Data protection laws are being introduced all around the world. Their goal is to protect users’ privacy and their data, limiting the ways it can be used. Online marketing relies heavily on clients’ information. This is why tools like PushPushGo must go the extra mile to comply with laws and regulations in different countries. 

PushPushGo collects data regarding:

• Timestamp of questions sent to the server
• IP addresses of subscribers - since this is the address of an internet service provider, it is not considered personal data
• GPS coordinates of the IP address
• Browser, operating system and device used by subscribers
• Referral - in the case of simple integration, this is the domain of pushpushgo.com, while in the case of integration with your own domain it is the domain of the integrated site.

It seems to be strictly technical, but some of that information may be considered private data. So how do you handle privacy using direct marketing tools?

We sat down with Ewa Molenda-Kropielnicka, attorney at law, specializing in legal issues of digital marketing communication. She works primarily with marketing agencies and new technology and e-commerce companies. We talked about data protection law in South Africa. Here’s what we’ve learned. 

What is POPIA and when was it introduced?

Protection of Personal Information Act, known as POPIA or POPI Act, is the primary act of law in South Africa which deals with personal data protection. It was introduced on 1st July 2020, but with a one-year grace period. It means that the regulations came into effect on 30th July 2021. 

What is considered private data according to POPIA?

Section 1 of POPIA defines “personal information” as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. The list of such data includes, but is not limited to name, race, age, health and education, email address, phone numbers, and an online identifier.

When implementing web push notifications on the site should any information be added to the Privacy Policy or any other section of the site?

After the implementation of push notifications, we recommend updating your privacy policy. You should include information that your website uses push notifications (along with a short definition of push and its purpose) provided by PushPushGo sp. z o.o. located in Krakow, Poland. It is also useful to add that receiving push notifications is voluntary and the website needs the user’s consent to send them. Furthermore, the user can opt-out from push notifications (via their browser’s settings). 

Is there anything else that needs to be done from the legal side before implementing web push notifications?

Push notification is a form of direct marketing. In such cases, POPIA demands that an administrator (responsible party) is granted permission by data subjects to use this form of communication (opt-in). In the PushPushGo tool you can do it by sending them an invitation via browser, asking to enable push notifications.

If you process personal data you may need to sign an agreement on entrusting data processing with a push notification provider. Always consult this matter with your legal advisor before you entrust private data for processing. 

If you send personal data outside South Africa (i.e. to a provider that processes it in another country), bear in mind that international data transfer under POPIA law must meet requirements listed under section 72 of the act. Always check the exact rules with your legal advisors prior to transfer.

POPI Act imposes additional obligations on responsible parties and operators, i.e. information obligation towards people, whose data is being processed, appointment of information officer, and enabling the ‘‘data subject’’ (the person to whom the personal information relates) to access their data and remove it.

What information should be included in the subscription pop-up in order to meet the POPIA requirements?

Under POPIA processing personal data for direct marketing via electronic means of communication (like SMS, email or push notification) is forbidden unless the data subject gives their consent. The consent must be requested in the prescribed manner and form. Section 69 states that every direct marketing communication must include:

• details of the identity of the sender or the person on whose behalf the communication has been sent
• an address or other contact details to which the recipient may send a request that such communications cease.

You can send push notifications via PushPushGo only after you receive the user’s clear consent. The tool allows you to add all additional data required by POPIA to your request for allowing notifications. Such message can include information about data processing and responsible parties etc. 

Does the opt-out process from web push notifications comply with POPIA regulation?

Under POPIA a client must be able to withdraw their consent at any time. In the case of the PushPushGo tool, users can easily unsubscribe from push notifications via their browser settings. You may include this information, along with detailed instructions, in your privacy policy. 

Can you say that web push notifications are POPIA-compliant?

Push notifications are one of the most commonly used tools for direct marketing. They are engaging and allow for better communication between the brand and its clients. To receive such messages users must give their clear and informed consent, which they can withdraw at any time. That makes push compliant with basic POPIA regulations. 

Laws can be tricky, and if you add a layer of international regulations one short article isn’t enough to prepare you for every possible scenario. That’s why you should always consult your local legal advisors and follow their suggestions.