Indaba
4notify South Africa · Government Gazette
OFFICIAL · Information Regulator · POPIA
Indaba No
IND-ZA-005
Date
2026-05-27
Status
In force
Category
Privacy

POPIA, the Information Regulator and consent: a consent framework for transactional and direct-marketing delivery to South African consumers

The Information Regulator enforces the Protection of Personal Information Act (POPIA). Direct marketing by electronic communication requires consent under section 69, and every processing operation needs a lawful basis. 4notify records the lawful basis and the section 69 consent at the API edge for each delivery, and propagates erasure across all four operators.

EmailSMSWebhook
Preamble

Section 1 — In terms of the Protection of Personal Information Act 4 of 2013 (POPIA) and the Information Regulator's direct-marketing rules, this Indaba is convened on consent management for electronic delivery.

Statutory basis
POPIA (Act 4 of 2013)

Lawful processing conditions; the Information Regulator as supervisory authority.

POPIA section 69 (direct marketing)

Consent for electronic direct marketing; the opt-in requirement for unsolicited messages.

POPIA section 22 (breach notification)

Notification to the Information Regulator and data subjects of a compromise of personal information.

Implementation
01

Lawful-basis record per delivery

Each delivery envelope carries a POPIA lawful basis (consent, contract, legal obligation, legitimate interest); fixed in the template record.

02

Section 69 consent check

For direct marketing the section 69 consent is verified at envelope level; deliveries without recorded consent are blocked at the API edge.

03

Erasure within the statutory window

POPIA erasure requests propagate within 24 hours through 4notify; the suppression list updates across all four operators and the email gateway.

04

Section 22 breach-notification webhook

Any envelope-level incident produces a webhook to the responsible party's Information Officer within one hour.

Delivery envelope
json
{
  "event": "delivery.consent_envelope",
  "responsible_party_id": "ZA-RP-12345",
  "lawful_basis": "consent",
  "s69_consent": {
    "consent_ref": "POPIA-2026-001234",
    "consent_date": "2025-09-14",
    "optout_link_present": true
  },
  "delivery": { "channel": "email", "template": "promo_v2" },
  "suppression_check": "passed"
}
Sample message
EmailSubject: Your marketing preference has been updated

Dear Customer, Your marketing consent has been withdrawn as of today. You will no longer receive marketing emails, but transactional notices (order confirmations, delivery alerts) will continue. For your other rights under POPIA: [email protected]

Compliance checklist
  • Information Officer registered with the Information Regulator
  • PAIA manual and POPIA records up to date
  • Section 69 consent stored for every direct-marketing delivery
  • Section 22 breach-notification webhook reachable
The 4notify difference

4notify is the only A2P provider that stores the section 69 consent and POPIA lawful basis in every envelope, propagates erasure under 24 hours across all four operators and fires a section 22 breach-notification webhook on every incident.

Frequently asked questions
Does section 69 consent apply to SMS as well?

Yes — POPIA section 69 covers all electronic direct marketing: SMS, email and instant messaging. A recorded opt-in consent is required for each.

What if the responsible party has not registered an Information Officer?

4notify blocks direct-marketing delivery at the API edge until a registered Information Officer is on record; transactional delivery (contract basis) remains available.

Convened by
4notify Operations Office
2026-05-27 · IND-ZA-005

Start for free

14 days, no card required. South African business-hours support.

Other indabas in this edition