Sharing personal information

Selling or renting customer lists: where POPIA actually bites

Disclosing your database to an unrelated marketer is rarely covered by any ground — this is the sharing POPIA is actually aimed at.

Published Last reviewed 6 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
After a dozen pages of myth-busting, here is the counter-example: selling or renting your customer database to an unrelated marketer is rarely lawful under POPIA. No ordinary ground covers it, your privacy notice probably never disclosed it, the buyer cannot satisfy section 69 with bought consent, and the first enforcement fine for direct marketing — FT Rams Consulting — grew from exactly this ecosystem. This is the sharing the Act was written to stop.

On this page

The seller’s problem: no ground, no compatibility, no notice

Run the three checks and watch each fail. Ground: selling the list serves your interest in the sale price — but section 11(1)(f) requires balancing, and disclosing customers to a stranger for purposes they never imagined seldom survives it; no other ground comes close. Compatibility: you collected the information to serve customers, not to merchandise them — section 15’s test fails and nothing in s 15(3) deems it compatible. Openness: section 18(1)(h)(i) expected your notice to name recipients or categories of recipients — “whoever pays us” was not on it.

The buyer’s problem: section 69 cannot be bought

The list’s only commercial use is marketing — and for electronic marketing the buyer needs the data subject’s consent or an existing customer relationship. A bought list supplies neither: the people on it are not the buyer’s customers, and consent given (if ever) to the seller is not consent to the buyer’s marketing. The buyer gets exactly one lawful move — the once-off section 69(2) consent request — and the amended Regulations close the workaround the industry leaned on:

Source — the actual words

“For the purposes of direct marketing through unsolicited electronic communications, opt-out shall not constitute consent as referred to in section 69 (2) of the Act.”

Amendment of the POPIA Regulations (GN 6126, GG 52523, 17 April 2025), reg 6.4Read it on Dept of JusticePDF

Blasting the list and honouring unsubscribes is therefore not compliance — it is the conduct that earned FT Rams Consulting the first direct-marketing enforcement notice and a R100 000 fine (see the enforcement tracker).

What remains lawful

The going-concern sale: customer records transferring with the business they belong to, the buyer continuing the same service — purpose continuity, disclosed in a decent notice, is the distinction. Referral partnerships where the customer is asked and agrees. Joint promotions where each party markets its own base. And ordinary marketing to your own customers, which POPIA expressly accommodates. What does not survive is the database as a tradeable commodity — that is not a myth about POPIA; it is the point of it.

Frequently asked questions

Can I sell my customer database?

As a standalone trade to an unrelated marketer — almost never lawfully. No section 11 ground fits, the disclosure is incompatible with your collection purpose, and your privacy notice almost certainly never disclosed it.

What about selling the business itself, customer list included?

Different transaction. Transferring customer records as part of a going-concern sale serves the existing service relationship — the buyer steps into the seller’s shoes. Disclose the possibility in your privacy notice and keep purpose continuity.

Is buying a marketing list lawful if the broker says it’s "opted in"?

Consent under section 69 must be the data subject’s consent to receive marketing — a broker’s blanket assurance is not it, and regulation 6.4 confirms opt-out can never constitute consent. The buyer carries the section 69 burden and cannot outsource it to the seller’s paperwork.

Are lookalike audiences and hashed-email ad matching the same thing?

They raise related but distinct questions — disclosure to the platform, compatibility and notice transparency among them. They are not the simple "list sale" case; assess them on their own facts.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Sharing personal information

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub