New laws coming after spam calls in South Africa

South Africa faces a spam call epidemic, and new regulations are taking it on directly through changes to the Protection of Personal Information Act (POPIA).
The changes in question give consumers more authority when asking companies to get rid of their data, and place more responsibility on companies to ensure they have the necessary consent to have it at all.
Legal experts at Cliffe Dekker Hofmeyr said that South Africans could be forgiven for feeling that every second call they receive is a spam call.
With technology now allowing for broader outreach and data breaches increasing, the volume of unsolicited sales calls continues to increase.
Consumers were supposed to be given some protection from incessant calls through the Protection of Personal Information Act (POPIA), which has been in effect since 2020.
The Act was intended to offer consumers protections against having their data sourced and traded by companies, along with a way for them to opt out of having this data stored.
Although the law has been in force for some time, enforcement of the rules has been minimal.
In response, regulators recently introduced changes to the Act, many of which target telemarketing practices explicitly.
The amendments, which took effect in April 2025, follow the introduction of the Information Regulator’s e-Portal to report security compromises online.
The portal is now deemed a mandatory reporting tool for private and public organisations.
The amended regulations also introduce definitions for “complaint” and “complainant”, aligning the term “complainant” with the language used in section 74(1) of POPIA.
Sadia Rizvi and Simone Dickson from Cliffe Dekker Hofmeyr flagged key changes to the spam call legislation, which would impact companies and consumers in the country.
Notably, the amendments set out more rigorous requirements for marketing companies regarding consent and record-keeping of such consent.
The changes also render opt-out clauses inadequate when it comes to telemarketers.
“Mechanisms must be implemented to ensure that telephone conversations are easily recorded and accessible, particularly when a data subject requests the destruction and deletion of their personal information or objects to it being processed,” the experts said.
“Since opting out is no longer considered valid consent, organisations must revise their internal procedures for obtaining consent from consumers for direct marketing through electronic communications.”
The nitty-gritty
A deeper dive into the regulations highlights what companies in South Africa need to keep in mind when it comes to POPIA.
In the past, data subjects could only object to the processing of their personal information by submitting an objection using a form.
Now, a data subject can object at any time during the office hours of the responsible party. Responsible parties must ensure that objections are made free of charge, expediently and conveniently.
Moreover, the new regulations state that a data subject can now request the correction and deletion of their personal information if it is inaccurate, irrelevant, excessive, incomplete or obtained unlawfully.
They can also request the deletion or destruction of a record of their personal information if the responsible party is no longer authorised to retain the data.
There has also been a major change for information officers, who previously needed to monitor and implement the PAIA manual and make a copy available upon request for a fee.
Information officers are now responsible for ensuring that the implementation of the compliance framework is continually improved.
The changes also revise the meaning of a complainant and set out the details of the people who can lodge a complaint with the Information Regulator.
This also includes anyone acting on behalf of a data subject, a responsible party aggrieved by an adjudicator’s determination, and any person with sufficient personal interest in the matter.
Provision has also been made for the details that need to be included by a complainant, as well as the regulator’s responsibilities and the data subject’s right to protect their identity.
Finally, the regulations previously had no provision for administrative fines incurred by a responsible party. Responsible parties can now arrange with the regulator to settle the fines in instalments.