POPIA's section 69 imposes specific obligations on direct marketing, distinct from the general processing rules. This guide explains the consent requirements, the existing-customer exception, the role of Form 4, and the practical steps for compliance.
Why Direct Marketing Has Its Own POPIA Regime
Section 69 of the Protection of Personal Information Act 4 of 2013 (POPIA) creates a special regime for direct marketing that operates over and above the general processing conditions in Chapter 3. Where ordinary processing of personal information may proceed under any of the lawful grounds in section 11, namely consent, contract, legal obligation, legitimate interest, public law, or vital interest, direct marketing by electronic communication is restricted to two narrow grounds: prior consent in the prescribed form, or marketing to existing customers within strict limits.
This restriction reflects the legislature's view that unsolicited electronic marketing imposes a disproportionate cost on the recipient. The Information Regulator has prioritised section 69 enforcement, and complaints from individuals concerning unsolicited marketing communications form a substantial proportion of its caseload.
The Scope of Section 69
Section 69 applies to direct marketing by means of any form of electronic communication. The Act defines electronic communication broadly to include email, SMS and MMS, automated calling systems including auto-diallers and robocalls, faxes, and instant messaging platforms such as WhatsApp and Telegram, which the Information Regulator interprets as electronic communication for section 69 purposes.
Voice calls made by a human operator are not strictly automated and are therefore not within the section 69 prohibition, but they remain subject to general POPIA processing conditions and to the Consumer Protection Act 68 of 2008 direct marketing rules. The CPA's pre-emptive opt-out registry, the Direct Marketing Registry maintained under section 11 of the CPA, applies regardless of the POPIA position.
Ground 1: Prior Consent in the Prescribed Form
The default rule is that direct electronic marketing requires the data subject's prior, specific, informed, and freely given consent. Consent must be obtained in the form prescribed by the Information Regulator, which is set out as Form 4 in the POPIA regulations.
Form 4 Requirements
Form 4 prescribes that consent requests must be presented in clear and understandable language, identify the responsible party seeking consent, specify the categories of products or services that will be marketed, identify the channels through which marketing will be delivered, and provide a clear means for the data subject to refuse consent or withdraw it later.
Pre-ticked checkboxes do not satisfy the consent requirement. Bundled consent, where consent to marketing is conditioned on access to a service, is generally not freely given within the meaning of section 1 of POPIA, although the position is fact-sensitive where the service itself is genuinely contingent on marketing data.
Per Channel and Per Category
A best-practice consent capture distinguishes between channels such as email, SMS, and WhatsApp, and between product categories. A single consent for all marketing across all channels and all products is technically valid but is increasingly likely to be challenged as insufficiently specific. Granular consent capture protects the responsible party in the event of a complaint.
Ground 2: The Existing Customer Exception
Section 69(3)(b) creates a narrow exception for marketing to existing customers. The responsible party may direct-market by electronic communication to an existing customer without prior Form 4 consent, but only where the contact details were obtained in the context of the sale of a product or service, the marketing relates to similar products or services, the customer was given a reasonable opportunity to object at the time of collection, the customer is given an opportunity to opt out of each subsequent marketing communication, and the customer has not opted out.
The Similar Products Limit
The similar products requirement is the most frequently litigated element of the existing-customer exception. A retailer that sold a customer a specific category of product cannot rely on the exception to market unrelated categories. A car dealership that sold a vehicle may market vehicle servicing or related accessories, but probably not insurance products from a separate group company. Marketers should map their product taxonomy against this requirement before relying on the exception.
Group Companies and Cross-Marketing
The exception does not extend to group companies or affiliates. Where a customer's contact details were collected by Company A, Company B, a group affiliate, cannot rely on the existing-customer exception to market to that customer, even where the customer would reasonably expect intra-group communications. A separate Form 4 consent is required for group cross-marketing.
Opt-Out Mechanics
Every direct marketing communication must include a clear, accessible opt-out mechanism. Best practice includes a one-click unsubscribe link in the email message footer, processing the opt-out without requiring login or password entry; an SMS STOP reply mechanism that processes the opt-out automatically; a clear instruction on WhatsApp messages to reply STOP or equivalent, with the opt-out processed within reasonable time; and a clear opt-out request honoured during voice calls.
The opt-out must be processed and propagated across the responsible party's marketing systems. Where a customer opts out of email marketing on Tuesday and receives an SMS marketing message on Wednesday from the same responsible party, the opt-out has not been honoured even if the systems are technically separate. Cross-system opt-out propagation is a frequent compliance gap.
Interaction with the Consumer Protection Act
The Consumer Protection Act overlays an additional regime on direct marketing transactions. Where direct marketing leads to a transaction, the CPA's section 32 cooling-off period applies: the consumer has five business days from delivery to cancel the transaction without penalty, regardless of the underlying contract terms. The CPA also creates rights to be informed of the marketer's identity, the marketing purpose, and the goods or services being offered. POPIA section 69 and CPA section 32 are independent regimes; compliance with one does not satisfy the other.
Record-Keeping for Consent
The responsible party must maintain records sufficient to demonstrate compliance. For consent-based direct marketing, the records should evidence the date and time consent was obtained, the channel used to obtain consent such as an online form, in-store sign-up, or paper form, the exact wording of the consent request shown to the data subject, the data subject's affirmative action such as the checkbox state, signature, or recorded voice consent, and any subsequent withdrawal of consent and the date.
Marketing platforms often retain timestamps but not the actual consent wording. Where consent capture forms are updated, retain a versioned archive of each form with a date range showing when each version was active.
Common Compliance Gaps
The Information Regulator's published guidance and complaint resolution decisions identify recurring section 69 gaps including pre-ticked consent boxes on online forms; similar products overreach in existing-customer marketing; cross-channel opt-out failure where opt-out from one channel does not propagate to others; group cross-marketing on the basis of consent given to a single group entity; acquired marketing lists where the responsible party cannot demonstrate the original consent supporting each contact; and default-on app permissions where mobile app push notifications are sent for marketing purposes without specific consent.
Remediation Where Non-Compliance Is Discovered
Where a responsible party discovers a section 69 compliance gap, remediation typically involves pausing the affected marketing campaigns, assessing the scope of the non-compliance including which contacts, which channels, and what duration, recapturing valid consent where the existing-customer exception cannot be relied on, and updating the consent-capture systems to prevent recurrence. Voluntary disclosure to the Information Regulator may be appropriate where the gap is material and where remediation is being undertaken.
How Mashiane Attorneys Can Assist
Our POPIA practice advises responsible parties on direct marketing compliance, including consent-capture form design, existing-customer exception structuring, opt-out system review, marketing campaign legal sign-off, response to data subject complaints, and remediation programmes. Contact our team for a section 69 compliance assessment.