Khanyitas

POPIA and Direct Marketing: What the Section 69 Opt-In Rule Means for Your Business

23 May 2026 · SA marketers and small business owners

POPIA and Direct Marketing: What the Section 69 Opt-In Rule Means for Your Business

If your business sends promotional emails, SMS messages, or WhatsApp blasts to customers or prospects, POPIA's rules on electronic direct marketing apply to you. Section 69 of the Protection of Personal Information Act sets out when and how you may contact people for marketing purposes — and it draws a clear line between permitted and prohibited contact.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA as enacted. It is not legal advice. For your specific situation, consult a qualified attorney.

---

What Section 69 Actually Says

POPIA section 69 deals with direct marketing by means of electronic communication — think email, SMS, automated calling systems, and internet-based messaging. The core position the Act takes is an opt-in model:

The Information Regulator's published guidance reinforces this framing: unsolicited electronic marketing without prior consent is, as a general rule, not permitted under POPIA. You can read the Regulator's guidance documents at inforegulator.org.za.

---

The Two Permitted Pathways

1. Express prior consent

The first and clearest route is obtaining explicit, informed consent before sending any marketing communication. POPIA section 11 sets out the requirements for valid consent more broadly: it must be voluntary, specific, and informed. Applied to direct marketing, this means:

2. The existing customer relationship exception

Section 69 also contemplates a narrower exception where a business has obtained a customer's contact details in the context of a sale or negotiation of a sale of a product or service. Under this exception, the business may use those details to market its own *similar* products or services — but only if:

This exception does not open the door to broad, unrelated marketing. The products or services marketed must be similar to those involved in the original transaction.

---

The Right to Object

Even where contact is initially lawful, data subjects retain the right to object to further processing of their information for direct marketing purposes. POPIA section 11(3) specifically recognises a data subject's right to object to processing, and section 69 gives that right particular force in the marketing context. Once someone opts out, the Act's position is that their objection must be respected and further marketing communications should stop.

Practically, this means every marketing message should include a functional, easy-to-use unsubscribe or opt-out mechanism — not a broken link or an instruction to reply to an address that nobody monitors.

---

What About WhatsApp and Social Media DMs?

The Act refers to "electronic communication," which is broad. While the Information Regulator has not published a definitive ruling on every channel, the general principle — consent before contact for marketing — is understood to apply to electronic channels beyond just email and SMS. If you are using WhatsApp Business, social media direct messages, or similar tools for promotional outreach to people who have not asked to hear from you, the same underlying question applies: do you have a lawful basis to contact them?

For platform-specific questions, consult a qualified practitioner who can assess your particular setup.

---

Common Mistakes to Avoid

Buying or renting contact lists. Purchasing a database of email addresses or phone numbers and then marketing to those people without their consent to receive *your* communications is high-risk territory under POPIA. The fact that someone consented to marketing from the list vendor does not mean they consented to marketing from your business.

Assuming a business card is consent. Someone handing you their card at a networking event has given you their contact details — not their consent to be added to your newsletter.

Pre-ticked consent boxes. A checkbox that is already ticked when a user lands on your sign-up form does not demonstrate active, informed consent.

No opt-out in messages. Every direct marketing communication should make it straightforward for the recipient to stop receiving messages.

Ignoring opt-out requests. Continuing to send messages after someone has unsubscribed is one of the clearest ways to fall foul of section 69.

---

What Happens If You Get It Wrong?

The Information Regulator has the authority to investigate complaints, issue enforcement notices, and — in serious cases — refer matters for prosecution. Penalties under POPIA can include fines and, in certain circumstances, imprisonment. The Regulator's enforcement pages at inforegulator.org.za set out the complaints process that data subjects can use.

Beyond formal enforcement, non-compliance damages customer trust — and for small businesses, that reputational cost is often more immediate than a regulatory penalty.

---

Practical Steps Worth Considering

  1. Audit your current lists. Where did each contact's details come from, and do you have a documented lawful basis for marketing to them?
  2. Review your consent wording. Is it specific, clear, and unticked by default?
  3. Check your opt-out process. Does it work? Does someone actually action unsubscribe requests?
  4. Keep records. Documentation of how and when consent was obtained is important if a complaint is ever made.
  5. Get advice on edge cases. If you are unsure whether a particular channel or list qualifies under the existing-customer exception, speak to a qualified attorney.

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA as enacted. It is not legal advice. For your specific situation — including your specific marketing channels, customer lists, and consent records — consult a qualified attorney.

*Primary source: Protection of Personal Information Act 4 of 2013, available at gov.za. Information Regulator guidance: inforegulator.org.za.*