SA, the CPA and spam

The new Consumer Protection Act allows South Africa customers to opt out of unsolicited marketing communications, which is definitely a step in the right direction. However, according to PIETER STREICHER, MD of BulkSMS.com, customers need to understand the limitations of this new law and companies need to be ready to comply with it.

There is no denying that the launch of the Consumer Protection Act (CPA) ‚do not contact registry‚ to allow South African customers to permanently opt-out of all unsolicited marketing communications will be a massive step forward for consumer rights. But customers need to understand the limitations of the mechanism, and companies need to be ready to comply with the new law, especially smaller companies need to consider the implications of having to regularly query the database.

Thanks to the CPA, consumers will be able to add their contact details to the registry and so block direct marketing communications from all companies, even those that they might have previously given permission to contact them. But consumers need to realise that the registry is somewhat of a blunt instrument ‚ once you have added your details, you would have to sign up again with companies that you do want to hear from.

The other warning for consumers is that, despite the CPA finally coming into effect on 1 April 2011, the development of the registry has only just gone out to tender. Building the registry is no small task, as it needs to allow companies to quickly query it on a regular basis, and a best guess is that it will take another one to two years to be set up.

Despite my comments about it being a blunt instrument, the registry is a vast improvement on the current system from a consumer’s point of view:

Currently the Direct Marketing Association (DMA) manages an opt-out list that only its members are obliged to comply with. Under the CPA, anyone marketing to a consumer has to comply.

While the DMA emails the list to its members ‚ which is clearly a massive security risk – the CPA registry will keep the contact details secure. Companies will submit their lists to the registry and then be told who they can legitimately contact.

The DMA list only applies to third party lists, and not to companies that the customer initially gave their contact details to directly. The CPA registry will override previously given explicit consent to companies for direct marketing messages.

The CPA criminalises companies who spam consumers, whereas the DMA works on an industry regulation basis.

From an SMS point of view, the registry will go a long way to cutting down on SMS spam, but only for those on the registry. Recently spammers have been bypassing industry regulations such as the WASPA Code, by using international messaging routes. The CPA will apply to all companies including network operators, regardless of which messaging routes they use.

For those consumers not on the registry, the CPA provides no protection against spam or the buying and selling of their personal details. This will change once the Protection of Personal Information Bill (POPI) is enacted. The POPI Bill requires that businesses obtain personal details directly from the data subject. Companies may not obtain personal details from third parties unless they have the explicit consent of consumers to do so.

Companies should be gearing up to comply with the CPA once the do not contact registry becomes available.

But smaller companies who can’t afford the financial and operational overheads of querying the database themselves need to tread carefully. Companies that do not query the registry will be unable to legally send direct marketing communications to their own customers even if they have received consent, because according the law, if a company doesn’t check the database, it has to assume that everyone is registered on the do not contact registry, and the registry overrides explicit consent previously given.

A solution for these companies is to take advantage of a third party channel that does interrogate the do not contact registry. Businesses should ensure that the WASP they choose to send SMS communications does check the registry once this becomes available, and be sure they are complying with the law.

So smaller companies do have alternatives to the overheads of querying the registry themselves or face a marketing channel being unavailable to them. Of course, at the end of the day, playing by the rules is better for the consumer and the efficacy of companies’ marketing messages.