Spam calls and texts: Companies are failing to comply with Popia

Seldom have a few simple questions elicited such frantic responses. After receiving more than 20 text messages from 10 different companies – all in the space of three weeks – I contacted the senders and asked the same question: Where did you get my telephone number?

It’s a reasonable question but few could respond to it quickly, while some of the answers stretched the new Protection of Personal Information Act (Popia) to the point of breaking the law.

The companies could not answer questions relevant to the provisions of Popia easily, some taking up to two weeks to “investigate”.

The new legislation gives everyone the right to enquire about how companies use their personal information – and companies are obliged to answer queries, including:

  • Where did you get my contact details?
  • What information do you have about me?
  • Do you share my personal information with third parties?
  • What do you use my personal information for?

Popia became effective in July 2020 and was fully implemented in July 2021 after a grace period of 12 months to give companies time to ensure compliance.

Wendy Tembedza, senior associate at law firm Webber Wentzel, says the spirit and purpose of Popia is, among other things, to protect a person’s right to have a say in how their personal information is used:

Under Popia, a data subject (person) must be informed of all the ways in which a responsible party (the companies) will use their personal information at the time when the information is collected, or as soon as reasonably possible after collection. If the data subject has not been advised of the potential sale or sharing of their information, any such sale or sharing will in most instances be unlawful.
In addition, Popia requires that any further processing of personal information (being processing of personal information for purposes other than that for which the information was initially collected), must be compatible with the purpose for which it was initially collected. In this regard, the responsible party would have to assess factors such as the relationship between the purpose for initial collection and the intended further processing, the nature of information concerned and the consequences of the intended further processing for the data subject.
Popia has introduced a major shift in how personal information, including contact details on large databases, can be dealt with. Essentially, the wholesale commercialisation of contact details has been prohibited due to, in part, the broad definition of personal information which is protected under Popia.

Tembedza adds that while direct marketing is allowed, companies should ensure that they fully understand their obligations under Popia:

While there are nuances relevant to the question of whether a responsible party can send you direct marketing materials, the basic requirement is that direct marketing is only permitted in instances where either the data subject is an existing customer of the responsible party (subject to additional qualifying requirements), or where the data subject has given consent for their personal information to be used for direct marketing. Unless the direct marketing is taking place in one of these two scenarios, it will be unlawful.

She adds that the new act makes provision for steep penalties, including imprisonment and/or a fine of up to R10-million for a breach of the act.

In relation to contact lists, the risk increases because these lists can run into the tens of thousands. This is particularly important because factors such as the number of data subjects affected will be taken into account by the Information Regulator when determining the appropriate fine.

She confirms that companies are obliged to disclose where a data subject’s details were collected from.

So, it seems that companies are struggling with the new legislation, with only a few able to give a quick response to queries.

Here’s what happened

Budget Insurance answered within two days, reminding me that I had a policy with it some years ago and that this counts as a client relationship within the provisions of Popia. In addition, I opted in to receive marketing messages when using the Hippo Comparative Services website (hippo.co.za) a few months ago.

Thus, Budget Insurance knows a lot about me. I have provided it with my (new) telephone number, while it already had my e-mail address, home address, identity number and a lot of other personal information as well. Budget might even still know what car I drove a few years back and what furniture I had in my house at the time.

That I received no fewer than four text messages from Scorpion Legal Services within a few weeks came as a surprise. I have never dealt with the company nor have I responded to any of their advertisements that try to sell legal insurance policies. Asking Scorpion Legal Services where they got my contact details and whether they have other personal information about me was a bad experience.

The firm used Popia as an excuse not to provide the very information that Popia says it must provide to people.

Scorpion Legal Services said it has no personal information about me because it uses third parties to conduct advertising campaigns and generate leads.

“In order to abide by Popia, we are only able to divulge the information linked to this cell number to the person who owns the number. The third party involved is happy to engage with you directly, if you can provide evidence that the cell number that the SMS was sent to belongs to you,” answered an executive in an e-mail. She asked to remain anonymous, adding that I should contact my service provider and ask them for confirmation of my cell number.

That my number is included in my official signature to the bottom of every e-mail I sent to Scorpion Legal Services was not acceptable. “Anyone can send an e-mail and sign it with a cell number,” according to Scorpion.

That the executive called me on the number, and insisted on recording the conversation, including my verbal declaration that it is my number, did not help either as “you could have picked up the phone in the street”.

One would have thought that getting confirmation of your own cellphone number would be easy.
It took several calls to get hold of a human at the MTN call centre, who referred me to a different department. Unfortunately, the call looped back to the same call centre menu. Someone said the information would be readily available in an MTN store, but the shop assistant referred me back to the call centre.

The MTN press office eventually explained: “As per the numbering plan regulations (2016), numbers are a national resource and are neither owned by the licensee to whom they have been allocated to nor the subscriber to whom a number is assigned. We have noted that the number is currently on Pay As You Go, therefore MTN does not keep personal records that were used to register or activate the number. These are kept under the Regulation of Interception of Communications and Provision of Communication-Related Information Act and this information can only be made available to parties via Subpoena 205 (a court order).

“MTN is not authorised to provide written confirmation that the user is the owner of the mobile number,” according to MTN.

Management of the firm that runs advertising campaigns and generates leads for Scorpion Legal Services responded to my queries directly. Stephanus van Deventer, MD of Black Moon Investments (BMI), went the extra mile to answer my queries. Actually, he drove 500km because he insisted on a face-to-face meeting.
“I delegate a lot of tasks, but I deal with complaints myself,” he says, “and more than one of your queries led to BMI.”

Informative

The meeting was informative, explaining how this small part of the digital marketing industry works. Van Deventer provided proof that I opted in on his database after responding to an earlier general advertising campaign.

“Based on the aforementioned response and relationship established, the data subject was profiled as a high propensity responder to a number of products and services and would therefore have been included in product and service offerings targeted via direct various marketing efforts through the respective electronic channels,” concluded his investigation into the queries.

BMI also sent messages on behalf of Sanlam, Liberty, Apex Motor Warranties and Hollard Life, all of whom have responded to queries and answered questions. Van Deventer explained that the industry went through consolidation as a result of Popia. “I welcome the new act. It is good for the industry as a lot of ‘garage’ outfits closed down,” he says by way of explaining why BMI works for a lot of clients.

However, he admitted to and apologised for an internal problem which resulted in many messages from different (and competing) companies. The discussion on opting in on a database was interesting, and frightening.

While an advertisement might carry the name of a well-known company that somebody is willing to share personal information with, you opt in to a general database owned by a service provider – because nobody ever bothers to read the terms and conditions or privacy policy before ticking the box. Sending an e-mail to a company by using the handy enquiry form on their website will often opt in the sender, once again due to not reading the terms and conditions. This can be seen as forced consent, if the contact form is the only available method of contacting a company, or other contact details are difficult to find.

An interaction with LegalWise – also after receiving a marketing message – serves as an example. LegalWise responded to the original questions as to why I was receiving marketing messages with the following explanation: “We have confirmed that the SMS messages were sent by a network partner of Reach Republic, one of the third-party lead providers used by LegalWise. Reach Republic has confirmed that the message was sent to yourself in error and it was never the intention to communicate the message to yourself.

“The error was a result of a recent data update on the part of the network partner in which your number was incorrectly linked to another party for whom the message was intended.”

LegalWise says it had none of my personal information prior to me using the Contact Us form on its website to query the marketing messages. They now have my name, surname, telephone number and e-mail address, because I “opted in” when I clicked the submit button on their contact form. The privacy policy includes: “By submitting your details and/or using the website, you accept the terms and conditions of the policy and expressly consent to the collection, use and disclosure of your personal information in the manner described below. If you object to, or disagree with, any of the terms and conditions of use or with any of the potential uses described in this policy, please leave the website immediately.”

It clearly is easy to opt in to marketing messages and agree to the sharing of your personal information.

Fortunately, there is a way to opt out, too. The Direct Marketing Association of South Africa offers an opt-out service that will add a telephone number to a do-not-contact list. Members of the umbrella body should check their contact lists against the association’s database regularly to prevent them from irritating potential customers.

Being marketers, the association puts a positive twist on it. “Registering may prevent you from receiving information which you want – thereby cutting you off from relevant and worthwhile opportunities. For example, you may miss out on special sales or miss the opportunity to support charities who use telemarketing as an economical way to raise awareness and much needed support.”

  • This article was originally published by Moneyweb and is used by TechCentral with permission

Source: techcentral.co.za