The Consumer Protection Act (CPA) and the Consumer Protection Act Regulations (GNR.293 of 1 April 2011) set out the relevant conditions relating to spam.
The CPA deals with spam through provisions and regulations dealing with “direct marketing”. This is defined as approaching a person, in person or by mail/electronic communication, for the direct/indirect purpose of promoting/offering goods/services or requesting a donation.
The CPA requires that
- recipients are able to refuse to accept, request discontinuation or pre-emptively block direct marketing communications;
- the sender/direct marketer must confirm unsubscribe requests in writing;
- the opt-out request must be respected, as must any pre-emptive block registered; and
- no fee may be charged for any opt-out or for the registration of a pre-emptive block by a consumer.
The CPA contemplates a Do Not Contact Registry (DNCR) which will serve to register any pre-emptive block. This DNCR will operate nationally and is required to ensure that the block registered becomes effective after 30 days.
The DNCR is required to have sufficient security arrangements in place to prevent manipulation, theft or loss of data in the registry. The DNCR is also required to comply with any laws relating to the protection of personal information or privacy. Direct marketers are required to register with the DNCR, providing certain details. The DNCR should have screening and validation processes in respect of its employees working with the information collected in the registry and any person wishing to register as a direct marketer.
A direct marketer wishing to send commercial communication is required to first query the DNCR to check whether a block has been registered. It is not allowed to send the communication without first querying the DNCR and receiving confirmation that no block has been registered. (Note: This does not apply to existing clients, where the direct marketer has proof that the consumer has expressly consented to receiving direct marketing from the direct marketer, which consent was provided after 1 April 2011).
The following information may be registered:
- name, ID number, passport number, telephone number, mobile number, facsimile number, email address, postal address, physical address, URL or any other identifier;
- a pre-emptive block for any time of the day or any day of the year; or
- a comprehensive prohibition for any medium of communication, address or time whatsoever.
The administrator of the DNCR is bound to the following terms:
- It may not provide, sell or otherwise dispose of a consumer’s information without the consumer’s express written permission, or by order of court or operation of law;
- Where the DNCR is queried in respect of a consumer, it may only confirm/deny the registration of a block and may not release any other information. Only direct marketers who have registered and confirmed their details may be supplied with this information from the registry; and
- On request by a consumer, it must provide a copy of any query made on that consumer and the registry’s reply, as well as the identity, registered address and contact person of the direct marketer who submitted the query.
Suppliers may not engage in direct marketing directed at consumers at home during the following hours/days:
- on Sundays or public holidays;
- on Saturdays, before 09h00 and after 13h00; and
- every other day, between the hours of 20h00 and 08h00 the following day.
The consumer may be contacted during these days/times where the consumer has explicitly/impliedly requested or agreed otherwise.
It is too early to make an assessment of the effectiveness of the spam management system set out in the CPA, but it is certainly an improvement on section 45 of the ECT Act. It seems unlikely that there will be a functioning DNCR operating in 2011 and, at this stage, it appears that the DMASA is the leading contender for the operation of a DNCR.
Concerns have been expressed about the limited reach of a DNCR in a country like South Africa and the fact that a person who has not registered a block will effectively be ‘legitimised’ for the purpose of direct marketing.
But perhaps the biggest concern – and it is certainly one which would make us think twice about advising someone to use the DNCR – lies in respect of the security of the information held. There are too many serious security breaches reported every week and DNCRs in other countries that have proved vulnerable to hacking to allow for a great deal of confidence that a database so attractive won’t be compromised.
Certainly those registering blocks should do so selectively and so as to register the minimum amount of personal information. Why, for example, they should need a consumer’s ID number is not clear to us.