South Africans will now enjoy stronger protections against unwanted marketing calls, spam messages, and misuse of personal data after the Information Regulator issued significant amendments to the Protection of Personal Information Act (POPIA).
The new regulations, published on 17 April 2025 and effective immediately, aim to enhance individual rights and impose stricter obligations on organisations processing personal information. According to legal experts from Bowmans, the changes represent a bold step towards greater accountability in the digital age.
“These amendments aim to enhance data subject rights whilst ensuring that organisations adhere to stricter compliance requirements and remain accountable,” Bowmans stated.
Stricter consent requirements for direct marketing
One of the biggest changes focuses on direct marketing practices. Companies can no longer assume permission through inaction. If an organisation wants to market to someone who is not already an existing customer, it must now explicitly obtain that person’s consent — and must do so through expedient, free, and accessible means like email, telephone, SMS, WhatsApp, or automated calling systems.
Furthermore, businesses must maintain an electronic record of this consent and be able to produce it upon request. The amended rules also require consent forms to clearly specify which goods or services will be marketed and the data subject’s preferred method of communication.
A major clarification issued under the new regulations is that an opt-out option alone does not constitute consent. The absence of objection is no longer seen as agreement — explicit positive action is required before marketing can proceed.
Easier to object, correct, or delete personal information
The amendments grant data subjects more avenues to object to the processing of their information or to request corrections or deletions at no cost. Organisations must respond to such requests within 30 days of receipt.
Even in cases where personal information is collected during a sale, and direct marketing to existing customers is permissible, businesses must still allow recipients to opt out easily from future communications.
Streamlined complaints process and flexible fines
The Information Regulator has also made it easier for individuals to lodge complaints. Any person — even acting in the public interest — can submit a complaint using a standardised form via email, fax, courier, or hand delivery. Assistance will be provided for drafting or translating complaints when necessary, and complainants can request that their identities remain confidential.
If a company is fined for non-compliance but faces financial hardship, it may now apply to pay penalties in instalments, with the Regulator considering the organisation’s financial situation.
A call for immediate compliance
Bowmans warned organisations to urgently update their data protection compliance frameworks, saying: “It’s time for organisations to dust off their data protection compliance frameworks and ensure that their processes align with the new laws because when it comes to privacy, the rules just received a serious upgrade.”
The updated POPIA regulations mark a watershed moment for consumer data protection in South Africa, setting a tougher, clearer framework for marketing practices, consent management, and corporate accountability.