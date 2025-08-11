South Africans using call screening apps that require them to share their address books should be aware that these apps could be violating the Protection of Personal Information Act (Popia).

South Africa’s Information Regulator recently confirmed it was investigating a complaint against one such popular app, Truecaller, following lobbying by several companies and individuals.

Companies have complained that the app harms their businesses because it flags their numbers and charges a fee to be whitelisted.

A small Internet service provider (ISP) told MyBroadband that it hoped the app would be banned. “They create a platform where they allow anyone to say anything about your business, good or bad, even swear words,” they said.

“For a ridiculous fee — $590 (R10,448) per month for 5,000 calls — they will whitelist your number so your business can get through to clients again,” the ISP said.

Truecaller has become a must-have app for many people worldwide who have become frustrated with telemarketing spam.

However, the issue is that Truecaller’s effectiveness is due to its crowdsourcing features, some of which potentially violate South African privacy laws.

The app relies heavily on users giving it access to their phone’s address books and call logs to build its number database.

While Truecaller does not upload address books “to make them searchable” as is, the information is nonetheless extracted into the app’s database.

When a number that is not in someone’s own address book calls a Truecaller user, the app checks the number against its database.

Two legal experts previously told MyBroadband that the app’s crowdsourcing mechanisms likely violated Popia, even though Truecaller’s terms and conditions attempt to shift legal accountability.

Truecaller explains that it requires users to confirm they are authorised to share their contacts’ information — an attempt to comply with the consent requirements of privacy legislation worldwide.

However, Norton Rose Fulbright’s Rosalind Lake has explained that this blame-shifting was unlikely to survive scrutiny under Popia.

Truecaller must notify non-users of data usage

Lake said that Popia requires “responsible parties” — which would include Truecaller in this case — to notify data subjects how it will use, store, transmit, and access their personal information.

This includes cases where the data is not collected directly from the subject, like when a Truecaller user shares that subject’s address book with Truecaller.

“These notification requirements are usually fulfilled through a privacy policy,” Lake explained. “It appears that Truecallers’ privacy policy places this obligation on the user,” Lake said.

Lake said this approach did not comply with Popia when considering the way in which Truecaller functions.

“If you are reporting a number as spam, you are hardly going to phone them to tell them that their number has been added to the database,” Lake said.

“In this situation, the user of the app would not be considered a responsible party when it consents to provide access to its phone book.”

Lake said Truecaller was the one who requests access and use of the information, which means it is responsible under Popia.

Lake said that although a Truecaller user could be technically considered an “operator” for the app, there must be an agreement in place between Truecaller and them with certain operator obligations.

Truecaller’s sharing of third-party data with explicit consent could also have more severe consequences.

“There have been some circumstances reported where a person’s safety may be compromised by their name being on the database — such as a journalist working undercover,” Lake said.

Werksmans Attorneys’ Ahmore Burger-Smidt echoed Lake’s views, questioning the basis on which Truecaller is processing all the contract information that a user holds.

“It is very difficult to motivate for this to be done on the basis of a legitimate interest,” she said. “It is entirely possible that individuals do not have any knowledge of this use of their data at all.”

“This means that they are being denied their rights as data subjects in terms of Popia and that their privacy is being infringed.”

When previously asked about accusations that it was violating Popia, Truecaller said it did not want to speculate on the various legal opinions on the subject.

However, Truecaller says it allows people to unlist their numbers from the app, and it is up to users to obtain consent to share people’s numbers, which is a form of opt-out.

“This way, the inherent fundamental right of users to know who is calling them is balanced with any person’s desire to be unlisted,” Truecaller said.

“This way, we endeavour to make users’ communication safe and trustful and help them to save themselves from potential fraud and other crimes.”