With the Protection of Personal Information Act (POPIA) set to come into full effect tomorrow, many South African companies have been sending messages to customers to notify them of their rights under the act.
This includes the ability to opt-out of marketing communications and informing clients about how they can access and manage the private information that the company processes about them.
As a result, a chain message has spawned that is doing the rounds on the platforms like WhatsApp and Telegram.
The message claims that “administrators will be required to obtain your consent for being part of this WhatsApp group”.
It further asked that members do not use other people’s names and phone numbers visible in the group chat without first obtaining consent.
The message is reproduced below.
PROTECTION OF PERSONAL INFORMATION (POPI) ACT
We just need to share a POPIA disclaimer as all WhatsApp groups need to adhere to the Act from 1 July 2021.
As we all know the compliance due date for the Protection of Personal Information Act, 4 of 2013 (“POPIA”), being 30 June 2021, is steadfastly approaching. This deadline brings a few changes.
One of these changes is that the administrators will be required to obtain your consent for being part of this WhatsApp group. As such, you are herewith notified that you are entitled to refuse such consent and you may exercise such a right by leaving this group.
Should you elect to remain in this group, it will be accepted that you have consented to being a part of this group and to your personal information (being your cell phone number and name) being noticeable to any person in this group.
In this regard, we implore on all members of this group not to make use of such personal information for whatsoever reason, without obtaining the consent of the relevant person.
Do NOT reply to this Notice. If You Do NOT want or Need 2b On Group Feel Free to remove Yourself.
MyBroadband asked several top South African law firms specialising in POPIA about this message. Their feedback was unanimous — most group administrators don’t need to send out a message like this.
John Giles, the managing attorney at Michalsons, further suggested that people read the guide on “How to Use WhatsApp Responsibly” published on the chat app’s website.
The video from the guide is embedded at the end of the article.
Wilmari Strachan, the executive for technology, media, and telecommunications at ENSafrica, said there are some nuances worth noting.
“That would depend on the type of group,” said Strachan, explaining that POPIA does not apply to the processing of personal information in the course of a purely personal or household activity.
“So no need to send this to all your family groups — unless you’re really bored.”
However, WhatsApp is also often used for more formal groups, such as school classroom groups, where you get added whether you like it or not. For these, Strachan said, it might be prudent that groups post a notice and basic rules.
“Persons or businesses that create groups to market their goods and services must get consent.”
Strachan said that they recommend that when you create a non-personal group, you rather send someone a link to join if they want to, instead of simply adding them.
Ahmore Burger-Smidt, the director and head of data privacy practice at Werksmans Attorneys, also emphasised that the POPIA is clear when it states that it does not apply to purely personal or household activity.
“If this is what the legislation spells out, I find it utterly bizarre that this message is addressed to all WhatsApp group admins and in fact that group admins now in a huff and puff post it!”
Burger-Smidt said that this demonstrates the complete lack of understanding of what the legislation entails and when it applies.
“You cannot fool yourself to think now that you are forcing someone to consent that all is fine in the land of POPIA compliance.”
Burger-Smidt also said that it is different for a business on the WhatsApp Business platform — then consent may be required.
“We need to remind ourselves that the POPIA legislation provides for lawful processing of personal information on the basis of, amongst others, entering into a contract or then contractual obligations or if there exists a legitimate interest i.e. the legitimate interest of the responsible party (company) or a third party.”