The National Consumer Commission’s planned opt-out registry

October 1st, 2017

By Madeleine Truter

Section 11(3) of the Consumer Protection Act 68 of 2008 (CPA), read together with reg 4(3)(g) of the regulations gazetted in terms of s 120(1) of the CPA (GN R293 GG34180/1-4-2011), contemplate the establishment of an Opt-Out Registry. The National Consumer Commission (the NCC) was established in terms of s 85 of the CPA, and is currently busy ironing out the details of how the Opt-Out Registry will be implemented. All direct marketers will be required to ‘spool’ their databases against the Opt-Out Registry before engaging in direct marketing with a consumer.

There has been considerable debate among policy makers regarding an appropriate mechanism to protect persons against the unsolicited electronic communications and spam that are associated with direct marketing. The wide definition of ‘direct marketing’ in s 1 of the CPA means that any communication, regardless of form or format, directed at a consumer personally, is subject to the provisions of the CPA.

Section 11 of the CPA confirms the consumer’s right to restrict unwanted direct marketing, by providing that the right of every person to privacy includes the right to –

  • refuse to accept;
  • require another person to discontinue; or
  • in the case of an approach other than in person, to pre-emptively block, any approach or communication to that person, if the approach or communication is primarily for the purpose of direct marketing.

Section 11(2) of the CPA provides that to facilitate the realisation of each consumer’s right to privacy, and to enable consumers to protect themselves efficiently against the activities contemplated in s 11(1), a person who has received a direct marketing approach may demand (during or within a reasonable time after that communication has been received) that the person responsible for initiating the communication desist from initiating any further communication. A person authorising, directing or conducting any direct marketing must implement appropriate procedures to facilitate the receipt of demands contemplated in s 11(2).

Section 11(3) provides that except in respect of those existing clients where the direct marketer has proof that the existing client has after the commencement of the regulations expressly consented to receiving direct marketing from the direct marketer, a direct marketer must assume that a comprehensive pre-emptive block has been registered by a consumer, unless the administrator of the Opt-Out Registry has in writing confirmed that a pre-emptive block has not been registered in respect of a particular name, identity number, fixed line telephone number, cellular telephone number, facsimile number, pager number, physical address, postal address, e-mail address, website uniform resource locator (URL) global positioning system co-ordinates or other identifier, which the operator of the Opt-Out Registry makes provision for. If the direct marketer has made use of a opt in provision, it should be relatively simple to provide proof that the consumer expressly consented to receiving direct marketing from the direct marketer. If the direct marketer cannot show express consent, the operator of the Opt-Out Registry is required to confirm in writing that no pre-emptive block has been registered by the consumer.

In order to assess the effectiveness and appropriateness of the Opt-Out Registry mechanism chosen by the NCC to protect South African consumers’ right to privacy, it is helpful to refer to what the approach has been in other western and Southern African Development Community (SADC) jurisdictions.

Opt-out registry mechanisms from Western jurisdictions:

  • Australia administers a ‘national do not call register’, in terms of which a telephone number must be used or maintained primarily for private or domestic purposes, or exclusively for transmitting and/or receiving faxes, provided that numbers can be removed at any time.
  • Canada operates an opt-out list, which allows consumers to register their election not to receive telemarketing calls. Charities, newspapers and pollsters are exempted, although they are required to keep their own do not call lists, to which consumers can request to be added to.
  • In the European Union (EU) the opt-out approach (ie, where consumers are automatically put on a list, and then have the option to request to be taken off the list) is illegal, and a system of opt-in is required by law.
  • The United Kingdom (UK) has a ‘Robinson list’, which is operated by the UK’s Direct Marketing Association, which reduces unsolicited calls. However, it has not stopped market research calls, silent calls or overseas calls.
  • The United States (US) has a ‘suppression list’, which requires that senders of commercial e-mails provide a functioning opt-out mechanism by which e-mail recipients can unsubscribe their e-mail addresses from future e-mail messages. The unsubscribed e-mail addresses are placed into the suppression list, which is used to ‘suppress’ future e-mail messages to that e-mail address.

Opt-out registry mechanisms from the SADC jurisdictions:

  • The relevant data privacy legislation in Angola is the Personal Data Protection Law (Law Number 22/11 of 17 June) and the Electronic Communications and Information Society Services Law (Law Number 23/11, of 20 June 2011). The Angolan regulator is the Agência de Protecção de Dados (APD). In Angola, the sending of electronic communications for the purposes of advertising is generally subject to the prior express consent of its recipient (namely, ‘opt in’) and to prior notification to the APD. The processing of personal data for this purpose may be conducted without data, subject consent in specific circumstances, notably:

– when the advertising is addressed to the data subject as representative, employee of a corporate person; and

– when the advertising communications are sent to an individual with whom the supplier of a product or a service has already concluded transactions, provided the opportunity to refuse was expressly provided to the customer at the time of the transaction, and this does not involve an additional cost. In this case, the data subject has the right to oppose to his personal data processing for advertising or direct marketing purposes.

  • In Lesotho the right to privacy is recognised and protected in the Constitution of the Kingdom of Lesotho. Lesotho established a Data Protection Commission in terms of their Data Protection Act. The Lesotho Data Protection Act provides principles for the regulation of the processing of any personal information in order to protect and reconcile the fundamental and competing values of personal information privacy. In Lesotho, ‘direct marketing’ is defined in
    s 50 of the Data Protection Act as ‘communication by whatever means of any advertising or marketing material which is directed to particular data subjects’. A data subject is entitled, at any time, by notice to a data controller, to require the data controller to cease, or not to begin, processing of personal data in respect of which he or she is the data subject for the purposes of direct marketing.
  • In Madagascar, the Data Protection Law, 2014 relates to the protection of personal data. The Madagascar Data Protection Law does not provide specific restrictions on the use of electronic marketing. However, the data subject has a right to opt-out of allowing their personal data to be used for marketing purposes without providing any reason.
  • In Mauritius, the Mauritian Data Protection Act 13 of 2004, is largely based on the Directive 95/46/EC of the European Parliament relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data. The use of personal data for the purposes of electronic marketing is not prohibited in Mauritius. However, at any time, an individual may by way of written notice, request a data controller to either stop, or not to begin, the processing of personal data in respect of which he or she is a data subject, for the purposes of direct marketing.
  • In Zimbabwe the protection of privacy is a principal enshrined in Zimbabwe’s Constitution. While there is no designated national legislation dealing with data protection for private persons in Zimbabwe yet, there are existing laws that have a bearing on the right to privacy and protection of personal information for specified types of data, or in relation to specific activities. The Access to Information and Protection of Privacy Act (Chapter 10:27) is the law which contains the most provisions on data protection. However, this generally only regulates the use of personal data by public bodies. In August 2016 the Zimbabwean Cabinet, which is the highest government approval body, approved the National Policy for Information and Communication Technology. According to the Revised ICT policy, the establishment of an institutional framework for enacting legislation dealing specifically with digital data protection matters and cyber security is anticipated. The Zimbabwean Government is currently working on a Consumer Protection Bill 2014, which seeks to protect consumers from unfair trade practices. The draft Consumer Protection Bill does not make reference to electronic marketing, nor does it provide for consumer privacy rights in respect of personal data.

Opt-out versus opt in

The inverse of the opt-out system, is the opt in approach, which requires express consent before a communication is sent to a consumer, and before the consumer’s personal information is used for direct marketing. Insofar as the opt in approach is concerned, e-mail address authentication is the minimum degree necessary for any e-mail advertising or other ongoing e-mail communication. E-mail address authentication is a technique for validating that a consumer claiming to possess a particular e-mail address actually does so. This is normally done by sending an e-mail containing a token to the address, and requiring that the party being authenticated supply that token before the authentication proceeds. The e-mail containing the token is usually worded so as to explain the situation to the recipient and discourage them from supplying the token (often via visiting a URL), unless they are attempting to authenticate.

As a general point of departure, consumers are more reluctant to tick an ‘opt in’ box, than they are to tick an ‘opt-out’ box. The conclusion is, therefore, that the adoption of an opt in requirement for South Africa (SA) would bring about a massive change for direct marketers, and will be a game-changer for all data-driven organisations. It stands to be reasoned that the aforementioned change is exactly the type of reform that SA needs when it comes to the protection of consumers’ right to privacy. The question that then poses itself, is why is an opt in system not rather being pursued by the NCC, instead of the operation of the Opt-Out Registry. The administration of the Opt-Out Registry will no doubt be a costly exercise. There is a real possibility that the Opt-Out Registry will become another bureaucratic institution, which does not provide good regulation, it being understood that ‘good regulation’ would be a regulatory mechanism which is cost effective and which does not overlap or contradict any other regulators or legislation. There is consensus among data privacy advocates that opt in systems provide better protection than opt-out provisions. While opt-out systems are being used by countries such as the US, the UK, Canada and Australia, the establishment of an Opt-Out Registry might not necessarily be the most suitable solution for SA.

In terms of the Protection of Personal Information Act 4 of 2013 (POPI), an opt in system is introduced in SA. POPI’s opt in system means that a business is not allowed to conduct direct marketing unless prior consent is obtained from a consumer. The business may contact a new customer once to obtain this consent. In terms of POPI, you do not have to ask for consent if you want to market to existing customers if –

  • the business obtained the customer’s contact details in the context of a transaction;
  • the contact details are used for the purpose of marketing similar products or services to the customer;
  • the customer was given a reasonable opportunity to object to receiving direct marketing, free of charge and without having to go through too much red tape; and
  • every time thereafter that marketing material is sent to that customer (in other words, the customer must be given the opportunity to opt-out or unsubscribe every time).

POPI also has rules regarding consent and how to obtain it for the processing of personal information, which apply to direct marketing. In essence, consent must be –

  • explicit;
  • voluntary;
  • specific; and
  • informed.

The consent to receive direct marketing will have to be in the form prescribed by the Information Regulator, which must still be established in terms of POPI, the details of which will be provided by the regulations to be published under POPI. The POPI regulations have not yet been released for public comment.

Because both POPI and the CPA will apply to direct marketing, it is anticipated that these pieces of legislation will apply concurrently where possible, or, if concurrent application is not possible, the Act which provides the best protection to consumers will apply. It is unclear how the mandate of the Information Regulator will differ from the mandate of the NCC. The establishment of two regulators for the protection of data privacy is reminiscent of the proposed Twin Peaks model (namely, a Prudential Authority and a Market Conduct Authority) for the regulation of banking and insurance. Twin Peaks has already been referred to as the ‘twin daggers’ due to the fact it is feared that the new regime will compound complexity, red tape and costs, by multiplying regulators and staff.  In keeping with the reference to bladed weaponry, it remains to be seen whether the Opt-Out Registry will become the proverbial sword of Damocles, presenting an ever present peril for the effective protection of South African consumers’ right to data privacy.

Madeleine Truter BLC LLM (UP) BA (Hons) Political Science (UP) Advanced Certificate in Company Law (Wits) Advanced Certificate Law of Banking and Financial Markets (cum laude) (Wits) is a legal adviser at Setso Property Fund in Johannesburg.

This article was first published in De Rebus in 2017 (Oct) DR 17.