Subscribe to Newsletter
Direct marketing – Unpacking the conflict between the amended CPA Regulations & POPIA
21 May, 2026
Featured | Regulation & Compliance

 

Lize de la Harpe, Senior Legal Advisor: Regulatory Unit at Sanlam

 

The Consumer Protection Act (CPA) Amendment Regulations, 2026, gazetted on 15 April 2026, introduced a mandatory national opt-out registry to curb unsolicited direct marketing.

 

Let’s unpack exactly how these regulations fit in with section 69 of Protection of Personal Information Act, 2013 (POPIA).

 

Direct marketing in the context of POPIA

 

POPIA defines “direct marketing” as approaching a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject or requesting the data subject to make a donation.

 

Electronic communication”, in turn, is defined as any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

 

When direct marketing is conducted by means of unsolicited electronic communications, additional rules apply – these are set out in Chapter 8 (section 69) titled “Rights of data subjects regarding direct marketing by means of unsolicited electronic communications, directories and automated decision making”.

 

In essence, section 69(1) prohibits direct marketing by means of unsolicited electronic communications unless certain conditions are met.

 

These conditions are:

 

  1. Where the data subject has given consent, or
  2. Where the data subject is a customer of responsible party if:
    1. the responsible party obtained the contact details of the data subject in the context of the sale of a product or service; and
    2. for the purpose of direct marketing of the responsible party’s own similar products or services; and
    3. the data subject has been given a reasonable opportunity to object free of charge.

 

Concept of consent

 

As stated above, one of the exceptions on the prohibition of direct marketing by way of unsolicited electronic communications is where a data subject has consented.

 

It is extremely important to remember that consent is a specifically defined concept in POPIA.

 

As such, for such consent to be valid, it must meet the following requirements:

 

  1. it must be an expression of will,
  2. given voluntary,
  3. be specific, and
  4. be informed.

 

The problem

 

The amended regulations mainly amend Regulation 4 of the CPA Regulations published in 2011, which deals with mechanisms to block direct marketing communication.

 

In essence, from 15 April 2026, direct marketers may not directly market any goods or services to any consumer who has registered a pre-emptive block.

 

All marketers are required to register on the opt-out register administered by the National Consumer Commission (NCC) and pay an annual fee.

 

Marketers have the duty to “cleanse” their contact lists against an this opt-out register monthly.

 

“Cleansing” is defined as the process of removing consumers who have opted‑out of any electronic communication from a direct marketer’s database, ensuring they are no longer contacted.

 

It is clear from the wording of the amended regulations that it implies an opt-out of direct marketing by means of electronic communication. This conflicts with section 69 of POPIA in terms of which you need a data subjects’ consent (opt-in) to direct market to them by means of unsolicited electronic communication, unless they are an existing customer (and then limited to the responsible party’s own similar products or services). Failure by a data subject to register a pre-emptive block does not amount to consent for purposes of section 69 of POPIA.

 

Conclusion

 

  • During a workshop held on 12 May 2026, the Information Regulator specifically addressed this problem and noted that her office did provide comment on this issue when the regulations were still in draft form. It is, however, evident from the final wording that their comments were not taken into account.

 

  • Be that as it may, all responsible parties are required to ensure that all processing of personal information is lawful – and in order to be lawful, it must comply with the conditions as set out in POPIA. As such, it is advisable to ensure that any direct marketing campaign that involves direct marketing by means of unsolicited electronic communication meets the requirements as set out in section 69 of POPIA.

 

Ed’s note: I’ve done the google search for you, register for the Consumer Opt-Out Registry here.

 

ENDS

Author

@Lize de la Harpe, Sanlam
+ posts
Share on Your Socials

Share

Subscribe to the EBnet Daily Newsletter and WhatsApp Community for the latest retirement funding, financial planning, and investment news, along with market updates and special announcements.

Subscribe to

Thank You. You have been subscribed. Please check your emails for a confirmation mail.