POPIA is still on the way… but it’s taking time

In March this year, Elizabeth de Stadler, CEO of Novation Consulting, gave a presentation at the IAB SA Digital Summit on the Protection of Personal Information Act (POPIA).

She warned that the new legislation was on its way, and advised on the effects it would have on the way marketers do their work, and the media industry as a whole. Five months on, we chatted with De Stadler to get an update on what progress has been made with POPIA and whether anything has changed.

Q: Since March, what progress has occurred with POPIA?

A: The Information Regulator is busy staffing their office, but there has been a bit of a delay. They are having a difference of opinion with Treasury about whether they are a schedule 3 entity in terms of the Public Finance Management Act. So red tape!

They are not letting this slow them down though and they have been doing a lot of advocating for South Africans’ privacy. Since March, there have been three breaches which the Information Regulator has released media statements on:

  • The Information Regulator decided to proactively engage Facebook regarding the Cambridge Analytica saga. Here is the media statement the Information Regulator released regarding this breach. On the 10 May the Information Regulator wrote to Facebook Ireland (who is responsible for providing services to all countries which make use of the platform outside of the US and Canada. They informed the regulator that the Information Commissioners Office (ICO) is conducting an investigation.
  • In the Liberty breach, the Information Regulator commented on the breach and encouraged private and public bodies to already proactively comply with the Act.  They also got Liberty to come in for a meeting to explain what they have been doing.
  • The Information Regulator commented on the Aggregated Payment System breach and stated that all these data breaches are an indication of the importance of a fully functioning Information Regulator.

Q: Has POPIA been implemented or is it still in the development/consultation phase?

A: It has been partly implemented. The sections which have already commenced are:

  • Section 1 – Definitions
  • Chapter 5, Part A – Establishing the Information Regulator
  • Section 112 – Regulations
  • Section 113 – Procedure for making regulations

Once they have sorted out the red tape, the president will announce an effective date for the rest of it. It is important to remember that there is a one year grace period that runs from the commencement date and so you will only have to comply with the Act after that one year period.

It is worth remembering that many South African companies will be subject to the EU General Data Protection Regulation which came into force on 25 May 2018. It is very similar to POPIA (we based POPIA on a previous version). We wrote a white paper on when it will apply. You can read that here.

Read more: POPIA is coming!

Read more: Eight steps for business to take towards POPIA compliance

Read more: Data protection in SA

Read more: SA companies take heed

Q: How do you think POPIA will affect players in the media industry?

A: The biggest concern for digital marketers is the dreaded consent. Do digital marketers need consent to serve personalised advertising? In terms of email and SMS, the POPIA requires an opt-in consent specifically for the purpose of digital marketing. The consent can’t be hidden in terms and conditions and you can’t make buying products or services subject to the consumer giving consent. They have to be able to say no.

You may also have to ask your entire base to consent again. We all know how that goes. You send a mail asking people whether you can continue to send them your newsletter. If you are lucky, you have a 30% open rate. So 70% of your base is gone. Of the 30%, the majority won’t notice or won’t bother responding, so you are left with 15% of the base you had. This is going to be your fate unless you told your customers (and they have to have at least at some point tried to buy something from you) that you would use their details for direct marketing, you allowed them to unsubscribe and you gave them an option to unsubscribe every time you contacted them.

The worst news is that the regulator has issued draft regulations which contained a consent form for direct marketing and it is very long, in legalese, requires a signature (so it is not tech neutral) and more. The IAB SA made representations on behalf of the digital marketing industry (I am the chairperson of the IAB’s Regulatory Affairs Council). We are still waiting to hear if they will take them into account.

The players who should really be really worried are the ones buying and selling personal information. The Information Regulator will probably not allow that without consent. So getting hold of the information to spam people is going to get harder.

Q: Where to next for POPIA?

Now we wait. Best guess (and I really am guessing) is that it is going to be in force in about 20 months’ time.

Q: Your advice to media industry players regarding POPIA?

A: Get advice on how to make sure that you don’t have to ‘reconsent’ your existing base. Evaluate your profiling activities to make sure that they are fair. Find out where you are getting your data and that the source is legal.

The Information Regulator was contacted for an update on their work for this article, but did not respond before publication.

Here’s the video interview we did with de Stadler at the IAB SA Digital Summit in March:

Michael Bratt is a multimedia journalist at Wag the Dog, publishers of The Media Online and The Media. Follow him on Twitter @MichaelBratt8