Warning to South African businesses using new SMS spam tactic

South African companies requiring people to opt out of direct marketing SMSs via mobile apps are violating the country’s privacy laws.

That is according to two legal experts at law firms Webber Wentzel and Fairbridges Wertheim Becker.

MyBroadband recently noticed that Vodacom was not offering the ability to opt out of direct marketing by responding to SMSes advertising its VodaPay app and special offers.

Instead, the mobile network requires that users uncheck SMS direct marketing under the notification settings in the VodaPay app.

That applies not only to existing users, but also former users who may no longer have the app on their device.

One former VodaPay user who was not a Vodacom customer kept getting spammed with SMSes that he could not stop unless he redownloaded the app.

In addition to consuming data to get the app, he had to reset his PIN because he had long forgotten his VodaPay account details before he could stop the messages.

Consumer rights expert Wendy Knowler told MyBroadband she believed Vodacom violated the Protection of Personal Information Act (Popia).

She argued that marketers were not allowed to dictate through which channel a person, referred to in the law as a “data subject”, must opt out.

Vodacom told MyBroadband that VodaPay does not use text messages as a conversational channel and said the service could not detect when a customer installed the app or ported to another network.

“Customers can always download and install the app again,” they said. “Upon registration, a VodaPay customer is immediately able to update any permissions, including marketing and notification preferences.”

MyBroadband has since learnt that several other prominent businesses in South Africa — including at least two large banks — are using the same tactic.

They may want to reconsider this approach or risk being targeted by the Information Regulator, which enforces Popia.

Each communication must include opt-out

Webber Wentzel partner Wendy Tembedza, a technology lawyer with expertise in data protection and privacy laws, recently told MyBroadband that this practice fell short of Popia’s requirements.

She explained that Popia regulated direct marketing by means of unsolicited electronic communications, including SMSs.

“One of the aims of Popia is to give consumers rights in relation to direct marketing, specifically the right to choose whether to receive marketing communications or not,” Tembedza said.

“Failing to give this option to customers in marketing SMSs contravenes the customer’s rights in this regard.”

Specifically, Section 69 of Popia requires that a marketing entity must provide an opportunity to object to direct marketing in each communication engagement with a customer.

“In each SMS, the customer must be given an opt-out option,” Tembedza said.

Tembedza said that the position was reinforced in the Guidance Note on Direct Marketing issued by the Information Regulator.

In accordance with Knowler’s view, Tembedza said the law implicitly dictates that a responsible party cannot elect the channel through which consent can be withdrawn.

That is especially relevant where the elected channel is not the channel through which the communications are sent.

Fairbridges Wertheim Becker director Jodi Poswelletski also argued that the practice was not aligned with Popia.

Poswelletski explained that the opt-out option must be reasonable, free of charge and offered in a manner free of unnecessary formality.

According to Powelletski, requiring opt-out via mobile apps makes the process more tedious and is not free, which means it does not meet Popia’s requirements.