After years of waiting, the Protection of Personal Information Act (POPIA) countdown begins, with less than 30 days to go until the 1 July 2021 deadline for compliance. What does it mean for you and your business, and are you ready?
In July 2020 the POPI Act commenced and South Africans were given a one-year grace period to get compliant. This grace period ends at the end of this month.
How does POPIA affect marketing and communications? And how is Flow Communications adapting to this new reality?
For the purposes of this article, we will focus on POPIA as it relates to marketing and communications.
The Act’s purpose is to protect the personal information of South African citizens as enshrined by our Constitution. Personal information includes “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person” and includes information such as race, gender, sex, age, physical address, telephone number, ID number, email address, and location.
In communications, we use personal information to communicate with customers and potential customers, and to personalise their experience. It’s therefore essential that we communicate in ways that do not fall afoul of POPIA.
Email newsletter communication
We typically send email newsletters using Campaign Monitor, which has a sterling record in terms of data privacy and compliance. A fundamental tenet has been that subscribers opt in to the communication (usually via a website subscribe form) and that they have the option to opt out at any time via an unsubscribe link. In order to keep its high privacy standards, Campaign Monitor has a rigorous vetting process for large subscriber sets to ensure the email subscribers have opted in to the communication.
If you’re unsure whether subscribers have opted in, or your records are incomplete, it is a brilliant time to clean up and refine your newsletter subscriber lists by emailing all recipients and asking them if they would like to continue receiving communication. If they do not opt in, remove them from the subscriber list.
It may be hard to stomach your newsletter list going down from 1 000 recipients to 200, but left with what will be people who actually want to receive your communication, your sending costs will reduce significantly, and your open rate percentage will skyrocket.
Also remember to have an unsubscribe link on all email marketing, to ensure people have a quick mechanism to opt out. Often this is compulsory in bulk emailing software.
Opt-in on website registration
If your website allows for online registration, ensure there is a marketing preferences checkbox that the user must tick to receive marketing communication.
This is apart from transactional communication that is required for the proper functioning of the website. For instance, you should not allow users to unsubscribe to transactional communication such as “forgot password” or sending an order receipt. POPIA does not prevent you from communicating with your direct customers. Rather, POPIA protects consumers from unsolicited bulk marketing to the customer.
Do you need a cookie consent notice on your website? The European GDPR regulations say “yes”, but in the case of POPIA, the regulations are not clear on the matter. South African law firm Michalsons says you should have a cookie notification message. Your first job is to ask if your website even collect cookies (some simple websites don’t), and if so, whether those cookies contain personal information that may run afoul of POPIA. When in doubt, contact your marketing or communications company.
Ability to remove customers’ personal information
Under POPIA, customers have the right to request that their personal information is expunged (a fancy word for “deleted”). However, common sense must prevail: if a customer owes you money, they can’t ask that you delete their phone number and address! But if the information is not required for the effective provision of products and services, the customer may request that the information is deleted.
Do you have the mechanisms to do this – for instance, a delete button on the back end of your website or email list? Again, consult your web team to ensure there are reliable methods for this, and an audit trail to prove the action was completed.
POPIA gives direct marketers only one chance at obtaining consent from a potential customer. For instance, if you obtain an email list of potential customers, you may send them one communication asking if they would consent to further marketing. If they do not consent, you cannot ask them again.
But what about current customers? POPIA allows us to market to current customers, but only if we received their information in the context of the sale of a product and service and only if the services you are marketing relate to similar products and services. For instance, Flow could reasonably advertise its new virtual event offering to current customers as it relates to digital communications services, but it would be a stretch for us to send a bulk emailer about a new insurance product.
Collect only what you need
When running a marketing competition, for example, be careful to only collect information you need. Any personal information that you collect has to be protected and managed, which means investing in time and resources. Ask yourself, do you really need the customer’s ID number in order for them to enter the competition – are there details you can collect after the prizes are announced, for instance their physical address? The less personal information you collect, the better. Another benefit is the fewer questions you ask, the more conversions you will get!
Don’t panic – you’re (probably) not going to jail
By respecting your customer’s privacy rights with common-sense mechanisms such as opt-in and opt-out checkboxes, cookie consent banners where appropriate, enabling customers and potential customers to remove their personal information, and asking permission before direct marketing to potential customers, you are unlikely to be in the crosshairs of the information regulator.