Picture: Supplied

Every time I get a sales call, I ask the contact centre agent where they got my contact details. When their response shows that I didn’t consent to sharing my details, I tell them the business they represent is breaking the law. That tends to end the call pretty quickly. Nonetheless, I usually get the sense that the agent works for a brand or a direct marketing call centre that knows, but doesn’t particularly care, about the Protection of Personal Information Act (Popia).

On the flipside to this cavalier approach, there are many SA business leaders who worry about unwittingly violating the privacy regulations and becoming known as “the company the regulator makes an example of”. With news headlines about fines and prison terms, their wariness is understandable. Yet we are speaking to many large companies that have become so cautious in their approach to using customer data that it is impairing their customer experience.

For example, when we speak to brands about using their first-party data for targeted advertising across Google and social media platforms, they immediately pour cold water on the idea. Many insist that agencies are putting their clients at risk of noncompliance with Popia by using first-party data sets on Google or Facebook. Not only is this untrue, but it also severely limits opportunities for a more personalised and effective approach to marketing. Companies that remain concerned about the implications of the act could seek legal advice if they need reassurance on this point.

Empowering citizens to hold organisations accountable

It’s worth returning to the act and its contents and intention. The goal of Popia is to empower citizens to hold organisations accountable for how they store, manage and safeguard personal information. In practice, this does not mean never using customer data for personalised marketing or sharing it with another party.

In our interpretation — and this isn’t legal advice, since I’m not a lawyer — it means instead ensuring that the customer has given their informed consent to use their data and that their data is stored securely. 

Yes, this does create significant new challenges for marketers who have taken a relaxed approach to managing personal data in the past. However, it doesn’t mean that brands cannot use consumers’ data, as long as they get permission and follow good practices in securing the data. Let’s return to the example of leveraging first-party data on Facebook or Google.

The data should meet the principle of informed consent, which basically means a brand has a clean database and has each customer’s permission to contact them. The security features on the major platforms, meanwhile, pass the security test. Once a list is uploaded to a platform, the data is hashed for usage. It will be used by machine learning algorithms and cannot be extracted or viewed by any human.

The risks in the chain arise when data is transferred from the company’s customer relationship management system onto the platform. This step may involve multiple people processing the data on behalf of the client. Each company should therefore ask agencies that handle its customer data about the processes and systems they follow in moving data into the platforms’ audience segmentation tools.

Reducing human touchpoints

Automation is one of the keys to secure and compliant integration of first-party data on third-party platforms. Less human intervention in handling data reduces the chances of a data breach. We recommend that the movement of data via secure feeds and application programming interfaces be automated and protected. This does require technical capabilities not typically found in most media agencies, which is one reason we decided to join a larger systems integration group.

It is worth bearing in mind that agencies, too, are subject to Popia and many of them have already prepared for Europe’s General Data Protection Regulation (GDPR). They know data and they understand the implications of violating privacy laws and regulations. Under the law, they are data controllers. Without the right capabilities in the data and security space, they could put their clients at risk and face severe penalties and reputational damage themselves.

Another major consideration lies in how companies collected their data and whether each consumer gave their consent to the organisation storing their data and using it for marketing purposes. Companies that don’t have clean and reliable databases need to look at how they can address this shortcoming. If they can get this right and work with trustworthy agencies, there is no reason to shy away from creating custom audiences with marketing platforms such as Facebook or Google.

Translating best practices into law

It is a gift for any company to be entrusted with customer data. Privacy laws have become necessary because far too many organisations abused this trust and disrespected their customers’ privacy. Indeed, even after Popia came into effect in July 2021, many companies are still taking chances.

But for forward-thinking companies, Popia simply translates best practice into law. What it means is that organisations are now legally required to do what they should always have done: collect and use data with permission and make sure that data is secure. If they get these basics right, they can and should continue to use data to communicate with customers in a more tailored and dynamic way.

Grant Lapping is the digital executive at +OneX

The big take-out: For forward-thinking companies, Popia simply translates best practice into law.
