Cleanse Or Consent? The ZAR0.12 Question Every South African Direct Marketer Must Answer

On 15 April 2026, the Minister of Trade, Industry and Competition gazetted the Consumer Protection Act Amendment Regulations, 2026 (“Amendment Regulations”), overhauling the direct marketing regulatory landscape in South Africa. Six days later, the Information Regulator issued a media statement reminding responsible parties that compliance with the Protection of Personal Information Act (“POPIA”) remains mandatory irrespective of a consumer’s registration status on the pre-emptive block. Together, these instruments raise two pressing questions: must an existing client who has expressly consented to direct marketing still have their data cleansed monthly? And what are the true cost implications of the newly prescribed cleansing fee of ZAR0.12 per data entry?

The 2026 amendments insert a new subregulation (7) into Regulation 4 of the Consumer Protection Act Regulations, 2011 (“Principal Regulations”), imposing stringent obligations on direct marketers. A direct marketer must register on the opt-out registry administered by the National Consumer Commission and annually renew that registration. Most critically, a direct marketer must “not directly market any goods or services to any consumer who has registered a relevant pre-emptive block” and must “remove, from its database, all data of persons who have registered a relevant pre-emptive block by cleansing such data monthly with the Commission”. “Cleansing” is defined as “the process of removing consumers who have opted out of any electronic communication from the direct marketer’s database, ensuring that they are no longer contacted”.

The original Regulation 4(3)(g) provides that a direct marketer need not assume a comprehensive pre-emptive block has been registered in respect of existing clients who have expressly consented to receiving direct marketing after the commencement of the Principal Regulations in 2011 and that no cleansing obligations applies in respect of such clients. This exception has not been expressly repealed: the 2026 amendments delete paragraphs (i), (j) and (k) of subregulation (3), but paragraph (g) remains intact.

However, the new subregulation (7)(h) and (7)(i) impose blanket obligations - no marketing to blocked consumers and mandatory monthly cleansing of all blocked data - without carving out any exception for existing clients. The tension is immediately apparent.

Two competing interpretations arise. The first holds that because Regulation 4(3)(g) has not been repealed, consent remains a shield against the cleansing requirement. The second holds that subregulation (7)(i) is absolute in its terms: it requires the removal of “all data” of persons who have registered a relevant pre-emptive block, with no qualifying language such as “unless the direct marketer holds proof of express consent”. Importantly, Regulation 4(3)(g) addresses the situation where the direct marketer does not know whether a block has been registered and must make a presumption, whereas subregulation (7)(i) addresses the situation where a block has in fact been registered. The consent exception logically applies only to the former.

The 2026 Amendment Regulations prescribe a “Filing cleansing fee per data entry” of ZAR0.12 in 2026, increasing to ZAR0.14 in 2027, ZAR0.16 in 2028, and R0.18 in 2029, as set out in the new Annexure N. Although the fee is not expressly described as “per month”, the practical effect of subregulation (7)(i), which mandates that direct marketers cleanse their databases against the Commission’s opt-out registry on a monthly basis, is that the fee is incurred each month. The fee is charged per data entry submitted for cleansing, not per consumer ultimately found to have registered a pre-emptive block, meaning the entire database attracts the fee each time it is cleansed.

The Information Regulator’s media statement adds a further dimension, emphasising that POPIA compliance remains mandatory “irrespective of whether a consumer (data subject) is registered on the pre-emptive block, in the opt-out registry, or not”. Consumers who have not registered a pre-emptive block “are still protected by POPIA”, and the Regulator’s view is that “by merely opting out, a data subject cannot be regarded as having given consent”. The implication is clear: even if a direct marketer holds consent under the CPA framework, it must independently ensure POPIA compliance. The two regimes operate in parallel, and compliance with one does not discharge obligations under the other.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.