Regulation of Spam in South Africa

Regulation of spam in South Africa was introduced by the Electronic Communications and Transactions Act, 2002 (ECTA) and bolstered by the Consumer Protection Act, 2008 (CPA) and the recently promulgated Protection of Personal Information Act, 2013 (POPIA). Below is a discussion of how the current framework for the regulation of direct marketing by means of unsolicited electronic communications (commonly referred to as spam) has taken shape.

Links to the relevant sections of the above can be found in the headings below.

The Electronic Communications and Transactions Act

Widely considered to be of limited practical use, section 45 of the ECTA provides that recipients of unsolicited communications are able to opt-out of future communications and may request information on where their contact details were obtained.

Whilst section 45 of the ECTA represents the point of departure in any matter regarding the receipt of unsolicited communications, it will be repealed and replaced by section 69 of the POPIA once a commencement date for the latter has been proclaimed by the Presidency.

A more comprehensive set of limitations have been provided for in both the CPA and the POPIA, please see below.

The Consumer Protection Act

Section 11 of the CPA follows in the footsteps of the ECTA by providing that you may refuse to accept, request the discontinuation of (opt-out) or pre-emptively block direct marketing communications, and that any opt-out or pre-emptive block must be respected by marketers, have their receipt confirmed in writing and that the exercise of these right must be performed free of charge.

A welcome outcome of the CPA will be the formation of a Do Not Contact Registry (DNCR) which will serve as a national database of pre-emptive blocks for both general and specific marketing advances and which will allow individuals to tailor the frequency, timing and nature of the marketing they receive (if any).

Whilst the Interactive Advertising Bureau (IAB) - formerly known as the Digital Media & Marketing Association (DMMA) - which represents a large portion of the direct marketing market, currently administers a private DNCR for its members there has been little progress on the implementation of the national DNCR contemplated in the CPA.

The Protection of Personal Information Act

Signed into law in November 2013, the POPIA represents the most ambitious attempt thus far to formulate a framework for the protection of personal information, of which the limitation of unsolicited communication for the purpose of direct marketing forms a part.

Whilst the POPIA will be of limited use prior to its commencement date (and then subject to transitional arrangements), the publication of regulations by the Minister of Justice and the formation of an Information Protection Regulator, it is hoped that the mechanisms provided for in section 69 will serve to bolster previous attempts to regulate unsolicited communications.

Section 69 of the POPIA places significant limitations on the circumstances in which a party may engage in direct marketing by means of unsolicited communications by requiring individuals to have either consented to the use of their personal information (opt-in) or for there to be an existing relationship between the parties. An existing relationship between the parties is itself subject to additional limitations and does not result in a freedom to make repeated advances.

Notwithstanding the above, you will always be entitled to opt-out of future communications for the purpose of direct marketing.

Responding to spam

In responding to local spam we have found the following template message to be most useful:

Dear Sirs,

On [insert date here], I received the following message from you:

[insert message here]

As the above is an approach for the purpose of direct marketing which relies upon personal information which I did not provide to you, your message constitutes an unsolicited communication in terms of section 45 of the Electronic Communications and Transactions Act (Act 25 of 2002)(ECTA), as read with section 11 of the Consumer Protection Act (Act 68 of 2008)(CPA) or alternatively, as the case may be, Section 69 of the Protection of Personal Information Act (Act 4 of 2013)(POPIA)

In terms of the acts listed above, this message serves as a notification that I do not wish to receive any further communications from you or your agents. Kindly confirm that you will discontinue all future communication in this regard.

Please note that a failure to comply with this request constitutes a criminal offense in terms of section 45 of the ECTA and that the continued receipt of unsolicited communications may lead to prosecution. Additionally, I hereby request that you immediately disclose where you obtained my contact details, as per section 45(1) of the ECTA and/or section 22(1) of the POPIA. Failure to respond to this request may also constitute a criminal offense.

[Optional paragraph]

I note that your original message did not provide me with an option to cancel my subscription to your mailing list, as required by section 45(1) of the ECTA and/or section 69(4) of the POPIA. This means that you may already have committed an offense in terms of the respective Acts and may be subject to prosecution.]

[and continue with]

Should you wish to familiarise yourself with the relevant legislation, or check my facts, a copy of the ECTA, CPA and POPIA are available on-line via the Government's web site and can be found here:

- http://www.gov.za/documents/download.php?f=68060
- http://www.gov.za/documents/download.php?f=99961
- http://www.gov.za/documents/download.php?f=204368

Your urgent co-operation in this regard would be appreciated.

A copy of this template can also be found at: http://www.internet.org.za/spam_message.txt

Note: The Government of South Africa's website has been known to change their link structure causing documents to become unavailable at their previous locations. Please verify the link before sending the above message. Please report broken links on this website to the webmaster

You can also read the following legal opinion on the matter:
Legal View: The Law vs the Scouge of Spam (Lance Michalson, 2003)

Extracts from the Relevant Acts

The Electronic Communications and Transactions Act

Section 45 of the Electronic Communications and Transactions Act, 25 of 2002

Unsolicited goods, services or communications

45.(1) Any person who sends unsolicited commercial communications to consumers, must provide the consumer

  1. with the option to cancel his or her subscription to the mailing list of that person; and
  2. with the identifying particulars of the source from which that person obtained the consumer's personal information, on request of the consumer.

(2) No agreement is concluded where a consumer has failed to respond to an unsolicited communication.

(3) Any person who fails to comply with or contravenes subsection (1) is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1).

(4) Any person who sends unsolicited commercial communications to a person who has advised the sender that such communications are unwelcome, is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1).

The Consumer Protection Act

Section 11 of the Consumer Protection Act, 68 of 2008

Right to restrict unwanted direct marketing

11.(1) The right of every person to privacy includes the right to -

  1. refuse to accept;
  2. require another person to discontinue; or
  3. in the case of an approach other than in person, to pre-emptively block,

Any approach or communication to that person, if the approach or communication is primarily for the purpose of direct marketing.

(2) To facilitate the realisation of each consumer's right to privacy, and to enable consumers to efficiently protect themselves against the activities contemplated in subsection (1), a person who has been approached for the purpose of direct marketing may demand during or within a reasonable time after that communication that the person responsible for initiating the communication desist from initiating any further communication.

(3) The Commission may establish, or recognise as authoritative, a registry in which any person may register a pre-emptive block, either generally or for specific purposes, against any communication that is primarily for the purpose of direct marketing.

(4) A person authorising, directing or conducting any direct marketing -

  1. must implement appropriate procedures to facilitate the receipt of demands contemplated in subsection (2); and
  2. must not direct or permit any person associated with that activity to direct or deliver any communication for the purpose of direct marketing to a person who has -
    1. made a demand contemplated in subsection (2); or
    2. registered a relevant pre-emptive block as contemplated in subsection (3).

(5) No person may charge a consumer a fee for making a demand in terms of subsection (2) or registering a pre-emptive block as contemplated in subsection (3).

(6) The Minister [Trade and Industry] may prescribe regulations for the operation of a registry contemplated in subsection (3).

Protection of Personal Information Act

Section 69 of the Protection of Personal Information Act, 4 of 2013

Direct marketing by means of unsolicited electronic communications

69.(1) the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject -

  1. has given his, her or its consent to the processing; or
  2. is, subject to subsection (3), a customer of the responsible party.

(2)

  1. A responsible party may approach a data subject -
    1. whose consent is required in terms of subsection (1)(a); and
    2. who has not previously withheld such consent.

only once in order to request consent of that data subject.

  1. The data subject's consent must be requested in the prescribed manner and form.

(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)-

  1. if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
  2. for the purpose of direct marketing of the responsible party's own similar products or services; and
  3. if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details -
    1. at the time when the information was collected; and
    2. on the occasion of each communication with the data subject for the purpose of marketing if the subject has not initially refused such use.

(4) Any communications for the purpose of direct marketing must contain -

  1. details of the identity of the sender or the person on whose behalf the communication has been sent; and
  2. an address or other contact details to which the recipient may send a request that such communications cease.

(5) "Automatic calling machine", for the purposes of subsection (10, means a machine that is able to do automated calls without human intervention.