How Popi will change retail

Retailers have to be prepared to deal with customers’ questions about the type and amount of personal information that they are collecting, why they are collecting it and how they intend to protect it against abuse. By Jana van Zyl.

Jana van Zyl

Jana van Zyl

Given the upcoming Protection of Personal Information (Popi) Act, retailers have to be prepared to deal with customers’ questions about the type and amount of personal information that they are collecting, why they are collecting it and how they intend to protect it against abuse.

Popi provides a wide definition of personal information, which could include diverse forms of data — addresses, ID numbers, cellphone numbers, biometric information and even personal views on certain issues.

It also differentiates between “normal” personal information, special personal information (such as information about health) and children’s personal information, all of which have different rules that will apply to the processing of the personal information.

There isn’t a defined list of information that retailers are prohibited from collecting, but as a rule any business should collect only what is necessary to achieve a specific purpose.

A good example of this is the use of an ID to verify a customer’s identity. Retailers have to justify why they should be entitled to collect the information. For example, do they really need a copy of a customer’s ID or is it sufficient for that customer to merely display the document? If they don’t need a copy, why keep it? And even if they can justify why they need a copy, they should use if only for the purpose they originally collected it. Should they wish to use the information for any other purpose they will need to notify the customer.

Consent as such does not always have to be given in written format, as it won’t always be practical to get it. If a supermarket has a lucky draw box on the counter where customers place their till slips with their phone numbers to enter a competition, it won’t want them to have to fill in lengthy permission forms. But they will only be able to use the information they receive for entry into the draw. Any other purpose will need to be specified explicitly.

Similarly, if a customer has signed up for a loyalty programme, the retailer is entitled to track their purchases and use this to promote products based on buying behaviour, but only if it received consent to do so when the customer signed up.

Of course, not all retailers’ communication occurs in-store. Many frequently communicate with customers via social media platforms like Facebook. Social media has meant that many customers make information publicly available. This does not mean that Popi in its entirety won’t apply.

If a company wishes to collect data via its Facebook page, it will still be responsible for securing and protecting that the information and it will still have to limit its use, disclosure and retention in line with the purpose for which it was collected.

Naturally, security is a large concern for retailers, many of which frequently receive and retain sensitive hard copy information, such as credit card slips. Retailers will have to retrain their employees in preparation for Popi. There isn’t an exact list of specific measures to be implemented, but retailers will need to review their processes and educate their staff about the importance of safeguarding personal information.

Popi also has implications for future human resources activities. These will include revising current policies and employee contracts. Although this may be a costly exercise, most retailers regard Popi as positive. Most understand that the misuse of customer information will have serious reputational consequences. It is necessary to create awareness among staff members about the use of customers’ personal information.

Responsible use is key. Most retailers are eager to safeguard their customers’ information and upgrade their security measures and policies accordingly. And Popi has forced retailers to reconsider and improve existing processes.

  • Jana van Zyl is a partner at Dommisse Attorneys

Share this article

Why TechCentral?

We know that as a prospective advertiser, you are spoilt for choice. Our job is to demonstrate why TechCentral delivers the best return for your advertising spend.

TechCentral is South Africa’s online technology news leader. We don’t say that lightly. We believe we produce the country’s best and most insightful online tech news aimed at industry professionals and those interested in the fast-changing world of technology.

We provide news, reviews and comment, without fear or favour, that is of direct relevance to our fast-expanding audience. Proportionately, we provide the largest local audience of all technology-focused online publishers.

We do not constantly regurgitate press releases to draw in search engine traffic — we believe websites that do so are doing their readers and advertisers a disservice. Nor do we sell “editorial features”, offer advertising “press offices” or rely on online bulletin-board forums of questionable value to advertisers to bolster our traffic.

TechCentral, which is edited and written by award-winning South African journalists, cares about delivering top-quality content to draw in the business and consumer readers that are of most interest to technology advertisers.

We’d like the opportunity to demonstrate the value of directing a portion of your advertising budget to TechCentral, whether your company is in the technology field or not. Numerous opportunities exist for companies interested in reaching our audience of key decision-makers in South Africa’s dynamic information and communications technology sector. We offer packages that will deliver among the best returns on investment available in the online technology news space.

For more information about advertising opportunities, and how your organisation can benefit by publicising itself on TechCentral, please call us on 011-792-0449 during office hours. Or send us an e-mail and ask for our latest rate card and brochure.