If you want the practical version first, here it is: for unsolicited marketing emails, treat consent as the default rule unless you clearly fall within the existing-customer exception.
That is the safer operating posture for most SMEs. POPIA does not give businesses a wide-open right to email prospects simply because they found an address or someone filled in a casual form once. The South African Information Regulator's direct marketing guidance, published on 3 December 2024, and the POPIA Regulations make the boundaries clearer than many businesses realise. A stronger digital marketing system, a realistic view of what digital marketing includes operationally, better staff training through relevant digital marketing courses and certifications, and tighter tracking through analytics all support compliance, but they do not replace it.
The basic POPIA rule for marketing emails
For electronic direct marketing, section 69 is the core rule.
The Information Regulator's Guidance Note on Direct Marketing explains that direct marketing by electronic communication, including email, is prohibited unless:
- the data subject has given consent, or
- the person is your customer and you satisfy the narrower customer conditions
The Information Regulator's guidance note on direct marketing also matters because it explains that written consent must be requested using prescribed Form 4 under the POPIA framework.
What this means for prospects
If the person is not already your customer, the compliance position is much tighter than many SMEs assume.
Under the guidance note:
- you may approach the person only once to request consent
- that request must follow the prescribed manner and form
- if consent is withheld, you should treat that as a stop signal
This is why bought lists, scraped lists, and vague "marketing partnerships" create so much risk. The data source may look commercially useful, but that does not mean you have a lawful basis to send marketing emails.
The customer exception is narrower than people think
Some SMEs assume that if anyone ever dealt with the business, marketing is allowed forever.
That is not what the section 69 customer exception says. The Regulator's guidance note explains that the business may rely on the customer route only if:
- the contact details were obtained in the context of the sale of a product or service
- the marketing is for the responsible party's own similar products or services
- the person had a reasonable and free opportunity to object when the details were collected and on each marketing communication if they did not initially refuse
This matters because many businesses stretch the exception too far. A historic contact is not automatically a usable marketing list.
Every message still needs the basics
Even where marketing is allowed, each communication still needs to identify the sender and provide a way to stop future communications.
That is part of what section 69(4), as summarised in the guidance note, requires:
- clear identity of the sender or party on whose behalf the message is sent
- an address or contact detail the recipient can use to stop further messages
In practice, that means hidden sender identity and broken unsubscribe processes are not minor admin issues. They are compliance failures.
What SMEs should do operationally
Most SMEs should tighten five things first:
- separate prospects from existing customers
- document how each email address was obtained
- store consent evidence and withdrawal records
- maintain a suppression list for objections and refused consent
- review every signup form and campaign workflow
The Regulator's guidance note also says responsible parties should maintain a database of people who withheld consent or objected. Operationally, that means your marketing stack should not treat unsubscribes and refusals as optional clean-up.
Where teams usually go wrong
The most common problems are:
- treating all contacts as one big marketing list
- assuming event scans or downloads equal valid email marketing consent
- not separating consent from general contact capture
- using third-party agencies without checking the consent trail
- making opt-out harder than it needs to be
If this feels familiar, the issue is not only legal. It is workflow design.
What this article is and is not
This is practical operational guidance, not a substitute for legal advice on a specific fact pattern.
That matters because some cases are straightforward and others are not. But for most SMEs, the path to lower risk is still clear: tighten consent handling, use the customer exception carefully, and make opt-out easy.
How I would compare the options
For The SME Guide to POPIA-Compliant Email Marketing in 2026, I would keep the comparison practical. The strongest option is usually the one that improves the content decision, gives the team clearer evidence, and reduces the risk of publishing more pages without making any of them easier to trust or act on.
| What I would compare | What I would look for | Why it matters |
|---|---|---|
| Buyer intent | Does the page answer the question a serious prospect is actually asking about the sme guide to popia-compliant email marketing in 2026? | Matching intent makes the content useful before it tries to sell anything. |
| Proof | Are there examples, source references, service links, or visible experience behind the recommendation? | Specific proof helps the reader trust the advice and compare it with other options. |
| Next step | Does the article connect naturally to content marketing or another relevant service path? | The post should help a qualified reader move from research to a sensible action. |
The practical standard I would use
The standard for The SME Guide to POPIA-Compliant Email Marketing in 2026 is not whether the topic has been covered. The standard is whether the page helps someone make a better content decision. If the article only repeats definitions, it may attract a visit but still leave the reader with the same uncertainty they had before.
For The SME Guide to POPIA-Compliant Email Marketing in 2026, I would want the page to explain what matters, what can wait, and what evidence should guide the next move. That includes the commercial context, the reader's likely hesitation, and the internal path from this article to content marketing or another relevant support page.
When those pieces are clear for The SME Guide to POPIA-Compliant Email Marketing in 2026, the content does more than fill a calendar. It gives the reader enough growth context to arrive at the enquiry with fewer basic doubts.
FAQ
Can I email a prospect if they gave me a business card?
Not automatically. For unsolicited direct marketing by email, POPIA section 69 still matters. A business card does not by itself erase the consent and customer-exception rules.
Can I keep emailing existing customers about anything I sell?
Not safely in a blanket way. The exception is narrower and refers to your own similar products or services, plus the contact details must have been obtained in the context of a sale.
Can I ask for consent more than once if someone ignores the first request?
The Information Regulator's guidance note says a responsible party may approach the data subject only once to request consent where consent is required.
If this feels familiar
If this feels familiar, your business may not need more email volume first. It may need better list discipline, cleaner consent handling, and a safer campaign workflow.
Book a strategy call if you want the workflow tightened properly
If you want help aligning your digital marketing operations with better list hygiene, cleaner consent capture, and stronger reporting, book a strategy call or get in touch. We can help you tighten the workflow, while you confirm any edge-case legal questions with appropriate counsel.

