CPA Amendment Regulations 2026 Gazette - Direct Marketing

MEDIA STATEMENT REGULATOR NOTES PUBLISHED GAZETTE OF THE CONSUMER PROTECTION ACT AMENDMENT REGULATIONS 2026 21 APRIL 2026

The Information Regulator (Regulator) has taken note of the Government Gazette published on 15 April 2026 relating to the Consumer Protection Act (CPA) Amendment Regulations, which introduce measures aimed at curbing unsolicited marketing communications, including spam calls. The Regulator welcomes the amendments, which are certainly an added protection to address the growing problem of unsolicited direct marketing (spam calls). However, it is important to emphasise that compliance with the Protection of Personal Information Act (POPIA) is still mandatory, irrespective of whether a consumer (data subject) is registered on the pre-emptive block, in the opt-out registry, or not. The direct marketer (responsible party) cannot send the consumer (data subject) who have not registered on the pre-emptive block direct marketing messages for goods and services through unwanted (unsolicited) electronic communication without first obtaining their consent to do so as provided for in section 69 (1) and (2) of POPIA or without complying with section 69 (3) of POPIA if the data subject is a customer of a responsible party.

Legal Framework (POPIA)

Direct marketing through unsolicited electronic communication is provided for in terms of section 69 of POPIA, which states the following:

1. The processing of personal information of a data subject for the purpose of direct marketing
   by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject-

2. has given his, her or its consent to the processing; or

3. is, subject to subsection (3), a customer of the responsible party.

4. (a) A responsible party may approach a data subject-
   Woodmead North Office Park, 54 Maxwell Drive, Woodmead, Johannesburg, 2191, Gauteng Province, South Africa P.O Box 31533, Braamfontein, Johannesburg, Adv. FDP Tlakula (Chairperson), Adv. LC Stroom (Full-time Member), Mr. MV Gwala (Part-time Member). Mr. M Mosala (Chief Executive Officer) Email: enquiries@inforegulator.org.za Website: www.inforegulator.org.za Toll Free: +27 80 001 7160

5. whose consent is required in terms of subsection (1)(a); and

6. who has not previously withheld such consent, only once in order to request the consent of
   that data subject. (b)The data subject's consent must be requested in the prescribed manner and form. In terms of section 69(3) of POPIA, a responsible party (direct marketer) can only keep a database of data subjects (consumers) who are their customers. "It is the considered view of the Regulator that consumers who have not registered a pre- emptive block with the Commission, are still protected by POPIA. This is because whilst the Regulations protect those who have opted out through registration on the pre-emptive block, POPIA protects those who have not registered on the pre-emptive block. The consent of the latter will still have to be obtained before they can be bombarded with direct marketing messages through unsolicited electronic communication. The reason for this is that consent is defined in POPIA as a voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. Therefore, by merely opting- out, a data subject cannot be regarded as having given consent," said Chairperson of the Regulator, Adv. Pansy Tlakula. The Regulator has been dealing with the issue of direct marketing by means of unsolicited electronic communication for some time and has received several complaints from data subjects who are tired of being bombarded with unsolicited telemarketing messages and calls. To this regard, it has had bilateral engagements with the National Consumer Commission on matters where the legislation POPIA and CPA intersect. Furthermore, it has issued a Guidance Note on Direct Marketing in terms of the POPIA to guide responsible parties on how to comply with POPIA when processing personal information of data subjects for direct marketing by means of unsolicited non-electronic communications in terms of section 11 and unsolicited electronic communications in terms of section 69 of POPIA. The Guidance Note is accessible here https://inforegulator.org.za/popia/ .

For media enquiries contact Takalani Muvhali on TMuvhali@inforegulator.org.za/ 071 606 4515. ISSUED BY THE INFORMATION REGULATOR OF SOUTH AFRICA.

Adv. FDP Tlakula (Chairperson), Adv. LC Stroom (Full-time Member), Mr. MV Gwala (Part-time Member). Mr. M Mosala (Chief Executive Officer)