POPIA in one paragraph
The Protection of Personal Information Act, known as POPIA, regulates how organisations collect, store and use personal data in South Africa. It came into full force in 2021 and applies to any business processing personal information about South African data subjects, regardless of where the business is based.
WhatsApp messages are personal information
A customer’s phone number, name, message content, location and chat history all qualify as personal information under POPIA. Some content may also qualify as special personal information, for example health-related details or religious beliefs, which carries stricter rules.
Lawful processing
POPIA requires that processing be lawful and reasonable. The most common lawful grounds for WhatsApp messaging are consent and performance of a contract. For marketing messages, you almost always need consent. Section 69 of POPIA specifically governs direct marketing and is strict about how consent is obtained and documented.
The eight conditions
POPIA sets out eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Build your WhatsApp practices to satisfy all of them, not just the consent piece.
Information officer
Every responsible party in South Africa must register an information officer with the Regulator. The information officer is the named contact for queries and complaints, including those that arise from WhatsApp interactions. Your privacy notice should list how customers can reach the information officer.
Cross-border transfers
If your WhatsApp data is processed by a vendor outside South Africa, section 72 requires that the receiving country has adequate protection or that you have binding contractual safeguards in place. Many BSPs and AI vendors are based abroad, so contracts must be drafted with this in mind.
Data subject rights
South African customers can request access to their data, ask for corrections, object to processing for direct marketing, and complain to the Regulator. Set up an internal process to receive and act on these requests within reasonable timeframes.
Direct marketing
Section 69 only allows direct marketing by electronic communication with the recipient’s consent, or where the recipient is an existing customer, the marketing relates to similar products or services, and they were given the chance to opt out at every interaction. WhatsApp marketing must respect both POPIA and Meta’s own opt-in rules.
Children
POPIA prohibits processing the personal information of children under 18 without the consent of a competent person. If your audience could include minors, you need extra controls, including age screening and parental consent flows.
Practical steps
Publish a POPIA-compliant privacy notice. Build a documented opt-in flow. Sign data processing agreements with every vendor. Train staff on customer rights requests. Monitor your retention and deletion practices. Done well, POPIA compliance is also good business hygiene.