Everlytic POPIA Q&A: Harvesting Data from the Internet & Social Media
In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers the questions we received on harvesting data from the internet and social media.
1. Can you harvest personal information from social media and the internet to use in marketing?
You should, wherever possible, get information directly from the person — unless that person made the information deliberately public. But, even if you get that information from a public place, like a person’s website, you still have to contact them to explain where you got their information.
You will also need a legal justification under section 11 of POPI to process the person’s information for direct marketing purposes. Depending on what channel you are doing the direct marketing by (e.g. electronic direct marketing versus telemarketing), consent or the legitimate interest of the responsible party will be the appropriate legal justification to use it.
If you go about harvesting data from the internet, you’ll need carefully worded consent that includes:
- Where you got their details and the permission to have it
- Transparency around what you want to use the information for, requesting permission to do so
Something that’s extremely problematic is when recruitment agents connect with someone on LinkedIn and harvest their contact data from their LinkedIn profiles without asking. This practice is illegal and will require consent as noted above.
2. Could we take followers from social platforms and target them through email or SMS?
Not without getting their permission first. Just because someone follows you on social media doesn’t mean they want direct marketing from you. People also complain a lot about people harvesting their data from social media, so if you do this, you’re more likely to be reported to the Regulator.
3. Do you need to get consent from a client list first if you plan on uploading the list to social media for ad targeting?
It depends what you told them when they signed up. Did you tell them that you’d display ads to them on social media? If the list was compiled via a transaction, like when a client purchases a product from you, you can position this as an opt-out kind of consent. i.e.: “Let us know if you don’t want to receive ads from us on social media.”
4. How will POPIA affect social media advertising, pay per click, and pay per impression?
Unless you’re collecting identifiable personal information, it doesn’t affect any of these. POPIA doesn’t have any specific provision on cookies yet, so if you’re uncertain, look at the Regulator’s cookie notice as an example of what’s acceptable.
5. If you harvest information from the internet and use it to enrich a database you already have, is that allowed?
Updating or enriching your existing data is allowed and encouraged by POPIA, but there are some risks involved. If you’re just verifying the data you already have and not adding new data, this should be fine.
However, if you decide to do this, you must only override data that is incorrect. If someone subscribes using one email address, for instance, you may not enrich the data with another email address unless the email address that you have is incorrect. If someone subscribes with an active email address, it’s usually because that’s where they want the mail to go.
For more guidance, watch our POPIA webinars, listen to our POPIA podcasts, read our POPIA guide, or chat to a POPIA expert, like Elizabeth de Stadler from Novation Consulting.