New laws for spam calls and messages in South Africa

The Information Regulator published amended regulations under the Protection of Personal Information Act (POPIA), strengthening South Africans’ rights to object to the processing of their personal information.
This gives South Africans stronger protections against unwanted spam calls and marketing messages by placing stricter obligations on organisations that process personal information.
The Information Regulator issued these revised regulations on 17 April 2025, and they came into effect immediately upon publication.
“These amendments aim to enhance data subject rights whilst ensuring that organisations adhere to stricter compliance requirements and remain accountable,” said legal experts from Bowmans.
The regulations grant South Africans (“data subjects”) more ways to object to the processing of their personal information or to request that it be corrected or deleted, without any cost to them.
Bowmans explained that the new rules focus heavily on direct marketing. If a company wants to market to someone who is not already a customer, it must first get the person’s permission.
“This must be done in a way that is expedient, free of charge and reasonably accessible, and can include methods such as email, telephone, SMS, WhatsApp, or even automated calling machines,” the experts said.
They further noted that an organisation must keep an electronic recording of the consent, and make the recording, or a transcription thereof, available to the data subject upon request.
The amended regulations also change the information that must be included on the consent forms issued to data subjects.
“Organisations must specify the goods or services to be marketed and obtain the data subject’s consent,” Bowmans said.
“This includes consent to receive marketing communications regarding such goods or services, and the specific method of preferred communication.”
Additionally, when collecting personal information, organisations are required to inform data subjects of their right to object.
In respect of requests for the correction or deletion of personal information, a company must advise the data subject of the action taken in response to the request within 30 days of receipt of the request.
Opt-out messages will no longer slide

A major clarification in the new rules is that an opt-out shall not constitute consent. Companies cannot assume someone has agreed to be contacted just because they haven’t said no.
The law firm said that this means simply providing someone with the means to opt out of receiving marketing communications is not good enough.
“In the absence of the data subject exercising the right to opt out, it does not imply that the data subject has consented. Consent in this context requires a positive action,” it said.
Direct marketing is allowed for existing customers if an organisation acquires the customer’s contact details in the context of a sale and promotes similar products or services.
However, the law firm stressed that there must still be a process for opting out, whether the data subject is an existing customer or not.
The regulations also make it easier for people to submit complaints. Anyone with a personal interest in the issue—or even someone acting in the public interest—can submit a written complaint using a prescribed form.
The complaint can be sent by email, fax, post, courier, or hand delivery. The Information Regulator will now offer assistance with writing the complaint or translating it if it’s made in a language other than English.
People who file complaints can also request to keep their identity confidential, and the Regulator will consider the reason for the request before deciding.
If a company is fined for breaking the rules but cannot pay the fine immediately, it can now request to pay in instalments.
The Regulator will consider “the financial circumstances of the organisation and any other relevant reasons that may directly or indirectly impact the organisation’s affordability.”
“These amendments represent a bold move toward greater accountability and stronger protection for the rights of data subjects,” said Bowmans.
“It’s time for organisations to dust off their data protection compliance frameworks and ensure that their processes align with the new laws because when it comes to privacy, the rules just received a serious upgrade.”