If you want the practical version first, here it is: for unsolicited marketing emails, treat consent as the default rule unless you clearly fall within the existing-customer exception.
That is the safer operating posture for most SMEs. POPIA does not give businesses a wide-open right to email prospects simply because they found an address or someone filled in a casual form once. The South African Information Regulator's direct marketing guidance, published on 3 December 2024, and the POPIA Regulations make the boundaries clearer than many businesses realise. A stronger digital marketing system, a realistic view of what digital marketing includes operationally, better staff training through relevant digital marketing courses and certifications, and tighter tracking through analytics all support compliance, but they do not replace it.
The basic POPIA rule for marketing emails
For electronic direct marketing, section 69 is the core rule.
The Information Regulator's Guidance Note on Direct Marketing explains that direct marketing by electronic communication, including email, is prohibited unless:
- the data subject has given consent, or
- the person is your customer and you satisfy the narrower customer conditions
The guidance note also matters because it explains that written consent must be requested using the prescribed Form 4 under the POPIA framework.
What this means for prospects
If the person is not already your customer, the compliance position is much tighter than many SMEs assume.
Under the guidance note:
- you may approach the person only once to request consent
- that request must follow the prescribed manner and form
- if consent is withheld, you should treat that as a stop signal
This is why bought lists, scraped lists, and vague "marketing partnerships" create so much risk. The data source may look commercially useful, but that does not mean you have a lawful basis to send marketing emails.
The customer exception is narrower than people think
Some SMEs assume that if anyone ever dealt with the business, marketing is allowed forever.
That is not what the section 69 customer exception says. The Regulator's guidance note explains that the business may rely on the customer route only if:
- the contact details were obtained in the context of the sale of a product or service
- the marketing is for the responsible party's own similar products or services
- the person had a reasonable and free opportunity to object when the details were collected and, if they did not initially refuse, on each marketing communication
This matters because many businesses stretch the exception too far. A historic contact is not automatically a usable marketing list.
Every message still needs the basics
Even where marketing is allowed, each communication still needs to identify the sender and provide a way to stop future communications.
That is part of what section 69(4), as summarised in the guidance note, requires:
- clear identity of the sender or party on whose behalf the message is sent
- an address or contact detail the recipient can use to stop further messages
In practice, that means hidden sender identity and broken unsubscribe processes are not minor admin issues. They are compliance failures.
What SMEs should do operationally
Most SMEs should tighten five things first:
- separate prospects from existing customers
- document how each email address was obtained
- store consent evidence and withdrawal records
- maintain a suppression list for objections and refused consent
- review every signup form and campaign workflow
The Regulator's guidance note also says responsible parties should maintain a database of people who withheld consent or objected. Operationally, that means your marketing stack should not treat unsubscribes and refusals as optional clean-up.
Where teams usually go wrong
The most common problems are:
- treating all contacts as one big marketing list
- assuming event scans or downloads equal valid email marketing consent
- not separating consent from general contact capture
- using third-party agencies without checking the consent trail
- making opt-out harder than it needs to be
If this feels familiar, the issue is not only legal. It is workflow design.
What this article is and is not
This is practical operational guidance, not a substitute for legal advice on a specific fact pattern.
That matters because some cases are straightforward and others are not. But for most SMEs, the path to lower risk is still clear: tighten consent handling, use the customer exception carefully, and make opt-out easy.
FAQ
Can I email a prospect if they gave me a business card?
Not automatically. For unsolicited direct marketing by email, POPIA section 69 still matters. A business card does not by itself erase the consent and customer-exception rules.
Can I keep emailing existing customers about anything I sell?
Not safely in a blanket way. The exception is narrower and refers to your own similar products or services, plus the contact details must have been obtained in the context of a sale.
Can I ask for consent more than once if someone ignores the first request?
The Information Regulator's guidance note says a responsible party may approach the data subject only once to request consent where consent is required.
If this feels familiar
If this feels familiar, your business may not need more email volume first. It may need better list discipline, cleaner consent handling, and a safer campaign workflow.


