FAQs: How does POPI affect my remarketing activities?

Recently we received a question from an IAB SA member regarding the use of remarketing practices under South Africa’s Protection of Personal Information (POPI) Act.

The question contained a scenario: A website that makes use of remarketing on a product site wants to place the tracking code it uses on another, third-party publishing site in order to track user interaction. Is such a thing allowed under POPI?

What is remarketing?

Remarketing is a marketing technique used by companies or organisations that want to advertise their products or services to users online who have previously visited their websites.

It is often used to enhance the visibility of a brand and remind specific web users of its existence; generate sales by showing existing customers new products; and cross-sell and up-sell to the customer – all based on the fact that the consumer has on a prior occasion shown interest in the brand by visiting its website, looking at specific items or buying certain products or services.

Its power lies in the fact that it is customisable and targeted while reducing redundant advertising. Facebook and Google are examples of companies that offer remarketing services.

How does remarketing affect privacy?

For remarketing to work, user profiles are compiled that include buying and browsing behaviour and identifiers. Cookies and other devices are used to track user behaviour. Relevant advertisements can then be shown to users while they are surfing other websites – via Google Ads, for example. This means users’ privacy is affected as their behaviour is being monitored.

What are the POPI implications?

POPI defines personal information widely, but a good rule to remember is that the act only considers information to be personal information if it can be used to identify a specific person. This means that if pieces of information separately cannot point to a specific identity, POPI does not apply; if the collated information can identify a specific person, it will.

Considering the type of information collected, remarketing could use identifiable information, so it is necessary to consider the implications of the act for remarketing.

First, before processing any personal information, it is necessary for the organisation that is using the information (“the Responsible Party” in POPI) to get consent to do so from the person to whom the information relates (the “Data Subject” in POPI). Second, sharing of personal information by the Responsible Party with any third party also requires consent from the Data Subject.

Third parties – general

Should personal information be transferred to any third parties, it is necessary that users are made aware of the fact that transfer of their personal information will occur and where it will be transferred to (that is, who the third parties are and what, exactly, they will be doing with the information). Our question is therefore answered: a tracking code from one website can be placed on a third-party website legitimately under POPI, so long as the user consents to the transfer and understands who the third party is, and what processing the third party will be doing.

Third parties – operators

If personal information is shared with a remarketing service provider such as Google, it is necessary that the user consents to the transfer and the specific purpose for the processing, as the remarketing service provider is a third party. In terms of POPI, Google is defined as an “Operator”: a person who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party.

Operators have certain obligations under POPI: an Operator is obliged to process the information only upon authorisation of the Responsible Party and must treat the information as confidential. The Responsible Party must enter into a written contract with the Operator ensuring that the Operator maintains security measures to protect the integrity and confidentiality of the personal information in question and that, if a security breach occurs or is believed to have occurred, the Operator must inform the Responsible Party immediately.

POPI and marketing

When it comes to direct marketing to any person, section 69 of POPI applies. This section prohibits directly marketing to a consumer on any electronic platform (such as online by remarketing) unless consent from the specific consumer has been given or the consumer is a customer of the party processing the information.

This means that if users have bought a product or service from the website, remarketing can occur without gathering further consent. If not, the Responsible Party will need to obtain consent from users before processing their information for remarketing purposes. When the Responsible Party collects this consent, users must consent to the specific use of their personal information (such as for remarketing).

Best practice

We have established the consents needed to use remarketing, but the online environment might not seem like the easiest place to get consent from visitors to a website. One way to gather the consent needed is through a well-written privacy policy that is placed on the website in a visible spot.

A privacy policy will usually warn that using the website is an act of tacit consent to the terms within the privacy policy placed on the website. It is similar to how a person accepts the terms and conditions of a sale at a brick-and-mortar store, which are printed on the receipt of the purchase. In this way you are able to get consent from website visitors simply by placing a privacy policy on the website in a spot that makes it visible to all users.

Include the following in your privacy policy:

  • The fact that by using the website users are tacitly agreeing to the terms in the privacy policy.
  • A description of how you are using remarketing to advertise to them online.
  • A list of third-party vendors, such as Google, that provide the remarketing service and show your adverts to the user on sites across the internet.
  • A list of other third parties to whom the user’s personal information is transferred and for what purpose.
  • An explanation of exactly how third-party vendors, including remarketing service suppliers, use cookies or other tracking devices (be specific) to collect information.
  • Opt-out information such as Google’s Ads Settings page, which allows users to adjust their preferences for receiving advertising, and The Network Advertising Initiative, which allows web users to opt out of web advertising from NAI Member advertisers.
  • A reminder to users that, if they do not want to be marketed to, POPI allows them to withdraw their consent at any time, together with a method (such as writing to an email address) for doing so.

Natalie Reffo
EndCode Advisory

PICTURE: Sebastien Wiertz with Creative Commons Attribution 2.0 Generic licence