Direct Marketing (CPA + POPIA)

"Direct marketing" is defined almost identically in section 1 of the Consumer Protection Act 68 of 2008 (CPA) and section 1 of the Protection of Personal Information Act 4 of 2013 (POPIA) as any approach to a person, in person or by mail or electronic communication, to promote or sell goods or services or to request a donation. The two statutes impose different consent regimes. The CPA operates on an opt-out model: a consumer may pre-emptively block direct marketing via the national Opt-Out Register under section 11 and may at any time demand that a supplier desist. POPIA imposes a stricter opt-in regime for direct marketing by unsolicited electronic communication under section 69.

Section 69 of POPIA prohibits the processing of personal information for the purpose of direct marketing by electronic communication (email, SMS, automated call) unless the data subject has given prior consent in prescribed Form 4, or is an existing customer whose contact details were obtained in the context of a sale of similar products and who was given a reasonable opportunity to object at the point of collection. The practical effect is that cold electronic direct marketing requires a signed Form 4 opt-in; customer-base marketing can rely on the "similar products" exception provided opt-out was offered at every touchpoint.

Non-compliance carries layered exposure: the CPA permits Commission fines; POPIA permits Information Regulator enforcement notices and administrative fines of up to R10 million; and section 99 of POPIA recognises a private right of action for data subjects. Operationally, marketers must maintain auditable consent records, honour unsubscribe requests without charge, and identify the sender and a valid opt-out mechanism in every electronic message. Telemarketing and door-to-door marketing are additionally restricted by CPA regulations on permitted days and hours.