Personal information and regulatory requirements for direct marketing: A South African insurance industry experiment

Abstract

The processing of personal information by companies should be in line with ethical and regulatory requirements. Whilst respecting the right to privacy, personal information can be used to create value in the economy as well as on an individual level by tailoring and targeting services. However, personal information should not be processed under false pretences for the purposes of direct marketing. Data protection regulations, such as the Protection of Personal Information Act (PoPI) 2013, regulate the processing of personal information. Accordingly, companies domiciled in South Africa have to comply with the conditions of PoPI and must process personal information in line with the agreed purpose. PoPI will have an impact on direct marketing and certain conditions will apply to protect individuals’ personal information, as well as how and by whom it is used. This research sets out to investigate whether companies in the insurance industry are complying with the direct marketing conditions of PoPI pertaining to opt in and opt out preferences as well as a few other aspects. An experiment was conducted in South Africa whereby two new cellphone numbers and six new e-mail addresses were deposited in the economy by requesting online insurance quotes from twenty different insurance companies. For half of the online insurance quotes the researchers elected to opt in for direct marketing and for the other half to opt out. Any communication received on the cellphone numbers or e-mail addresses was recorded and analysed to establish if the preferences expressed were being complied with. The results indicate that data was shared and possibly leaked; this finding was based on the number of contacts received from companies that were not part of the sample. It was found that opt out preferences for direct marketing were not honoured by some companies. Other aspects, such as the availability of the option to opt in or opt out for direct marketing when depositing personal information on websites, secure processing of personal information and the use of privacy disclaimers, were also found to be lacking in some instances. This indicates that the insurance industry in South Africa might not yet be fully compliant with the requirements for direct marking, as required by PoPI and the Consumer Protection Act (CPA). The results of the research can be used to improve direct marketing interactions with consumers, helping to ensure not only compliance with PoPI, but also the maintenance of a trusting relationship by respecting privacy.