The Mail Blaze Guide to POPI

What is POPI?

The Protection of Personal Information Act commonly referred to as the POPI Act is a lawful act with set conditions on how to process the personal information of data subjects.

While the POPI act does not stop you from processing personal information on data subjects it does require you to get consent from data subjects, which means it’s extremely important to comply with the conditions set forth in the act.

There are 8 general conditions and 3 extra conditions that you need to adhere to which can lead to hefty fines if not met.

The purpose of the act is outlined below: “(a) give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at— (i) balancing the right to privacy against other rights, particularly the right of access to information; and (ii) protecting important interests, including the free flow of information within the Republic and across international borders; (b) regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information; (c) provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and (d) establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.” (Source: Information Regulator South Africa: Protection of Personal Information Act, 2013).

About this guide:

The Mail Blaze Guide to POPI compliance does not construe professional legal advice. . It should be seen as a view and interpretation of the POPI Act and is solely meant to help you understand and achieve compliance specifically in terms of email marketing practices.

  • What is considered personal data
  • Why you need to know more about the POPI Act and how it affects your email marketing
  • What you should do to comply
  • Quick reference email checklist
  • More about Mail Blaze

What is considered to be personal data?

Personal data in terms of the POPI act is defined as any information that can be used to identify a person. This includes but is not limited to gender, age, religion, beliefs, culture, language, email address, telephone number, physical address, location, views, preferences etc.


From the above list, it’s clear to see that the data covered by the act is most commonly used in your email marketing and therefore as a marketer you need to adhere to the conditions set out by POPI to process this data.

Why do I need to know more and how does it affect my email marketing?

As stated above, there are many different personal identifiers that are commonly used in email marketing that require email marketers to adhere to the conditions of the POPI act.

Bought Lists: If you have previously relied on buying email marketing lists or databases, you will no longer be able to use these lists (PLEASE NOTE: Mail Blaze does not sell email databases or recommend that you use them under any circumstances).

Opt-In and Unsubscribe: You may have to adjust your subscription process if you are not expressly informing your subscribers how their information will be utilised.

Fines: Legal penalties or consequences for a responsible party includes: a fine or imprisonment of between R1 million and R10 million or up to ten years in jail Compensation to data subjects for damages suffered

You could also suffer reputation damage as well as losing customers as a result of non-compliance which means you could have a PR disaster on your hands. In other words, don’t take the act lightly and rather make sure you comply.

What should I do to comply in general? Steps to compliance

As mentioned there are 8 steps you need to comply with starting with appointing an information officer.

Step 1: Appoint an Information Officer

Accountability is key when it comes to the POPI Act. The first step a business needs to do is to appoint a dedicated Information Officer who will be responsible for POPI compliance.

Step 2: Update or create your Privacy Policy

If you don’t already have a privacy policy on your website, now is a good time to create one. The privacy policy should include specific reference to how you will be using subjects’ personal data.

Step 3: Ensure you raise awareness amongst all employees

To ensure compliance with the POPI Act, it is extremely important to ensure that all your employees are familiar with processes and rules regarding how personal data is processed (i.e. how it is used or handled). This also includes informing your employees how their own personal information is being used and processed.

Step 4: Ensure that you update your internal data and data processes

Clear practices should be established around data processing in terms of:

  • Deleting and editing documents
  • Saving documents to USB
  • Transferring data between devices
  • Any other method or different way that data is handled in all forms (not just online)

Step 5: Amend your contracts (where needed)

It’s really important to ensure you amend any contracts that you have with operators where personal information is processed and comes into play.

Step 6: Report data breaches to the regulator and data subjects

If any data breaches occur, it is extremely important that you inform the regulator as well as the affected data subjects.

Step 7: Transferring personal information to other countries

If you are dealing with clients outside of South Africa it is important to check that you are lawfully allowed to transfer personal information to other countries

Step 8: Ensure you don’t share personal information unlawfully

It’s important to ensure that you don’t share any personal information you obtain from a data subject illegally. If you are unsure, refer back to the terms of service you set up that would clearly state what the information you gathered is used for.

What should I do for my email marketing campaigns to comply?

Once you’ve got your house in order, so to speak, it’s important that you ensure that your email campaigns comply with the POPI Act too.

The first thing to pay attention to is your data collection process. This applies to the current data you hold and to data you collect in the future.


How up to date is your data? If you’ve got a list of subscribers that have been with you for years then you will be covered by a clause within the POPI Act called “soft opt in.” This clause makes provision for marketers that have been emailing clients for a reasonable period wherein the client hasn’t objected to receiving communications. If a client of this nature lodges a POPI complaint, you’ll be protected from people taking a chance. You could segment these client’s and send them a re-opt in campaign if you’d like to rest assured that you have the express consent to keep emailing them.

“Soft opt in” also protects you where you might no longer hold a record of how the subscriber signed up, just remember that the subscriber needs to always have the means to unsubscribe easily at any point. A common practice in the e-commerce space is to get subscriber information through the process of selling a client a product or service. In this case, you would need to inform customers how you will be using their data to give them a chance to provide consent for you to use their data outside the normal circumstances. A practical example: I buy a new shirt from an ecommerce retailer where I am required to provide my email address and other information to process the order, the ecommerce retailer can ask me to tick a box consenting to receive communications from them via email in the future which would act as consent for any future communications. During the purchase process the customer assumes that they will receive emails to update them on the order process, but for any further marketing communication after the order is complete there should be explicit opt in by the customer.


You need to ensure that you give individuals a chance to opt-in as well as tell them what they can expect from you. You should not use pre-ticked boxes on your sign up forms or website sign-ups. An individual needs to give express permission.

Now it’s time to look at what you need to include in your email campaigns

YOUR BRANDING - identify yourself

Subscribers need to immediately be able to recognise your business/brand, therefore you should pay special attention to your sender name as this is the first thing your subscribers will see when your email lands in their inbox. Don’t use a Gmail or Yahoo email address as your from name, as this can look unprofessional and cause confusion.

In terms of branding, it’s also extremely important to ensure that your campaigns always feature your logo prominently. You can choose to place your logo in the footer of your campaigns if you prefer this as a design option, but make sure it is there.

YOUR MESSAGING - stay on track

When individuals sign up to your email subscription list, it’s important that you tell them what type of communication they can expect from you and that you keep to that. If you decide to widen your offer or expand your original focus, you can inform subscribers throughout to ensure that they are still interested and still want to stay subscribed.


It might seem strange to have to provide a physical address in your email campaigns in a world where everything is done online, but the POPI Act requires that you do. You need to give individuals the opportunity to send an official notice to opt out physically if they choose. It may seem silly as your emails will already contain an unsubscribe link but it’s still something you need to do. We recommend adding this to your footer.


It’s really crucial that you ensure that you allow anyone who subscribes to your email marketing list to unsubscribe easily. You should give them the opportunity to unsubscribe via the channel they are receiving communication from. This means if they are subscribed to your email list, they shouldn’t have to SMS you to unsubscribe. Make the unsubscribe or opt-out process simple and easy to follow.


It’s important to keep an up to date list of all deleted and/or unsubscribed email addresses. This ensures that you don’t contact anyone who has expressly asked not to be contacted.

Who is Mail Blaze?

At Mail Blaze we believe that emails have the power to connect people in a personal way and that they are a key to fostering long-lasting relationships with your audience.

We’ve built a product we’re proud of. A product where clients are able to create functional, curated emails to speak to their audience in a way that matters. We’re invested in our client’s success and have built our platform with robust functionality based on what they need while always looking at functional opportunities that can help them grow.

Our vision is to empower our clients to deliver professional engaging communication exchanges with their customers through an exceptional product and a guided approach to promote growth and ongoing performance.

Your success is our fuel Together we can connect, create and cultivate exceptional email marketing experiences

Want to learn more about Mail Blaze?

We’d love to connect with you. Find out how you can start firing off beautiful, uncomplicated emails - for less.

DISCLAIMER: Any information displayed on our website, related marketing material or help guide is intended for general information purposes. It should not be construed as legal advice.


Contact us
for help

Fill out the form and we will get back to you.

Join Our

Ready to enhance your email marketing campaigns?
Sign up to our weekly email newsletter for email marketing news, tips and tricks.