POPI in a Nutshell

Introduction

The new Protection of Personal Information Act (POPI) was signed into law in November 2013. POPI is legislation similar to the UK’s Data Protection Act and aims to give effect to the constitutional right to privacy as enshrined in section 14 of our Consitution. POPI therefore prescribes some “rules” in terms whereof businesses will need to process all personal information (that qualifies as “personal information”in terms of POPI) in future.

POPI is not a bad thing. If you read about POPI on the internet, the picture may seem a bit gloomy. There is unfortunately also a lot of wrong information available on POPI on the internet. We therefore urge you to speak to someone with the relevant knowledge to assist you with interpreting the way in which POPI will apply to your particular business.

Implementation

It is important to understand that while POPI has been “signed into law”, therefore meaning that it is an Act (and no longer a Bill that may still change), the majority of provisions are not yet in force. This means that the majority of povisions cannot yet be enforced.

A commencement date will be published in the government gazette and after a one year period from the commencement date, all businesses will need to comply with the POPI requirements (unless the one year period is extended). In effect this means that there will be a “one year compliance period” for businesses to get their ducks in a row. Don’t be fooled by this….There is no quick fix for POPI and businesses should consider this as a “longer term” project. Therefore, the time is most definitly right to start your compliance project (if you have not done so).

POPI conditions

POPI is priciples based. This mean that POPI does not necessarily bed down hard and fast rules in all circumstances. No, POPI rather prescribes certain principles (similar to “good business practices” but with the intention to compel businesses to implement these practices) that all businesses will need to adhere to.

In further articles we will discuss the different conditions in more detail, but by way of summary you can consider the following:

  • In terms of POPI you need to identify the reason why you want to use the personal information and then only use it for those specific reasons. POPI refers to this as the “purpose of use”. The reason for this rule is that a person should be able to know for what reason you will use his or her information.
  • In certain circumstances you may only use (the Act talks about “process”) personal information if you have consent to do so. But note that you will still be able to use information in some instances even if you do not have consent.
  • You need to implement meassures to ensure that you do not lose personal information or share it with other businesses not entitled to have it.
  • People have the right to ask you what information about them you hold.
  • When you market products or services to people, they always have the right to opt out. In some instances you will not even be able to market to people at all without their consent.
  • POPI has implications for transborder flow of information (this will be important if you store information cross border or make use of cloud service providers for example).
  • POPI very specifically requires certain measures from you when you use service providers that will process personal information on your behalf.
  • POPI requires from you to deal with children’s information and “special information” (as defined in POPI) in a very specific manner.

Conclusion

POPI should not be a threat to your business. You can rather embrace this and use it as a differentiating factor, considering that your competitors may not yet be compliant.

Yes, penalties of up to R 10 000 000 could be imposed, but our view remains that reputational risk is a real factor that should also be considered. If you have not started your compliance project, the time is now. You can contact Jana van Zyl at jana@dommisseattorneys.co.za for more information.

Consumer rights in terms of the CPA

The Consumer Protection Act 68 of 2008 (CPA) provides for extensive protection of consumer rights. In preceding legislation we have seen provisions that also relate to consumer rights – these include for example the National Credit Act 38 of 2005 (NCA) and the Electronic Communications and Transactions Act 25 of 2002 (ECT Act).

The big difference however is that the consumer protection provisions of the NCA and ECT Act only apply in very specific instances – for example the NCA only applies to credit transactions and the ECT Act only applies to electronic transactions. The CPA on the other hand is different: the default position is that the CPA will apply (allowing consumers to rely on the CPA rights), unless an applicable exception exists. These exceptions are limited.

Generally speaking consumers have the following rights in terms of the CPA:

1. Right to equality
This right provides that consumers cannot be discriminated against on one of the discrimination grounds listed in the Constitution.

2. Right to privacy
The Constitution makes provision for the right to privacy in section 14 of the Constitution. The CPA gives effect to this right by providing for some privacy protection when it comes to direct marketing.

3. Right to choose
The CPA provision of the consumer’s right to choose extends to the consumer’s right to return goods.

4. Right to disclosure of information
The CPA aims to assist consumers by forcing suppliers to provide consumers with adequate information in order for them to make informed decisions.

5. Right to fair and responsible marketing
The CPA places a lot of emphasize on marketing activities. Suppliers must be fair in their marketing material and may not mislead consumers.

6. Right to fair and honest dealing
In terms of the CPA, a consumer can expected to be treated fairly and honestly.

7. Right to fair, just and reasonable terms and conditions
Similar to the NCA, the CPA provides for a list of terms that

8. Right to fair value, good quality and safety
Consumers are entitled to receive goods or services that are of good quality, in good working order and free of any defects.

Consumer rights will not mean much if they cannot be enforced. The CPA therefore makes provision for various forums through which the consumer can address alleged breach of the CPA – without necessarily going to court. Not all of these forums are operative as yet, however the National Consumer Commissioner has been appointed and the National Consumer Commission have received complaints from unsatisfied consumers as from 1 April 2011.

Be sure that you know your consumers’ rights. And be sure that you know when an opportunistic consumer is using the CPA to try to enforce rights that he or she does not have in terms of the CPA.

Forfeiture Provision Of The NCA Declared Unconstitutional

The Cape Town High Court delivered a judgment during April 2012 (Opperman vs Boonzaaier and Others Case No. 24887/2010) in terms whereof section 89(5)(c) of the National Credit Act 34 of 2005 (“NCA”) was declared unconstitutional. The majority of the Constitutional Court has now confirmed the order of invalidity.

Background factual information:
Opperman lent Boonzaaier roughly R 7 million in terms of three written loan agreements. Boonzaaier was unable to repay the debt and during the subsequent application for his sequestration, the question was raised whether section 89(5)(c) was unconstitutional. In terms of
this section a credit provider loses his right to claim back money which has been lent to a consumer if he was not a registered as a credit provider when making the loan. Section 40 of the NCA requires a person who is a credit provider under at least 100 credit arrangements or to whom the total principal debt owed in terms of all outstanding credit agreements exceeds R 500 000.00, to be registered as a credit provider in terms of the Act. If such a credit provider fails to register, the credit agreement would be void. In this case, Opperman was not registered as a credit provider as he was not aware of the requirement of registration.

Constitutional Court Judgment
The majority of the Constitutional Court found that section 89(5)(c) resulted in “arbitrary deprivation of property in breach of section 25(1) of the Constitution”. It was further confirmed that the deprivation was not a reasonable and justifiable limitation of the right to property, because the said section compelled a court to declare an agreement such as the one in this matter to be void and compelled the court to order that the unregistered credit provider’s right to restitution be cancelled or forfeited to the state. No discretion is allowed under section 89(5)(c) and by removing a credit provider’s right to claim restitution, he is being deprived of property. In light of the above, the section was found to be unconstitutional. This judgment will no doubt be viewed as a welcome relief to credit providers who, in good faith, lend large amounts of money without being aware of the requirement that they register as a credit provider under the NCA.

Strip the legal jargon from your documents – your consumer does not understand it!

‘Plain language’ or ‘easy speak’- call it what you want, but you need to use it: the Consumer Protection Act (CPA) requires all ‘suppliers’ to draft their customer facing documentation in a manner that their average consumer will understand. Some love this idea and others (lawyers
especially) hate it.

But what does this mean to you in your relationship with your consumer? Can the consumer demand to receive documentation in his or her home language? Does it mean that each and every consumer who enters your outlet must understand every clause in all of your agreements? The CPA deals with “plain language” in section 22 of the Act where it sets out that documentation must be provided in “plain language”, meaning that “an ordinary consumer of the class of persons for whom the notice, document or visual representation is intended, with average literacy skills and minimal experience as a consumer of the relevant goods or services, could be expected to understand the content, significance and import of the notice, document or visual representation without undue effort”.

From this it follows that if your documentation is reasonable, in that your average consumer will understand it, then it will pass the test even if not every individual consumer understands all clauses 100%. It is a given that your average consumer is unlikely to understand Latin terms, so don’t use them. The same goes for technical terms or warranty terms – explain these in a simple way so that your consumer will understand them.

It is interesting to note that the CPA does not require suppliers to translate their documents into more than one of the official languages. This approach differs from the approach in the National Credit Act (NCA), which requires credit providers to draft and adhere to a language policy – sometimes requiring that documentation be made available not only in English.

BUT: even if your documentation is written in plain language, if it was clear to you that the consumer did not understand the agreement at all, and you nevertheless continued to enter into the agreement, this will not comply with the CPA. In terms of section 40 it is unconscionable for a supplier knowingly to take advantage of the fact that a consumer was substantially unable to protect his own interests because of physical or mental disability, illiteracy, ignorance, or inability to understand the language of an agreement.

If you are in doubt about the language used in your customer facing agreements or terms and conditions, we can help you to translate your documentation from “pre – CPA” to “plain language as required by the CPA” (and NCA).

The Consumer Protection Act (CPA) regulates your marketing activities

I have previously heard someone saying: “Now that the CPA is in effect, it will be almost impossible to be creative in one’s marketing material – future marketing will be boring!”

Whether this is true or not is debatable, but the bottom line is that marketers need to be careful: the CPA provides for some clear rules when it comes to marketing. Some marketing practices are being prohibited outright whereas other marketing practices are allowed, but regulated strictly. There are in addition some general rules that apply to all types of marketing.

The intention of the CPA’s marketing provisions is clear: you may not mislead your consumer! This means that you will need to consider your marketing material and be sure that your average consumer will understand the message and not be misled.

There are a number of CPA sections dedicated to marketing. The reason is obvious: in our country there are a lot of uneducated and vulnerable people who may in the past have been lured into purchasing products or services for which they had no use. Because marketers were so clever and portrayed a convincing, but untrue, message about certain products which ultimately induced consumers to buy them, the legislator deemed it appropriate to provide some protection to these vulnerable members of society by creating rules that apply to marketing activities. The rationale of these rules is therefore that people should not be persuaded to spend their hard-earned money on products or services that do not have the qualities being portrayed in the marketing material.

We will discuss the various different marketing provisions in more detail in future posts. For now it is important to take note of the following:

  • The general rule is that your marketing material may not be “false, misleading, or deceptive” in any way – whether direct or indirect;
  • Some forms of marketing are prohibited. These include bait marketing (where you “bait” potential consumers into your stores while you know that you do not have stock of the ‘bait item’ to sell to them) and negative option marketing (where the consumer will be deemed to enter into an agreement if the consumer does not clearly decline a particular offer);
  • Promotional competitions, loyalty schemes, promotions and catalogue marketing all have a lot of rules that apply to them and each time that you run any of these types of campaigns, you need to consider the rules very carefully to ensure that your campaign will comply with the CPA requirements;
  • Direct marketing is not prohibited by the CPA as some people may believe. BUT a lot of rules apply, and once the Protection of Personal Information Bill comes into effect, even more rules will apply.

About Dommisse Attorneys
Dommisse Attorneys can assist you with your marketing campaigns to ensure compliance in terms of the CPA. For more information you can contact us by sending an email to info@dommisseattorneys.co.za

POPI: Is “consent” the beginning and the end?

True or false: if you do not have the person’s consent, you cannot use his personal information? From a lot of articles available on the internet, it would seem that the answer to this question must be ‘true’. But is this really the case? Can it be true that unless, for example, I consent to you collecting on debt (money that I owe you and that you are entitled to collect from me in terms of the law) you may not process my personal information and you may not share it with debt collectors? Surely this cannot be the case.

The answer lies in section 11 of the Protection of Personal Information Bill (POPI), which is anticipated to soon come into effect. Section 11, “Consent, justification and objection”, forms part of the second condition for lawful processing, named “processing limitation”. The aim of this condition is, in general, to make the responsible party aware of the fact that that there are some limitations on the processing of personal information and gone are the days where a responsible party could process personal information as and how it pleased.

A lot of people make the mistake of only reading section 11(1)(a) which states that: “Personal information may only be processed if— (a) the data subject or a competent person (where the data subject is a child) consents to the processing”. These people then take the view that if there is no consent, the processing will not be allowed. However, section 11 also makes provision for other justification grounds – meaning that even though there is no consent, the responsible party can “justify” why he is processing the personal information through other means.

The other justification grounds include the following:
1. If the processing is necessary for concluding a contract to which the data subject is a party or it is necessary to perform under such contract;
2. If the processing complies with an obligation imposed by law on the responsible party (an example might be processing for purposes of complying with legislation such as RICA or FICA);
3. If the processing protects a legitimate interest of the data subject;
4. If the processing is necessary for the proper performance of a public law duty by a public body;
5. If the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

From this it is clear that even if you do not have the data subject’s consent to process personal information in a particular situation, the law may still allow you to process it if you are able to rely on one of the grounds listed above.

It is important to understand however that different rules will apply to electronic direct marketing. This is dealt with in a separate section of the Bill – section 69. We will provide more information on this in a separate post in due course

Promotional Competitions: The Do’s and The Dont’s

We have all received the phone call or sms to say: “Congratulations, you have won!” (Often some exotic holiday), only to find out that you have not won any prize! You are no winner! Oh no! Now you need to attend some meeting, or purchase “points” in terms of some kind of scheme. So where is the so called prize?

This recently happened to someone I know. He received a sms – informing him that he had won R950 000. So we phoned… and what a surprise, after some questions and statements from our side (including of course a reference to the CPA), the person on the other side hung up. And hung up again when we tried to phone again. And again.

So what does the law say?

Before the Consumer Protection Act 68 of 2008 (“CPA”) came into effect, promotional competitions were governed by the Lotteries Act 57 of 1997 and Regulations. These pieces of legislation were difficult to interpret, which resulted in a lot of confusion and difficulty in compliance with the requirements. Since the enactment of the CPA, promotional competitions are regulated by section 36 and regulation 11 of this Act. The CPA does not outlaw promotional competitions. BUT: it regulates promotional competitions – meaning that a lot of rules apply.

A few of the DO’s:

  1. Check your “offer” to participate (your marketing material) – you need to specify some information during this process (participants should know what they are in for);
  2. Compile competition rules in accordance with the CPA requirements;
  3. Instruct an independent party to oversee and certify the conducting of the competition;
  4. Retain some specified documentation for a period of 3 years.
  5. A few of the DON’TS
  6. Don’t tell anyone that they have won a competition if they have not actually won it;
  7. Don’t charge an entry fee (a requirement that a participant must purchase goods or services to enter will be allowed in certain circumstances);
  8. Don’t force the winner to be present at the prize draw;
  9. Don’t force the winner to participate in marketing activities;
  10. Don’t charge more than R 1.50 for an electronic entry.

We are geared to assist promoters with the review and drafting of their customer facing documentation for promotions, competitions and similar campaigns. We can also assist with the actual prize draw (or oversee the process) and report on your compliance with the provisions of the CPA.

Amendments to the National Credit Act

The National Credit Act (NCA) came into effect on 1 June 2007. One of the objectives of the NCA was to stop credit providers from providing credit to consumers who could not afford the credit. Six years down the line and the unfortunate reality is that a rather large percentage of credit consumers are in fact over-indebted. Fingers often point to credit providers and whether their business practices are in line with the NCA requirements. It is therefore imperative that credit providers revise their processes to ensure that they conduct business in accordance with the spirit and intent of the Act.

Considering the current credit position in our country, it is clear that despite the good intentions of the Act, some of the content needs clarification. On 29 May 2013 the Department of Trade and Industry therefore published the draft Amendment to the Bill, together with the draft Policy Review Framework, with the stated aim being to address problem areas identified in the practical
application of the NCA.

Some of the proposed amendments apply to the following aspects of the Act:

1. Amendments to some definitions like the definition of “lease” and “secured loan”;
2. Registration of debt counsellors;
3. Cancellation of registrations;
4. Changing the conditions of registration;
5. Suspension of reckless credit agreements;
6. Consent of spouse where married in community of property;
7. Registration and accreditation of alternative dispute resolution structures and agents.

Depending on your business model, some of the proposed amendments may have a big impact on your business operations. It is therefore necessary that you review current practices, and also consider the approach that the National Credit Regulator is likely to take in future.

Consumer law expert Jana van Zyl rounds out Dommisse Attorneys team

Commercial law firm Dommisse Attorneys has been joined by new partner Jana van Zyl, an expert in consumer law, following the firm’s recent acquisition of RTK Attorneys.

“Jana’s presence on the team means we can offer a rounded set of compliance and commercial skills to our clients,” says lead partner Adrian Dommisse. Many of the firm’s clients are in the ICT industry, and Dommisse says there is an increasing need for guidance on how to comply with the raft of new consumerrelated legislation that has been introduced in recent years.

The more recent laws include not just the Consumer Protection Act (CPA), but also the National Credit Act (NCA), the Electronic Communications and Transactions Act (ECT), and more recently the Protection of Personal Information Bill (POPI) which is expected to be enacted soon.

“POPI compliance will need to be considered by any business who processes information” says Van Zyl, who is assisting several large clients in the retail industry, “and a compliance project can be a significant exercise. Typically one would conduct a gap analysis, develop an action plan and then help the client to implement appropriate business processes.”

On CPA side, Van Zyl says clients also often ask for one-off consultations and opinions relating to the application of the CPA to their particular business operations. These could include everything from the wording of customer facing documentation, policies and competition terms to how to practically implement a particular section of the legislation.

“Training is a fairly large component of what I do,” she adds. “A number of common practices around marketing and promotions, for example, have had to change with the introduction of the CPA and POPI will add to that once enacted. Clients often need in-depth training before they can understand and implement the new laws in their everyday business practice.”