The Consumer Protection Act Amendment Regulations, 2026 deliver the long‑awaited operational framework for South Africa’s statutory opt‑out regime by establishing a National Consumer Commission (“NCC“) administered opt‑out registry, mandating direct‑marketer registration and annual renewal, imposing monthly “cleansing” of marketing databases against the registry, and prohibiting marketing to consumers who have registered a pre‑emptive block, with immediate effect from 15 April 2026.

In short, the practical machinery to curb unsolicited electronic marketing under the CPA is finally in force.

While privacy enforcement under other statutes remains important in the broader ecosystem, these Regulations make clear that, within the Consumer Protection Act (“CPA“) framework, the  NCC now has custody of the national opt‑out registry and the associated compliance lifecycle for direct marketers, thereby addressing persistent concerns about spam call and messages.

The Regulations are issued by the Minister of Trade, Industry and Competition under section 120(1)(a), read with section 11(6), of the CPA, following consultation with the NCC and provincial consumer regulatory authorities, which situates the new regime squarely within the CPA’s consumer rights to restrict unwanted direct marketing.  The Regulations amend the 2011 Consumer Protection Act Regulations by adding three annexures, reflected as Annexures N, O and P, which supply the operative forms and tariff schedules required to run a functioning opt‑out and direct‑marketer registration system. The amended Regulations states expressly that it comes into effect on the date of publication of the Notice, which means the obligations and processes described are already live as of 15 April 2026.

The reliance on section 11(6) is significant because section 11 of the CPA addresses a consumer’s right to restrict unwanted direct marketing, and the amendments implement the mechanics for that right through a Commission‑run registry, rather than leaving it as an unenforced principle.

The Regulations introduce a defined concept of “cleansing”, which is described as the process of removing consumers who have opted‑out of electronic communication from a direct marketer’s database to ensure they are no longer contacted. This is important because it transforms the opt‑out right into a recurring operational duty on marketers.  The term “direct marketer” is expressly defined to capture any person who engages in direct marketing, thereby pulling both traditional and digital outreach actors within the compliance perimeter regardless of specific channel. The Regulations also define an “electronic communication recipient” as a consumer who receives electronic communication from a direct marketer and has registered a pre‑emptive block, which clarifies that registry protection attaches to recipients who have taken the step to opt‑out.

The pivotal instrument for exercising that protection, “pre‑emptive block”, is defined as registering a block on the opt‑out registry established by the Commission to prevent unwanted electronic communications from direct marketers.

Collectively, these definitions move compliance from general notions of consent and preference into a concrete taxonomy that underpins duties to register, verify, and purge marketing databases against the official registry.

The amended Regulation 4 makes clear that the opt‑out registry is administered by the Commission, and it must be accessible at all times, save for unforeseen technical interruptions, to all persons in the Republic for the purpose of registering a pre‑emptive block, which positions the NCC as the operational hub and guarantees public access to exercise the opt‑out right. The Regulations require direct marketers to register on the Commission’s opt‑out registry using the dedicated Direct Marketer Registration Form, which internalises a single point of onboarding into the system for all entities engaging in direct marketing. A corresponding Consumer Pre‑emptive Block Form specifies the data elements a consumer must provide to register a pre‑emptive block, embedding a standardised, recordable process for opt‑outs. To preserve integrity and privacy of registry information, the Commission must use information it receives solely to operate the opt‑out registry and may not disclose confidential information without consent, except where required by law, which both limits secondary use and recognises lawful disclosure obligations. The Commission is also obliged to verify all information submitted for registration with other relevant state organs before registering profiles, to publish guidance on its website for consumers and direct marketers on how to use the registry, and to inform the public if the registry is unavailable for 24 hours or more, which together create a governance framework for accuracy, transparency and service continuity.

At its core, the Regulations impose a hub‑and‑spoke compliance model in which every direct marketer must register on the opt‑out registry and must renew that registration annually on the anniversary date by paying the prescribed renewal fee, thereby ensuring that only current, identified entities interface with consumers for direct marketing. Each direct marketing communication must enable the recipient to identify the name, electronic address, physical address and contact number of the direct marketer, and any communication transmitted to a recipient’s device must itself be identifiable, which elevates transparency and traceability across channels. The marketer must ensure that information kept on the opt‑out registry is up to date, must be identifiable even on public platforms, and may not disseminate electronic communication from a public platform where the originator is unidentifiable, which closes anonymity loopholes in social or messaging contexts. A categorical prohibition is placed on direct marketing to any consumer who has registered a relevant pre‑emptive block, and marketers may not contact any consumer for purposes of direct marketing unless the marketer is registered on the opt‑out registry, which together create both a substantive contact bar to protect opted‑out consumers and a procedural registration gate for all outbound marketing activity. Crucially, marketers must remove from their databases all data of persons who have registered a relevant pre‑emptive block by “cleansing” such data monthly with the Commission, translating the opt‑out registry into a recurring data‑hygiene obligation rather than a one‑off scrub.

For marketing teams, the immediate implication is that registration on the NCC’s opt‑out registry is now a gatekeeping requirement for any direct marketing contact, and failure to register forecloses lawful outreach regardless of consent arrangements a marketer may believe it holds, because contact is prohibited unless the marketer is registered.  Transparency rules requiring identification of the marketer and contact details in every electronic communication, and prohibitions on unidentifiable dissemination from public platforms, will make it harder for bad actors to hide behind generic handles or anonymous broadcasts when engaging in promotional outreach. From a consumer‑experience perspective, universal public access to register pre‑emptive blocks, combined with Commission website guidance and uptime communication commitments, creates the infrastructure necessary for scale adoption of opt‑out protections, which should, in practice, reduce unsolicited electronic marketing as registry coverage expands.

Organisations engaging in any form of direct marketing should register on the NCC opt‑out registry without delay, and templates for electronic communications should be updated immediately. Consumers who wish to cease unsolicited electronic marketing can complete the Annexure O form to register a pre‑emptive block and should keep their registry information current to maintain effective protection, in line with Commission guidance available on its website.

The message is clear: responsibility for curbing unsolicited direct marketing is now distributed through a concrete CPA compliance machinery anchored by the NCC’s opt‑out registry, and marketers must adapt their processes immediately to the new rule set.