By Natalie Veli & Sasha-Lee de Bod

With the majority of the Protection of Personal Information Act of 2013 (“POPI”), coming into effect in July 2020, businesses will now have a year to comply with the laws, the deadline for compliance would then be the 1st of July 2021. POPI sets some conditions for the parties responsible to lawfully process the personal information of both people and companies.

According to the POPI Act, personal information is defined as data that can be used to identify a person. All companies, including franchises need to ask your permission to send you, or your company, marketing material. If you have given that permission, they can contact you until you ask them to stop, ‘unsubscribe’ or ‘opt out’.

1. Buying and Selling of Databases

The buying and selling of personal information is strictly prohibited. Certain companies have built up huge databases that they buy and sell on the open market, consisting of contact details, including phone numbers and email addresses. This is no longer allowed (and is also unethical). The quality of your database is far more beneficial to your company than quantity. Email addresses often change so you will end up sending to addresses that are no longer in use and therefore an unopened mail affecting your sending reputation by getting bounced emails, it  would then be quite difficult to reach active email addresses. People receiving your emails are likely going to mark your email as spam if they have not opted-in for your mails. Spam complaints damage your sending reputation which again will make it more difficult to reach customers inbox in the future.

Personal information includes, but is not limited to:

  • Gender
  • Age
  • Religion / Beliefs /Culture
  • Language
  • Email address
  • Physical address
  • Telephone number
  • Location
  • Personal opinions, Views or Preferences

The above is some of the most used data in direct marketing. This will all fall under the conditions of POPI. Pay careful attention to the managing of your data.

Relevant in franchising going forward:

Franchisors build various databases e.g. potential franchisees, existing franchisees, suppliers and service providers as well as customer databases.

The franchisee recruitment procedure generally adheres to legislation pertaining to cooling off periods, confidentiality and now data management (POPI).  All franchisors and their recruiters need to take note of all the necessary POPI requirements with regards to receiving and capturing leads on a central database. This includes how to collect and manage personal information of franchise applicants and/or potential franchisees, the time period the information may be kept and perceived as relevant.  Franchises receive applications for territories that might not be available at present, but franchisors need to keep them informed and send them content and notifications when the areas are available and to keep them engaged with the brand.  All direct marketing campaigns pertaining to new franchise opportunities are generally sent to a database that has been built over a period of time.

In addition, the ownership of customer databases will be very important within a franchise network and it should be clearly defined within the franchise agreement.  We advise that franchisors keep ownership of all databases and to manage it to ensure compliance with POPI regulations.

2. Permission Post-POPI Implementation

  1. You do have permission to contact subscribers who are currently in your database. If a marketer already has permission, it is fine to keep sending material to them. You will not need to ask your subscribers to ‘re-subscribe’.
  2. Marketers will need to inform customers that they will use their information to send them promotional content with the option to unsubscribe in that actual promotional mail, in terms of POPI, that is acceptable.
  3. If a client has been in your database for a reasonable time period and the person has not opposed to it within that time period and then that person lodges a POPI complaint after POPI comes into effect, then a concept called “soft opt-in” governs this situation where the person is taking a gamble with you post-POPI implementation. This concept is not codified law, it is the responsibility of the data collector to manage the database in an ethical manner to prevent a complaint.
  4. A person can only be approached once to get consent. If consent is refused, it is refused for all time. You should also be able to always tell the person where you obtained their information.

Franchisors need to take note of the permission post-POPI implementation guidelines and develop a policy within their operations and procedure manual.  Franchisees need to be notified of this new policy and should be assisted with implementation thereof within their operations.

3. NB!! Chapter 8 of POPI

As a direct marketer, the chapter of POPI that governs direct marketing by means of unsolicited electronic communications is chapter 8.

The three points below are the main requirements.

1. The processing of personal information of a data subject (a human or a company) for the purpose of direct marketing, by means of any form of electronic communication is prohibited unless a data subject (a human or a company):

  • Has given their consent to the processing; or
  • Is a customer of the responsible party.

Conclusion: Always ask for permission to use personal information

2. A person or company may only process the personal information of a data subject (a human or a company) who is a customer of the person or company. If the person or company has obtained the contact details of the data subject (a human or a company) in the context of the sale of a product or service;

  • For the purpose of direct marketing of the person or company’s own similar products or services; and
  • If the data subject (a human or company) has been given a reasonable opportunity to object, free of charge or hassle, to the use of their electronic details,
    • At the time when the information was collected; and
    • When each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.

Conclusion: You are only allowed to process personal information if you have obtained it via the sale of a product or a service, to market your own other similar products or services and you ALWAYS need to give the customer/subscriber the opportunity to opt-out of communication from your company

3. Any communication for the purpose of direct marketing must contain:

  • Details of the identity of the sender or the person on whose behalf the communication has been sent; and
  • An address or other contact details to which the recipient may send a request that such communications must stop.

Conclusion: Always identify yourself and give the receiver a clear opportunity to opt out of communication.

4. What Actions Do You Need to Take Within Your Company/Franchise?

All franchises and businesses, as small as a sole proprietor, will need to comply by July 2021, not just big corporates.

Appoint an information officer to ensure employees know about the POPI act. Your business will need to have an information policy in place, which should be documented in the operations and procedure manual. After the policy has been developed, we would advise you communicate the update to the entire franchise network. You do not need to employ someone new for this role, you can appoint yourself or someone within you franchise head office structure/infrastructure as an information officer.

The information officer will be responsible for:

  • Ensuring the business processes data correctly, in compliance with POPI.
  • Having a plan for when to dispose of data.
  • Having a plan in place in case you are hacked, and someone steals that data.
  • Update your company website if you have one. Every business that has a website will now also need to include a privacy notice indicating, among other things, what you do with customer information, how you process it, and how long you keep it.
  • Informing, training, and supporting the franchise network i.e. all franchisees and all employees, with the implementation of this Act.

5. General Best-Practice Checklist

Here are some checks to make sure you, as a marketer (franchisees within their local community/area and franchisor on a regional and national level), comply with the provisions of POPI

  1. Did you receive a subscriber’s details in the process of selling a product or service?
  2. Did you display your logo or company name in the body of the email?
  3. Did you also display your sender name to identify yourself?
  4. Is your communication to customers related to your products or services?
  5. Can your customer opt-out at the time the information is collected, and each time communication is sent?
  6. Does your content only relate to your own or similar products or services?
  7. Have you provided an address or a link to which the customer can send a request to opt-out?

6. What Happens If You Are Not Compliant?

The risks of non-compliance with POPI can include reputational damage, hefty fines and/or imprisonment, as well as paying out damages claims to data subjects, not to mention lengthy court battles and attorney fees if the claim ends up in court. It will be critical for franchisors and their support staff to ensure that they as well as each franchisee within their network is compliant as it will have an effect on the entire group if one party falls short on the requirements.

Though you may have chosen a reputable bulk email sending platform to use for your email marketing needs, the onus is still on you to ensure you use the data in a compliant way. Thus, franchisors need to confirm and verify if their systems and platforms pertaining to data and information is POPI complaint.

Source: TouchbasePro