A Marketer's Guide To POPI.

Created the 12 March 2014 by Nicholas Marini


We know a lot of people are worried about POPI - Protection of Personal Information Act - which has come into law, so we wrote this nifty little guide that tells you the essentials of what you need to know. You are welcome to contact us for a free POPI consultation. We get all our information from the Direct Marketing Association of SA who played an integral role in consulting with government about the Act and implimentation thereof. This post will hopefully break it down into bits and pieses for you and speaks to the main purposes of the Act and how it affects marketing operations and storage of data. POPI is the largest Act in South Africa's history so if you feel unsure of anything or need clarity just give us a call as there is so much grey area in the Act that the regulatory bodies will have to take care of. We hope you find it handy and please share it so that we get to know the law and be more effective as an industry, together.

Extent of Act

Protection of Personal Information Act (P.O.P.I.) covers the collection, processing and use of personal data for any reason, except a personal address book, by any judicial or natural persons. The Act is principles based and therefore allows for exceptions and exemptions as well as exceptions to the exemptions. P.O.P.I. is read in conjunction with the following Acts:

  • Promotion of Access to Information (PAIA) Act 2000
  • Electronic Communications Act 2005
  • Consumer Protection Act 2011

Should there be conflicting law between these Acts the most restrictive law must be applied. P.O.P.I. will govern how we interact with any private and personal data, not only of our current or prospective clients but also in regards to HR. Data safety and consent is paramount in the Act with the legislation allowing for hefty fines should the law be disobeyed.


Who is affected


  • All companies and any of their divisions holding personal information – natural or juristic.
  • The 3 tiers of government: municipalities, provincial and national
  • All parastatals
  • Service providers
  • Individuals, consultants and sole traders who hold personal information. Exception: Data held for personal use.

Collecting Data


There are only three ways to collect data:

  • From the consumer directly
  • From a third party
  • From a public record

Information is required to be given before collection, except “if not reasonably practicable”. Furthermore the data may not include information which is irrelevant. If data is not collected directly, the individual must be made aware of the source used.

Notification for Collecting Data


The information that needs to be given to the consumer prior to the collection should include:

  • What information is being collected
  • The source of the data, if necessary
  • Name and address of the user/marketer (Juristic person is sufficient)
  • Purpose(s)
  • Any category of recipient with nature of data and right to access or rectify the data. E.g. A list broker, different divisions in a company, etc.
  • Right to object and/or to complain
  • If the collection is voluntary or mandatory and the consequences, if any, of not providing the information.
  • If data will be transferred to another country


Purpose and Retention of Data


Data “must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”.

Data should only be retained for as long as “necessary for achieving the purpose for which [it] was collected”.

Marketing is a legitimate purpose for the collection, retention and processing of data. Though please remember that there is a clear differentiation between e-communication (e-mail, SMS/MMS, fax) and other Direct Marketing approaches such as mail and telephone. The differentiation has a large impact on consent, but they all require for the consumer to be able to opt out at any time.



Consent is defined as - “any voluntary, specific and informed expression of will in terms of which permission is given”.


However it does of course come with its exceptions and these are:

  • (11 b) “where processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party”;
  • (11 f) “where processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom information is supplied”

Consent is ruled by two terms in Direct Marketing, “Opt-in” and “Opt-out”. Certain communication methods require Opt-in, Marketing by e-communications (email, sms, fax, automated calling machines) must have consent (“in the prescribed manner and form”).


1)    Once to get consent, so long as the consumer has not “previously withheld such consent” (e.g. on the national opt out database);

2)    If the data has been collected “ in the context of a sale”, then consent is considered given (soft opt in) for similar products and services”

Different Channels Have Different Requirements

 POPI Opt In and Opt Out Rules per Communication Channel

Special Data


Often referred to as “sensitive” data, special data includes the following fields:

  • Race
  • Religion
  • Health
  • Sexual Preference
  • Criminal Record
  • Trade Union Membership
  • Politics

Special data has an impact on your HR process as now consent will need to be acquired from the employee before recording this information as well as the relevant notifications given to the employee. This consent will also be required for existing staff contracts as well as past contracts or retirement data.


The Information Officer


Even though, in a court of law, the Directors and Board of a company are held to be liable, each entity must appoint an Information Officer who is responsible for the implementation of P.O.P.I. in the company. The Information officer can be a natural or juristic person, therefore allowing this function to be outsourced. You may also have more than one Information Officer and it is possible to have one for each division where necessary.


Do’s and Don’ts



  • Inform customers that they may be on your database and they are invited to check (current thought suggests this can be done via a newspaper advert or making it publicly accessible).
  • Create a check list of all notifications you need to give current and prospective clients.
  • Do check all your current databases and consolidate into one.
  • Update your database regularly, P.O.P.I. necessitates that the data must be up to date.
  • Ensure your data is secure and cannot leave your ownership.
  • Check your data against the national opt out database at
  • Schedule regular data audits.
  • Appoint an Information Officer.
  • Have a code of conduct regarding data in your company.



  • Keep unnecessary or old data.
  • Create multiple databases.
  • Misinform potential clients about the purposes of your data collection.
  • Keep invalid or old data.
  • Accept databases from disreputable sources.
  • Ignore Opt-outs
  • Conceal data breaches.

We hope you found this helpful and you can use it in future. Don't forget to share it with your colleagues and friends and give us a call or drop us an e-mail anytime you have questions. Good luck!

Click here to go back
  • 2014
  • 7 October
    Food for Thought
  • 25 August
    It's Hitting Home Fast
  • 31 July
    Computer Facilities Update
  • 20 May
    Developing A Smart Direct Marketing Campaign - Part 2
  • 15 April
    Developing A Smart Direct Marketing Campaign - Part 1
  • 31 March
    To Meet or Not to Meet
  • 25 March
    Is Multi-Platform Marketing Working In South Africa
  • 24 March
    Big Data is Watching You!
  • 18 March
    You Say Dayta, I Say Dahta.
  • 12 March
    A Marketer's Guide To POPI.
  • 10 March
    Tabbed Gmail Inbox Survey
  • 10 March
    Print is Dead! Long Live Print!
  • 4 March
    Data and Content Marketing - The Perfect Match
  • 28 February
    My Data for Convenience and Stuff?
  • 27 February
    4 Pillars of Data Driven Communication
  • 27 February
    Lessons From Our Founder
  • 27 February
    Data Driven Communication