By Madeleine Truter
Section 11(3) of the Consumer Protection Act 68 of 2008 (CPA), read together with reg 4(3)(g) of the regulations gazetted in terms of s 120(1) of the CPA (GN R293 GG34180/1-4-2011), contemplate the establishment of an Opt-Out Registry. The National Consumer Commission (the NCC) was established in terms of s 85 of the CPA, and is currently busy ironing out the details of how the Opt-Out Registry will be implemented. All direct marketers will be required to ‘spool’ their databases against the Opt-Out Registry before engaging in direct marketing with a consumer.
There has been considerable debate among policy makers regarding an appropriate mechanism to protect persons against the unsolicited electronic communications and spam that are associated with direct marketing. The wide definition of ‘direct marketing’ in s 1 of the CPA means that any communication, regardless of form or format, directed at a consumer personally, is subject to the provisions of the CPA.
Section 11 of the CPA confirms the consumer’s right to restrict unwanted direct marketing, by providing that the right of every person to privacy includes the right to –
Section 11(2) of the CPA provides that to facilitate the realisation of each consumer’s right to privacy, and to enable consumers to protect themselves efficiently against the activities contemplated in s 11(1), a person who has received a direct marketing approach may demand (during or within a reasonable time after that communication has been received) that the person responsible for initiating the communication desist from initiating any further communication. A person authorising, directing or conducting any direct marketing must implement appropriate procedures to facilitate the receipt of demands contemplated in s 11(2).
Section 11(3) provides that except in respect of those existing clients where the direct marketer has proof that the existing client has after the commencement of the regulations expressly consented to receiving direct marketing from the direct marketer, a direct marketer must assume that a comprehensive pre-emptive block has been registered by a consumer, unless the administrator of the Opt-Out Registry has in writing confirmed that a pre-emptive block has not been registered in respect of a particular name, identity number, fixed line telephone number, cellular telephone number, facsimile number, pager number, physical address, postal address, e-mail address, website uniform resource locator (URL) global positioning system co-ordinates or other identifier, which the operator of the Opt-Out Registry makes provision for. If the direct marketer has made use of a opt in provision, it should be relatively simple to provide proof that the consumer expressly consented to receiving direct marketing from the direct marketer. If the direct marketer cannot show express consent, the operator of the Opt-Out Registry is required to confirm in writing that no pre-emptive block has been registered by the consumer.
In order to assess the effectiveness and appropriateness of the Opt-Out Registry mechanism chosen by the NCC to protect South African consumers’ right to privacy, it is helpful to refer to what the approach has been in other western and Southern African Development Community (SADC) jurisdictions.
Opt-out registry mechanisms from Western jurisdictions:
Opt-out registry mechanisms from the SADC jurisdictions:
– when the advertising is addressed to the data subject as representative, employee of a corporate person; and
– when the advertising communications are sent to an individual with whom the supplier of a product or a service has already concluded transactions, provided the opportunity to refuse was expressly provided to the customer at the time of the transaction, and this does not involve an additional cost. In this case, the data subject has the right to oppose to his personal data processing for advertising or direct marketing purposes.
Opt-out versus opt in
The inverse of the opt-out system, is the opt in approach, which requires express consent before a communication is sent to a consumer, and before the consumer’s personal information is used for direct marketing. Insofar as the opt in approach is concerned, e-mail address authentication is the minimum degree necessary for any e-mail advertising or other ongoing e-mail communication. E-mail address authentication is a technique for validating that a consumer claiming to possess a particular e-mail address actually does so. This is normally done by sending an e-mail containing a token to the address, and requiring that the party being authenticated supply that token before the authentication proceeds. The e-mail containing the token is usually worded so as to explain the situation to the recipient and discourage them from supplying the token (often via visiting a URL), unless they are attempting to authenticate.
As a general point of departure, consumers are more reluctant to tick an ‘opt in’ box, than they are to tick an ‘opt-out’ box. The conclusion is, therefore, that the adoption of an opt in requirement for South Africa (SA) would bring about a massive change for direct marketers, and will be a game-changer for all data-driven organisations. It stands to be reasoned that the aforementioned change is exactly the type of reform that SA needs when it comes to the protection of consumers’ right to privacy. The question that then poses itself, is why is an opt in system not rather being pursued by the NCC, instead of the operation of the Opt-Out Registry. The administration of the Opt-Out Registry will no doubt be a costly exercise. There is a real possibility that the Opt-Out Registry will become another bureaucratic institution, which does not provide good regulation, it being understood that ‘good regulation’ would be a regulatory mechanism which is cost effective and which does not overlap or contradict any other regulators or legislation. There is consensus among data privacy advocates that opt in systems provide better protection than opt-out provisions. While opt-out systems are being used by countries such as the US, the UK, Canada and Australia, the establishment of an Opt-Out Registry might not necessarily be the most suitable solution for SA.
In terms of the Protection of Personal Information Act 4 of 2013 (POPI), an opt in system is introduced in SA. POPI’s opt in system means that a business is not allowed to conduct direct marketing unless prior consent is obtained from a consumer. The business may contact a new customer once to obtain this consent. In terms of POPI, you do not have to ask for consent if you want to market to existing customers if –
POPI also has rules regarding consent and how to obtain it for the processing of personal information, which apply to direct marketing. In essence, consent must be –
The consent to receive direct marketing will have to be in the form prescribed by the Information Regulator, which must still be established in terms of POPI, the details of which will be provided by the regulations to be published under POPI. The POPI regulations have not yet been released for public comment.
Because both POPI and the CPA will apply to direct marketing, it is anticipated that these pieces of legislation will apply concurrently where possible, or, if concurrent application is not possible, the Act which provides the best protection to consumers will apply. It is unclear how the mandate of the Information Regulator will differ from the mandate of the NCC. The establishment of two regulators for the protection of data privacy is reminiscent of the proposed Twin Peaks model (namely, a Prudential Authority and a Market Conduct Authority) for the regulation of banking and insurance. Twin Peaks has already been referred to as the ‘twin daggers’ due to the fact it is feared that the new regime will compound complexity, red tape and costs, by multiplying regulators and staff. In keeping with the reference to bladed weaponry, it remains to be seen whether the Opt-Out Registry will become the proverbial sword of Damocles, presenting an ever present peril for the effective protection of South African consumers’ right to data privacy.
Madeleine Truter BLC LLM (UP) BA (Hons) Political Science (UP) Advanced Certificate in Company Law (Wits) Advanced Certificate Law of Banking and Financial Markets (cum laude) (Wits) is a legal adviser at Setso Property Fund in Johannesburg.
This article was first published in De Rebus in 2017 (Oct) DR 17.
De Rebus proudly displays the “FAIR” stamp of the Press Council of South Africa, indicating our commitment to adhere to the Code of Ethics for Print and online media, which prescribes that our reportage is truthful, accurate and fair. Should you wish to lodge a complaint about our news coverage, please lodge a complaint on the Press Council’s website at www.presscouncil.org.za or e-mail the complaint to enquiries@ombudsman.org.za. Contact the Press Council at (011) 4843612.
South African COVID-19 Coronavirus. Access the latest information on: www.sacoronavirus.co.za
|