Direct marketing

Section 69: electronic marketing and the once-off consent ask

Email, SMS and automated calls are opt-in — with a single statutory chance to ask a prospect for consent, in the prescribed form.

Published Last reviewed 8 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Section 69(1) prohibits electronic direct marketing — automatic calling machines, fax, SMS, email — unless the data subject has consented or is your customer. Section 69(2) gives you one statutory chance to ask a non-customer for consent, in the prescribed manner and form; since April 2025 that request may be made by email, phone, SMS or WhatsApp, telephonic requests must be recorded, and regulation 6.4 confirms that opt-out can never constitute consent.

On this page

The prohibition — and its two doors

Source — the actual words

“The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject— (a) has given his, her or its consent to the processing; or (b) is, subject to subsection (3), a customer of the responsible party.”

Protection of Personal Information Act 4 of 2013, s 69(1)Read it on Dept of JusticePDF

Door one is consent — including the once-off ask below. Door two is the existing-customer exception, which has its own three legs. “Including” means the list is not closed — WhatsApp messages and push notifications are electronic communication too, and the Regulator reads live phone calls into the same regime.

The April 2025 modernisation — and the loophole it closed

The amended Regulations (in force 17 April 2025) modernised the mechanics: written consent may be obtained on a form substantially similar to Form 4 “or in any manner that may be expedient” — including by email, telephone, SMS or WhatsApp, fax or automated calling machine — but telephonic and automated-call consent requests must be electronically recorded(regs 6.2–6.3). And regulation 6.4 closes the old loophole in one blunt sentence:

Source — the actual words

“For the purposes of direct marketing through unsolicited electronic communications, opt-out shall not constitute consent as referred to in section 69 (2) of the Act.”

Amendment of the POPIA Regulations (GN 6126, GG 52523, 17 April 2025), reg 6.4Read it on Dept of JusticePDF

The “we emailed them and they didn’t unsubscribe” model is dead in law as well as in spirit. The full set of 2025 changes is consolidated on the 2025 amendments page.

The first fine: FT Rams Consulting

The Regulator’s first direct-marketing enforcement notice (February 2024) targeted FT Rams Consulting for persistent marketing emails sent without consent and despite opt-outs; when the company ignored the notice, a R100 000 administrative fine followed. Every element of the conduct — no consent, no customer relationship, opt-outs ignored — maps onto the rules above. The matter, and every other enforcement action, is logged on the enforcement tracker.

Frequently asked questions

Can my first email to a prospect be a marketing pitch?

No. The Guidance Note is explicit: "the first communication which the responsible party sends to the data subject must be a communication requesting consent". The pitch may only follow a yes.

Is silence or a non-reply consent?

No. "Therefore, silence cannot mean consent" — the Guidance Note’s words. And regulation 6.4: opt-out shall not constitute consent. Only an affirmative response opens the door.

How many times may I ask a prospect for consent?

Once. Section 69(2) permits the approach "only once", and only if the person has not previously withheld consent. A no — or no answer — ends it.

Is double opt-in required?

Not by statute — POPIA requires voluntary, specific, informed consent in the prescribed manner. Double opt-in is simply strong evidence of exactly that, which you carry the burden of proving (s 11(2)(a)).

Do these rules apply to B2B email campaigns?

Yes. Companies are data subjects under POPIA, so section 69 is the safe operating assumption for B2B electronic marketing in South Africa.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Direct marketing

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub