Protecting Your Privacy | Legal Matters

How The POPI Act Empowers Consumers Against Spam Calls

By Jessie Taylor

Despite growing awareness and technical countermeasures, South Africa has witnessed an unrelenting rise in spam calls, including telemarketing, phishing, and robocall scams. However, recent amendments to the Protection of Personal Information (POPI) Act have given individuals meaningful legal protection against these intrusions.

As the digital economy grows, so too does the volume of personal data circulating in commercial and quasi-commercial ecosystems. Recognising this growing threat to personal privacy, South Africa has moved to reinforce the rights of its citizens through legislation that demands accountability and transparency from those who handle or distribute personal information.

A new definition of electronic communication Historically, direct marketing calls skirted legal liability because telephone calls were not formally defined as “electronic communications”. This loophole has now been closed. In April, the Information Regulator issued a Guidance Note clarifying that voice calls, including automated and robocalls, are indeed “electronic communication” for the purposes of Section 69 of the POPIA. This means unsolicited calls now require explicit consent by law.

Under the revised act, anyone receiving a direct marketing phone call from a non-customer must have previously provided explicit, informed opt-in consent. If no consent exists, marketers may make only one request for consent - and only if the consumer has not already refused. For existing customers, calls are permitted only for marketing similar products or services. Importantly, every call must clearly identify the sender and provide an easy means to opt out. Organisations are required to honour opt-out requests promptly and free of charge.

Crucially, consent records must be kept and proof provided on demand. Companies must notify individuals if they intend to use their data for marketing and allow correction, deletion, or objection within 30 days.

Consumers Now Have Clear Rights Under POPIA:

• Opt in, not opt out: Marketers must obtain explicit consent before contacting non-customers.

• Transparency and identification: Every call must clearly state who is calling, with immediate opt-out instructions.

• Opt-out enforcement: Consumers can refuse or revoke consent at any time—that refusal must be honoured instantly at no cost.

• Full access to consent records: Individuals can request proof of how and when consent was provided, and companies must comply.

• Complaints process: Any person, even acting on behalf of someone else, may lodge a complaint with the Information Regulator.

New Opt-out Registry in The Pipeline

Complementing the statutory consent framework, the government is working to launch a national Opt-Out Registry in the 2025/26 financial year. Once active, consumers can register their phone numbers to prevent any unsolicited marketing calls from both marketing firms and data brokers. Businesses will be legally obliged to “cleanse” their marketing databases for registry numbers before launching campaigns.

This registry will replace or deepen the existing voluntary DoNot-Contact list run by the Direct Marketing Association of South Africa (DMASA), which only covers its own member companies.

Under the strengthened POPIA regime, failures to comply with consent rules can result in hefty penalties, such as administrative fines up to R10 million, or imprisonment for serious offences. The Information Regulator now has broadened enforcement capabilities, including accepting complaints from any member of the public (not just data subjects themselves).

Spam callers risk prosecution if they continue contacting consumers after an opt-out request. Consent must be reinstated explicitly, and failure to comply is criminal.

Despite these robust laws, spam calls remain widespread. As recently as July, TechCentral reported pervasive telemarketing intrusions across South Africa, with operators claiming they cannot block calls at the network level without breaching interception laws under RICA. This leaves consumers largely responsible for filtering calls through apps like Truecaller, Samsung Smart Call or Apple’s upcoming call-screening features.

When spam continues, consumers are encouraged to file reports with the telecom provider, the Independent Communications Authority (ICASA), or the National Consumer Commission. The complaint process now extends beyond marketing-specific laws to data protection enforcement.

The strengthened provisions under Section 69 of the Protection of Personal Information Act offer South Africans robust legal recourse against unsolicited calls and messages. Consumers now have the power to withhold consent, request deletion of their data, and lodge formal complaints—all backed by statutory penalties for noncompliance.

Yet, the lingering spam epidemic illustrates that legislation alone is insufficient. Effective enforcement, increased resources for the Information Regulator, public education, and coordination with telecom operators are essential to make meaningful progress.

Sources: BusinessTech | Moonstone Information | TechCentral | CapeTownEtc | MediaUpdate | Cape Argus