What does POPIA really mean for SA’s direct marketers?
With South Africa’s Protection of Personal Information Act (POPIA) having officially commenced on 1 July 2020, the clock is now ticking for business leaders and marketers to ensure they remain compliant once the grace period (of one year) is over. For marketers and lead generation companies in particular, there is a great deal of confusion as to what POPIA means for existing direct marketing practices – and what companies can and cannot do under the data privacy legislation.
In recent years, there has been strong consumer pushback against marketing practices that are widely perceived to be intrusive, surveillance-based, and even downright creepy. Yet this sentiment has to be carefully balanced with sustainable and respectful marketing strategies that provide value to both businesses and consumers – and support business growth in a way that respects consumer privacy.
To achieve this balance, it is critical for marketers and lead generation companies/specialists to understand the parameters that POPIA has outlined, and how to adapt marketing practices (or review them) within the new legal context. Companies have a lot at risk, as the recent Experian data breach has underscored: the consumer credit reporting company suffered a major breach of customers’ personal information – affecting an estimated 24 million South Africans and nearly 800,000 businesses. Such an incident highlights the value of personal information, and the many questions (and risks) around the buying and selling of customer data without permission.
Arguably, one of the key areas to examine and understand is lead generation – and where/how marketers can obtain leads, as well as consent from the consumer. Privacy regulators are hyper-focused on this space, so it is really worth understanding the new rules of the road.
Lead generation & record-keeping
Contrary to what many people think, POPIA doesn’t include a long list of things you can no longer do; instead, it deals mostly with how businesses and marketers now do things. So, where can you get leads?
For example, if you are looking to purchase leads from a credit bureau, you can buy these leads if there is a clause within the credit bureau’s terms and conditions stating that they have obtained permission from prospects/customers to on-sell their information, but they must actually have the customer’s permission! Without this permission, you cannot buy the leads (because the prospects aren’t aware of the fact that their information is being used).
In addition, with regard to using or harvesting personal information from the internet, including from social media sites, you are technically allowed to do this. Bear in mind, however, that POPIA states that, wherever possible, you should get the information directly from the person (unless it is information that that person has made deliberately public). In addition, before using electronic marketing to contact someone whose information you have harvested, you must get in contact to tell them you have their information – and request consent to use it for direct marketing.
Another key question is, ‘can I use someone else’s database’? For example, can a separate company from a separate brand use another company’s database? Here the answer is no, because the prospects did not necessarily sign up for direct marketing from the new company (there was no signed consent).
Also, can you buy leads outright? Well, yes, if you trust that the person selling the leads obtained consent from the prospects to sell their information, but if they didn’t, you could be in hot water with the Regulator. If they didn’t get consent, then you will have to contact the leads and get a double opt-in yourself. If you are selling the lead, then it’s important to consider whether your leads are aware you have the information, and have given you permission to sell it (or you have given them the chance to object).
Notably, even when the same company cross-sells across products or services, POPIA states that you don’t need opt-in consent for ‘the same or similar products’; for example, credit is different to clothes, so you would need consent because they are different categories.
What does consent look like?
As it stands, most people/companies are not getting valid consent. Under POPIA, consent needs to be informed/specific; it needs to be voluntary; and it needs to be an expression of will (i.e. I have to do something, such as tick a box). You can’t ‘hide’ consent within T&Cs!
So, when do you need consent? Firstly, if the person doesn’t know you (it’s a cold call), you need consent for electronic marketing. Also, if you never told leads that you are going to use their information for marketing, you need their consent. Additionally, if you got the information from someone else, you need to ask for permission to have the information from the prospect, as well as consent to use it for direct marketing (double opt-in).
You don’t need consent if you got the prospect’s information in the context of a sale (they know you), and you told them you would use the details for marketing for similar products/services; and you told them they could object every time you contacted them.
That said, what is very problematic for many companies is that proper records are not being kept around obtaining consent, and under what circumstances the permission/consent was obtained. Importantly, remember that if you do re-consent or re-permission your database, you will likely lose up to 90% of your leads. Now, POPIA doesn’t expressly say you need to re-consent your database; instead, it provides principles that you have to interpret for your own context.
Taking a risk-based approach: Do you need to re-consent your database?
We believe there are several key questions to answer before making this decision. Firstly, do you know where you got the information from? If you don’t know, the only way to be 100% safe is to re-consent. Then, do you have a record of how these people signed up? Also consider, have you ever contacted them for marketing before? If the answer is yes, every week, then you are probably fine. Now, if you’ve never contacted them before and you’re sitting with old information that you harvested a while back, you should likely re-consent.
Also, if the opt-out was vague or if you have no record of how prospects signed up, this presents a risk for you. A good rule of thumb is to ask, will this person be surprised (or worse, irritated) to hear from you?
The important thing here is to weigh things up (for example, is your database highly valuable and generating profits; are you being respectful and providing clear unsubscribe processes); and then make an informed, risk-based decision. Don’t throw your database out with the bath water!
Looking ahead, there are some immediate steps to take to ensure you are balancing business growth with the new emphasis on consumer privacy:
Use friendly and open pro-POPIA messaging in your communication;
Package or present the re-consent as an opportunity for your customers to update all their details, and do it securely;
Incentivise staying or subscribing;
Manage complaints quickly and professionally;
Decide who in the company is responsible for POPIA compliance;
Find out where you got the data on your database, and what they thought they were getting themselves into;
Decide what you are going to do with your existing base;
Check your sign-up process (people shouldn’t be surprised to get marketing);
Audit your unsubscribe process and make unsubscribing easy and foolproof (this should be a priority!);