South Africa is grappling with a growing surge in spam calls, and authorities are now responding through specific changes to the Protection of Personal Information Act (POPIA), aimed at strengthening data privacy enforcement and curbing unsolicited communications. The new amendments are seen as a crucial step to address years of mounting frustration among consumers who feel harassed, ignored, and exploited by unchecked telemarketers.
Key Takeaways
- Stricter Consent Requirements: The amended POPIA regulations now prohibit opt-out clauses as valid consent for telemarketing. Companies must obtain explicit, recorded permission from consumers before initiating direct marketing calls.
- Broader Consumer Rights: South Africans can now object to the processing of their personal data at any time during business hours, and request correction or deletion if the information is inaccurate, outdated, or unlawfully obtained.
- Enforcement and Accountability Strengthened: Information officers face expanded responsibilities, and businesses can no longer avoid penalties by pleading ignorance or technical gaps. The Information Regulator now has clearer mechanisms for complaints, identity protection, and fine collection.
About Arcadia Finance
Get the funds you need with ease through Arcadia Finance. Compare offers from 19 trusted lenders with no application fees and full NCR compliance.
Consumer Rights Strengthened Through Legal Revisions
Recent amendments to POPIA are focused on reinforcing the authority of individuals to request the removal of their personal data from company databases. At the same time, the revised legislation places stricter legal obligations on organisations to confirm that they have obtained proper and verifiable consent before retaining or processing any personal information. This shift is intended to restore a measure of control to ordinary South Africans who have for too long had little say over how their private details are used or shared.
Legal professionals from Cliffe Dekker Hofmeyr have noted that many South Africans would not be mistaken in feeling that nearly every second phone call they receive is an unsolicited sales call. This ongoing problem is being fuelled by advancements in outreach technology and an increasing number of data leaks, both of which make it easier for telemarketers to reach consumers without prior approval.
Many of these calls originate from companies the recipients have never interacted with, raising questions about how their contact information was acquired in the first place.
Original Legislation Aimed at Reducing Data Exploitation
When POPIA was first enacted in 2020, it was intended to act as a safeguard for consumers against the misuse and distribution of their personal information by businesses. The law provided a framework that allowed individuals to reject the collection or continued storage of their data, especially when used for direct marketing purposes. However, implementation gaps and low levels of consumer awareness left the legislation more theoretical than practical in curbing intrusive marketing practices.
Although the law has technically been in place for several years, its enforcement has been relatively weak. This has led regulators to introduce new amendments aimed squarely at telemarketing practices, seeking to close the gaps that previously allowed unsolicited calls to continue unchecked. The lax application of existing laws emboldened marketing firms, many of which operated with impunity despite clear breaches of consent-related provisions.
April 2025 Marked a Turning Point for Data Protection
The most recent batch of regulatory amendments officially took effect in April 2025. This follows the rollout of the Information Regulator’s e-Portal, a platform created to report security breaches involving personal information. The portal is now designated as a compulsory reporting tool for both private enterprises and public institutions.
The mandatory use of the portal is a decisive move to ensure accountability, creating a clear paper trail for potential future enforcement and fines.
The updated regulations also bring clarity to terminology within POPIA by defining the terms “complaint” and “complainant”, and aligning the latter with the legal language used in section 74(1) of the Act. These adjustments are meant to standardise interpretation and improve consistency in handling data privacy disputes. For years, vagueness in the language of the law left room for companies to exploit technicalities, a loophole the new wording seeks to firmly shut.
Stricter Standards for Telemarketing Consent Introduced
Legal experts Sadia Rizvi and Simone Dickson have outlined critical changes introduced by the amended legislation that will affect both commercial entities and individuals. Of particular significance are the more demanding requirements for marketing firms to obtain and document consent from individuals prior to initiating contact.
In practical terms, this could force some businesses to rethink their entire lead generation model, especially those relying on third-party data brokers.
Opt-Out No Longer Recognised as Sufficient Consent
One of the more impactful changes is the disqualification of opt-out clauses as a valid method of obtaining consumer consent. The amended law requires companies to implement systems that allow telephone conversations to be recorded and stored reliably. This ensures that, should an individual request deletion of their data or object to its processing, there is an accessible record of how consent was initially granted. It also means that businesses can no longer hide behind vague disclaimers or pre-checked boxes buried in terms and conditions.
Because of the removal of opt-out mechanisms as a valid form of consent, organisations are now expected to update their internal procedures related to customer permission for direct electronic marketing. This includes stricter methods for gathering, storing, and verifying each instance of consent. Firms that fail to do so could face regulatory scrutiny, legal challenges, and potentially hefty administrative fines.
Expanded Consumer Rights Under POPIA Explained
Under the revised regulations, individuals now have more flexible avenues for objecting to the processing of their personal information. Previously, objections required the submission of a formal form. Now, a data subject may object at any time during a responsible party’s business hours, and organisations are obliged to ensure that such objections are handled promptly, without any associated cost, and in a user-friendly manner. This change is expected to dramatically improve the public’s ability to challenge unsolicited communication in real time.
Requests for Data Correction and Deletion Now Enforceable
The new regulations also provide individuals with the right to request the correction or deletion of their data in cases where it is inaccurate, incomplete, irrelevant, excessive, or was gathered unlawfully. In circumstances where a business no longer has valid grounds to retain personal information, the data subject may also request its complete removal. These provisions are especially significant in an era of frequent data breaches, where information is often circulated without consent or oversight.
Responsibilities of Information Officers Have Expanded
There has been a notable shift in the duties of information officers. Previously, their main responsibility involved ensuring that the PAIA manual was available and shared upon request, often for a fee. Now, information officers are tasked with actively overseeing and refining their organisation’s compliance framework in a continuous and proactive manner. They are expected to serve not just as administrative contacts, but as strategic enforcers of lawful data governance practices.
The recent amendments also redefine who may be considered a “complainant” for the purpose of lodging a complaint with the Information Regulator. This includes not only the data subject directly affected, but also any individual acting on their behalf, any responsible party who feels aggrieved by a regulatory decision, or any person with a demonstrable personal interest in the matter. This expanded definition ensures that whistleblowers, family members, and even legal representatives can all initiate a complaint in the name of accountability.
Formalisation of Complaint Details and Regulatory Duties
The revisions also outline the specific information required in a complaint and clarify the obligations of the Information Regulator. Importantly, they affirm the right of the data subject to request that their identity be kept confidential when submitting a complaint. This is seen as a necessary step to protect those who fear retaliation or further harassment for reporting misuse of their personal information.
A final significant addition involves administrative penalties. The prior version of POPIA did not offer any structure for how fines imposed on organisations could be settled. Under the updated regulations, companies are now allowed to enter into agreements with the Information Regulator to pay any fines imposed in structured instalments. This offers some relief for smaller firms, but also removes the excuse of non-compliance due to financial incapacity.
Conclusion
The latest amendments to South Africa’s Protection of Personal Information Act signal a more serious and structured approach to curbing spam calls and protecting consumer data. By closing loopholes around consent, empowering consumers with greater rights, and reinforcing the responsibilities of businesses and regulators alike, the changes mark a significant shift toward restoring control over personal information. For both consumers and companies, the message is clear: data privacy is no longer optional; it is enforceable.
Fast, uncomplicated, and trustworthy loan comparisons
At Arcadia Finance, you can compare loan offers from multiple lenders with no obligation and free of charge. Get a clear overview of your options and choose the best deal for you.
Fill out our form today to easily compare interest rates from 19 banks and find the right loan for you.
