by Tebogo Sibidla, Director

Many businesses assume that once a customer has consented to direct marketing, they may continue contacting that customer unless the consent is expressly withdrawn. South Africa’s updated direct marketing regime may challenge this assumption. Where a customer has expressly consented to receive direct marketing but later registers a pre-emptive block on the National Opt-Out Registry (the “Registry”), businesses face a difficult question: should the earlier consent or the later Registry entry prevail? The question is becoming increasingly important following recent amendments to the Consumer Protection Act Regulations, 2011 (the “CPA Regulations”), which operationalise the Registry and which the National Consumer Commission (the “NCC”) has indicated will commence practical registration and implementation processes in July 2026. South African law does not yet clearly prescribe a hierarchy between prior express consent and subsequent pre-emptive block in every scenario. Pending clearer regulatory or judicial guidance, the issue should be managed as both a legal interpretation question and a data-governance risk.

Why this matters operationally

For many companies, consent and opt-out records are fragmented across business units, legacy platforms, outsourced call centres, CRM systems, loyalty databases, and third-party lead-generation arrangements.

A customer’s marketing status may be recorded in multiple parallel datasets reflecting historical contractual consent, marketing preferences, channel-specific opt-outs, POPIA objections, customer‑service suppressions, and external opt-out registry requirements. (For ease of reading, this article refers generally to “customers”, while using “consumers” where the CPA is being discussed and “data subjects” where POPIA is being discussed.) One system may show that a customer previously consented to direct marketing, while another may show a later channel-specific opt-out.

Businesses will therefore need rules for dealing with conflicts between earlier consent, later Registry-based opt-outs, POPIA objections and channel-specific marketing campaigns. If a customer appears on the Registry, but remains marked as having “consented” to direct marketing, which instruction will prevail? How should the business treat customers who gave prior express, and sometimes written, consent before registering a pre-emptive block on the Registry? How should customer databases be cleansed where consent records, channel-specific opt-outs, POPIA objections and Registry suppressions conflict? How should third-party lead-generating databases be assessed before use? What audit trails must exist to demonstrate that the business has a lawful basis for sending direct‑marketing communication?

Until this hierarchy is clarified, direct marketers will need to implement a clear governance position that can be applied across systems, channels, and third-party data sources.

The CPA position

Section 11 of the CPA, headed “The Right to Restrict Unwanted Direct Marketing”, prescribes consumers’ rights in respect of direct marketing. In terms of this section, consumers have the right to refuse direct marketing, require that it be discontinued, or pre-emptively block unwanted marketing. The amended CPA Regulations give practical effect to this by recognising a pre-emptive block registered on the Registry established by the National Consumer Commission (“NCC”). This section also prohibits direct marketing to any person who has requested that direct marketing be discontinued or has registered a pre-emptive block.

In terms of the CPA Regulations (as amended), a “pre-emptive block” means “registering a block on the opt-out registry established by the Commission … to prevent any unwanted electronic communication from direct marketers”.

The use of the word “unwanted” is notable. It leaves room for the argument that direct marketing sent within the scope of a consumer’s specific, informed, and current consent is not “unwanted” direct marketing. On that view, a later Registry entry should not automatically override all prior or subsequent consent in every circumstance. However, this interpretation is not risk-free and would have to be weighed against the express prohibitions in the amended CPA Regulations.

The amended CPA Regulations strongly suggest that pre-emptive blocks are intended to have practical force. The CPA Regulations expressly prohibit a direct marketer from marketing any goods or services directly to any consumer who has registered a pre-emptive block. They also oblige a direct marketer to remove, from its direct‑marketing databases, the people who have registered pre-emptive blocks. The overall structure of the CPA regime appears designed to enable a consumer to (a) block direct marketing from a particular direct marketer by sending an opt-out message to that direct marketer; or (b) block direct marketing without having to opt out repeatedly from multiple marketers individually by registering a pre-emptive block on the Registry.

The Registry is therefore intended to create a centralised mechanism through which consumers can broadly signal that they do not wish to receive unwanted direct‑marketing communications. This is where the consent issue becomes significantly more complicated. Neither the CPA nor the amended CPA Regulations expressly or comprehensively address whether express consent for direct marketing can override a subsequent Registry entry.

The omission is significant because many organisations already rely on broad contractual or digital consent mechanisms. Consumers routinely “agree” to receive direct-marketing communications when opening accounts, downloading apps, entering competitions, or subscribing to services.

This lack of clarity is therefore not merely theoretical. It creates a real compliance, governance, and evidentiary challenge for businesses, especially those with large customer databases and legacy marketing systems.

The POPIA position

POPIA does not resolve the issue. In broad terms, section 69 of POPIA regulates direct marketing by means of unsolicited electronic communications and generally requires consent unless the existing-customer soft opt-in applies.

POPIA also recognises ongoing control by data subjects: data subjects who have provided prior consent may withdraw their consent at any time. Data subjects may also object to the processing of their personal information for direct‑marketing purposes.

POPIA therefore regulates the lawful processing of personal information, while the CPA regulates unwanted direct marketing from a consumer-protection perspective. Although the two regimes overlap substantially, in practice, they regulate different things and do not fit together neatly. It is therefore unclear how the exercise of rights under one statute affects rights and obligations under the other.

POPIA adds another layer to the difficult questions that arise under the CPA. It is unclear what role pre-emptive blocks under the CPA will play under the POPIA framework. Will registration on the Registry be treated as a withdrawal of earlier direct-marketing consent, an objection to processing, or a separate CPA-based suppression instruction?

Key unresolved questions

The current interaction between the CPA and POPIA creates several unresolved questions that affect business operations, including:

• Whether a pre-emptive block automatically constitutes withdrawal of prior consent.
• Whether a marketer may continue relying on consent obtained before a Registry entry.
• Whether a later and more specific consent can revive marketing after registration.
• Whether the answers to these questions differ for existing customers and prospective customers.

From a governance perspective, this creates a difficult compliance position for businesses attempting to design defensible direct marketing frameworks in advance of likely enforcement activity.

The regulatory position is also split across regimes. The CPA framework and the Registry are administered by the NCC and are aimed at addressing the consumer’s right to restrict unwanted direct marketing.  POPIA, on the other hand, regulates the processing of personal information and places specific limits on unsolicited electronic direct marketing. A single marketing campaign may therefore raise both consumer-protection and data‑protection issues, particularly where internal consent records, POPIA objections and pre-emptive block‑based suppressions are not aligned.

The timing and nature of the consent may also matter. Consent obtained before a customer registers a pre-emptive block may become difficult to rely on if the later Registry entry is treated as a broader suppression instruction. Consent obtained after registration may present a different question, particularly where it was recently obtained, is channel-specific and auditable. The law does not yet provide a comprehensive answer to this hierarchy issue, which is why businesses should distinguish between historical consent, post‑registration consent and broad bundled consent captured through standard customer journeys.

Comparative international frameworks indicate that laws often expressly clarify whether and when prior consent operates as an exception to do‑not‑contact registry protections. Certain countries, such as Canada, Australia, and the United States, expressly recognise consent-based exceptions to do‑not‑contact restrictions, although the scope and operation of those exceptions differ materially across regimes. The amended CPA Regulations currently do not provide equivalent clarity regarding the relationship between prior consent and later pre-emptive‑block based suppression rights.

What should you do in the meantime?

Pending clarification of the hierarchy between direct-marketing consent, pre-emptive blocks and POPIA opt-outs, businesses should consider adopting the following controls:

1. Screen marketing databases against the Registry before campaigns, and repeat that screening monthly in line with the amended CPA Regulations.
2. Reconcile Registry matches against internal consent records, channel-specific opt-outs, POPIA objections, customer-service suppressions, and legacy marketing preferences.
3. Apply a default suppression rule where the customer appears on the Registry unless there is a properly documented and supportable basis for continuing to market to that customer within the relevant channel and scope.
4. Require exceptions to be approved and documented with reference to the wording, date, source, scope, and channel of the consent relied on.
5. Allocate responsibility for suppression management to a defined business owner supported by legal, compliance, marketing operations, and data governance, rather than allowing consent status to be managed inconsistently across marketing, sales, customer service, compliance, and outsourced call centre teams.
6. Treat third-party lead lists as high-risk data assets and do not use them unless the origin, wording, scope, date, and transferability of the relevant consent can be verified before use, and the data have been screened against the Registry and other applicable suppression requirements.
7. Retain an audit trail showing how conflicts between consent records, Registry status and POPIA objections were identified, escalated, and resolved.

Until clearer regulatory or judicial guidance emerges, businesses engaging in direct marketing may need to adopt more conservative suppression frameworks. In practice, this may require organisations to treat pre-emptive block-based suppression rights as potentially overriding historical consent records unless the business can demonstrate a well-documented and defensible basis for continuing to market within the relevant channel and scope.