South Africa’s Protection of Personal Information Act has been fully enforceable since July 2021, and yet most small business owners we speak to are still a bit vague on what it actually means for their email marketing. Some assume it works the same as the European GDPR. Some have been told (incorrectly) that they need to delete their entire database and start over. And plenty are running campaigns the way they always have, hoping for the best.
Here is the part everyone misses: POPIA isn’t designed to stop you from doing email marketing. It’s designed to stop you from doing it badly. Once you understand the rules, POPIA email marketing is genuinely manageable, and in most cases it makes you a better marketer too.
This is a working guide. It isn’t legal advice. But it’ll get you 90% of the way to a compliant, sensible setup.
What POPIA actually does
POPIA is the Protection of Personal Information Act. It governs how South African businesses collect, store, and use personal information of anyone in the country. An email address is personal information, so any email marketing you do falls inside its scope.
The Act is enforced by the Information Regulator, and yes, fines can be issued. They’re real and meaningful (up to R10 million, or imprisonment for serious offences). In practice, most enforcement has been around poor data handling rather than email marketing specifically. But that doesn’t mean you can ignore the rules.
Consent is the big one
To email someone for marketing purposes in South Africa, you generally need one of two things: their explicit consent, or an existing customer relationship.
Consent under POPIA means voluntary, specific, and informed permission. In plain language:
- The person actively opted in. A pre-ticked checkbox doesn’t count. A buried “by using this site you agree to marketing” line doesn’t count either.
- They knew what they were agreeing to. “Sign up for our newsletter” is fine. A bare “Sign up” with no context isn’t.
- They can withdraw consent at any time, easily, and you’ll honour it quickly.
This is why almost every South African website now has explicit checkboxes near its sign-up forms. It isn’t paranoia. It’s the law.
The existing customer exception
If someone has bought from you, you have an existing relationship. POPIA allows you to email past customers about similar products or services without separate marketing consent, as long as you gave them a clear opportunity to opt out at the time of the original purchase, and you give them an easy opt-out in every email after.
This is the part of the law most people get wrong in the friendly direction. You can email your customers. You just can’t import a random LinkedIn export and start blasting.
What every marketing email must include
Every commercial email you send needs four things:
- A clear sender identity. Your business name, not a cryptic
info@address with no context. - A valid physical address. Your registered business address. A PO Box is fine.
- A working unsubscribe link. One click should do it. No login required.
- Clear identification as marketing. Don’t disguise a sales email as a personal message from a person.
Every reputable email platform (Mailchimp, Brevo, Klaviyo, ActiveCampaign) includes these by default. Which is one good reason not to send marketing emails through Gmail or Outlook.
What about contacts already on your list?
This is where people panic and shouldn’t. POPIA didn’t require South African businesses to nuke their pre-2021 contact lists. But it does require that you be able to demonstrate, on request, how each contact ended up there.
If you have records (form submissions, sign-up data, sales records) showing how someone opted in, you’re fine. If you scraped a list, bought a list, or grabbed contacts from networking events without permission, you’ve got a problem. The honest answer is to either re-permission those contacts (send a single email asking them to confirm they still want to hear from you) or remove them.
Yes, your active list will shrink. Yes, that’s painful. But a smaller list of people who actually want to hear from you will outperform a bloated list every time.
B2B versus B2C
This trips a lot of people up. POPIA applies to information about “data subjects,” which includes individuals. Generic business addresses like info@company.co.za aren’t personal data. But a named work address like sarah@company.co.za is.
So sending cold outreach to named business contacts without consent is risky. Sending to generic business inboxes is more defensible, but still not what we’d call best practice. The cleaner play is always to earn the opt-in.
The short version
You can do email marketing in South Africa. Here is what you need to do POPIA email marketing properly:
- Earn explicit opt-in for new subscribers. No pre-ticked boxes, no buried consent.
- Use a proper email platform that handles compliance basics for you.
- Include your business name, address, and a working unsubscribe in every email.
- Honour unsubscribe requests immediately.
- Keep records of how each contact ended up on your list.
- If your existing list is dodgy, send a single re-permission email and clear the rest.
That’s it. POPIA isn’t designed to make life difficult. It’s designed to stop the worst practices. Doing email marketing properly was always going to be more effective anyway.
Read next
If you’re starting from scratch or rebuilding a tired list, our guide to what to put in your welcome sequence is a good next stop. And if you’re still weighing email against social, we compared the two honestly here.
Need a hand?
If your email setup needs a tidy-up, or you’re starting from scratch and want to do it right the first time, that’s what we do. Have a look at our email marketing service, or get in touch for a quick chat about where you’re stuck.
