How to report and block spam and unsolicited messages in South Africa
Since my recent banning on MyBroadband where the main reason for the ban seems to have originated from providing consumer advice as an Afrihost customer in an Afrihost support thread, I think it is valuable for anyone affected by unsolicited messages (commonly called “spam”) to understand their rights and recourse if you are on the receiving end of spam.
Regulation of spam in South Africa was introduced by the Electronic Communications and Transactions Act, 2002 (ECTA) and further bolstered by the Consumer Protection Act, 2008 (CPA) and the recently promulgated Protection of Personal Information Act, 2013 (POPIA). Before going into the details of how to deal with and stop spam, it is important that you familiarise yourself with at least portions of these acts.
Spam, or unsolicited bulk email/SMS, is usually sent in large volumes to advertise a service or product which the recipient seldom wants. Spammers often purchase email/SMS databases to reach users, and they will also disregard opt-outs and any of the acts mentioned. With some effort and basic knowledge of the acts below, you can very efficiently fight spam:
Quick Link: Oh no, I will read all the legal mumbo-jumbo later, just show me the “Stop the frigging Spam template message”
The Electronic Communications and Transactions Act (ECTA)
Section 45 of the ECTA is quite specific about unsolicited messages – so much so that sending them is deemed a criminal act. The ECTA provides that recipients of unsolicited communications are able to opt out of future communications and may request information from the sender about where their contact details were obtained. Section 45 of the ECTA will eventually be repealed and replaced by section 69 of the POPIA (Protection Of Personal Information Act – often referred to as “POPI”) once a commencement date has been proclaimed by the Presidency.
Section 45 of the Electronic Communications and Transactions Act, 25 of 2002:
45. Unsolicited goods, services or communications
(1) Any person who sends unsolicited commercial communications to consumers, must provide the consumer:
a) with the option to cancel his or her subscription to the mailing list of that person; and
b) with the identifying particulars of the source from which that person obtained the consumer’s personal information, on request of the consumer.
(2) No agreement is concluded where a consumer has failed to respond to an unsolicited communication.
(3) Any person who fails to comply with or contravenes subsection (1) is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1).
(4) Any person who sends unsolicited commercial communications to a person who has advised the sender that such communications are unwelcome, is guilty of an offence and liable, on conviction, to the penalties prescribed in section 89(1).
The Consumer Protection Act (CPA)
Section 11 of the CPA follows in the footsteps of the ECTA by providing that you may refuse to accept, request the discontinuation of (opt-out) or pre-emptively block direct marketing communications, that any opt-out or pre-emptive block must be respected by marketers and have its receipt confirmed in writing, and that the exercise of these rights must be free of charge.
The introduction of the CPA resulted in the creation of a national opt-out database which is managed by the IAB (Interactive Advertising Bureau – formerly known as DMMA = Digital Media & Marketing Association). The purpose of this DNCR (= do not contact registry) was to provide a national database which can be used by marketers to pre-emptively block or tailor the marketing frequency.
Although I hold the IAB in high regard, I do not believe that providing your ID number, email address, first and last name as well as address information and phone numbers to a central database is a good idea. I have no doubt that the database is managed according to the highest security standards, but it is highly concerning (conspiracy theory?) that a central database with all your details is used for opt-out purposes for marketers. Yes, I agree that there are many responsible companies and marketers out there, but there are many more marketers out there who do not comply with the most basic aspects of marketing communication (confirmed opt-in, opt-out).
I prefer to fall back on ECTA and POPIA to deal with spam rather than providing all my personal details to some national opt-out database where I have no insight into who accesses my data and when.
Section 11 of the Consumer Protection Act, 68 of 2008
11. Right to restrict unwanted direct marketing
(1) The right of every person to privacy includes the right to –
a) refuse to accept;
b) require another person to discontinue; or
c) in the case of an approach other than in person, to pre-emptively block,
Any approach or communication to that person, if the approach or communication is primarily for the purpose of direct marketing.
(2) To facilitate the realisation of each consumer’s right to privacy, and to enable consumers to efficiently protect themselves against the activities contemplated in subsection (1), a person who has been approached for the purpose of direct marketing may demand during or within a reasonable time after that communication that the person responsible for initiating the communication desist from initiating any further communication.
(3) The Commission may establish, or recognise as authoritative, a registry in which any person may register a pre-emptive block, either generally or for specific purposes, against any communication that is primarily for the purpose of direct marketing.
(4) A person authorising, directing or conducting any direct marketing –
a) must implement appropriate procedures to facilitate the receipt of demands contemplated in subsection (2); and
b) must not direct or permit any person associated with that activity to direct or deliver any communication for the purpose of direct marketing to a person who has –
i. made a demand contemplated in subsection (2); or
ii. registered a relevant pre-emptive block as contemplated in subsection (3).
(5) No person may charge a consumer a fee for making a demand in terms of subsection (2) or registering a pre-emptive block as contemplated in subsection (3).
(6) The Minister [Trade and Industry] may prescribe regulations for the operation of a registry contemplated in subsection (3).
The Protection of Personal Information Act (POPIA / POPI)
Important: Although POPI was signed into law in November 2013, the act is not in effect. As a start, the South African President must proclaim the act and no commencement date has been set. Once a date has been set, I am sure that there will be a transitional period / grace period (similar to what e-commerce merchants had when adopting 3D Secure) and the government would have to form an “information protection regulator/ombudsman” who deals with POPI matters.
The POPIA is, however, a significant and more robust implementation of what the ECTA was supposed to represent and will therefore completely replace large aspects of the ECTA with regard to the regulation of unsolicited communications.
Section 69 of the POPIA places significant limitations on the circumstances in which a party may engage in direct marketing by means of unsolicited communications by requiring individuals to have either consented to the use of their personal information (opt-in) or for there to be an existing relationship between the parties. An existing relationship between the parties is itself subject to additional limitations and does not result in a freedom to make repeated advances.
Notwithstanding the above, you will always be entitled to opt-out of future communications for the purpose of direct marketing.
Section 69 of the Protection of Personal Information Act, 4 of 2013
69. Direct marketing by means of unsolicited electronic communications
(1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject –
a) has given his, her or its consent to the processing; or
b) is, subject to subsection (3), a customer of the responsible party.
(2) a) A responsible party may approach a data subject –
i. whose consent is required in terms of subsection (1)(a); and
ii. who has not previously withheld such consent.
only once in order to request consent of that data subject.
b) The data subject’s consent must be requested in the prescribed manner and form.
(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)-
a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
b) for the purpose of direct marketing of the responsible party’s own similar products or services; and
c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details –
i. at the time when the information was collected; and
ii. on the occasion of each communication with the data subject for the purpose of marketing if the subject has not initially refused such use.
(4) Any communications for the purpose of direct marketing must contain –
a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
b) an address or other contact details to which the recipient may send a request that such communications cease.
(5) “Automatic calling machine”, for the purposes of subsection (1), means a machine that is able to do automated calls without human intervention.
How to deal with unsolicited messages
Trace your email origin with the e-mail alias trick
You will find that most of the spam you receive is e-mail, and it is often very difficult to trace how someone gained access to your email address (or you forgot that you subscribed to something). I deal with e-mail spam the following way:
- I use a Google Apps account which costs $5,00 per user per month but has the advantage over Gmail (or the ISP email account) that you can have your own domain name and don’t have to worry about giving up your email account if you move ISPs. Google Apps works the same way as Gmail, but you can manage your own users (wife, kids etc) and as many domains as you like. It also comes with the benefit that syncing of email, calendar, contacts works on Android and all modern phones and operating systems out of the box.
- If you don’t want to spend the $5,00 per user per month, just get a Gmail account or any email provider which allows you to use an email-alias.
The point of an email alias is that you can uniquely identify the source of the communication. Instead of using a unique email address per company (or website I sign up with), I use a unique email alias. With my Google Apps email address “[email protected]” I can use aliases and then sign up at Facebook with “[email protected]” and at Twitter with “[email protected]”. If Facebook for example sells my contact details to LinkedIn.com, I will be able to see that when a LinkedIn spam message is sent to my “[email protected]”.
The great thing about Google (and possibly Outlook.com and others) is that aliases even work with regular freemail accounts (such as Gmail) – if my email is [email protected] I can use:
- The “+” trick: [email protected], [email protected] – easy – just add a plus behind your regular email prefix and after the plus you can add any text. You can create as many aliases as you like.
- The “.” trick: This is limited to inserting dots/periods into your regular email prefix. The dots count for nothing and you can go nuts: [email protected] would be a valid alias. Or [email protected]
I prefer the “+”-trick as it gives more flexibility.
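The alias check described above can be automated. The following is an added example, not code from the original post: it undoes the “+” and “.” tricks on a message's recipient headers and compares the alias with a register of who was given it. The mailbox, the register and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_MAILBOX = "me@example.org"  # constructed placeholder mailbox
# Providers that ignore dots in the local part (the "." trick).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Register of aliases handed out: tag -> sender domains expected to use it.
ISSUED = {
    "social": {"social.example"},
    "shop": {"shop.example"},
}
# Which header carries the alias depends on the receiving system.
RCPT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")


def split_alias(address):
    """Return (base mailbox, tag) with the '+' and '.' tricks undone."""
    local, _, domain = address.strip().lower().rpartition("@")
    base, _, tag = local.partition("+")
    if domain in DOT_INSENSITIVE:
        base = base.replace(".", "")
    return f"{base}@{domain}", (tag or None)


def alias_used(msg):
    """Tag of the first recipient address that resolves to MY_MAILBOX."""
    mine = split_alias(MY_MAILBOX)[0]
    for header in RCPT_HEADERS:
        for value in msg.get_all(header, []):
            for _, addr in getaddresses([value]):
                base, tag = split_alias(addr)
                if base == mine and tag:
                    return tag
    return None


def check_message(raw):
    """Compare the alias a message was sent to with who was given it."""
    msg = message_from_string(raw)
    tag = alias_used(msg)
    # From is unauthenticated; the alias is the evidence of which signup leaked.
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if tag is None:
        verdict = "no-alias"
    elif any(sender == d or sender.endswith("." + d)
             for d in ISSUED.get(tag, ())):
        verdict = "expected"
    else:
        verdict = "alias-leaked-or-shared"
    return {"alias": tag, "sender": sender, "verdict": verdict}


# Constructed sample messages.
SAMPLE_OK = ("From: Shop <news@mail.shop.example>\n"
             "Delivered-To: me+shop@example.org\n"
             "To: newsletter@shop.example\n\nYour order has shipped.\n")
SAMPLE_LEAK = ("From: Deals <promo@bulkmailer.example>\n"
               "To: me+social@example.org\n\nSpecial offer!\n")

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_LEAK):
        print(check_message(raw))
```

The alias tag in the result is what to quote when asking the sender where they obtained your contact details.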
Fight the SMS spammers – Wireless Application Service Provider’s Association (WASPA)
SMS spam is probably the most annoying and intrusive form of spam as it lands on your personal device which you use to interact with family and friends and where you store precious memories. Although it is required by law, spammers very seldom offer a FREE opt-out option through an SMS reply mechanism. I would never reply to an SMS to opt out, as in most cases this will confirm to the spammer that you have received the SMS and in the worst case you might even respond to a premium number.
To fight SMS spam, I do the following:
- If you don’t know the sender, then go to http://smscode.co.za/ and find the sender (it helps with the next step)
- Lodge a complaint with WASPA – https://waspa.org.za/lodgeacomplaint/ (you can check your status here: http://old.waspa.org.za/unsub/status.php)
- Ensure that in the WASPA complaint you state “Do not optout / disable / blacklist my number. My complaint needs to be taken up with the SMS provider’s customer”. Some SMS spammers share the same SMS provider and if WASPA requests a DNC (do not contact) you might also be opted out from banking SMS, security alerts or other SMS notifications which are relevant.
- WASPA will normally take about 5-7 working days to respond. Sometimes they are faster. Give it time. They normally will contact the SMS provider and the SMS provider in turn will contact you.
- Sometimes the SMS provider or their customer is full of nonsense; if so, follow ECTA below
- Also highlight that if the message is a marketing message, there needs to be an opt-out. Some senders will argue that it is not marketing (if so, also follow ECTA)
Fight the ISP – Internet Service Providers Association (ISPA)
ISPA is great. They have assisted me in many cases and have a very well thought-through complaints process. ISPA should be the last resort for a complaint as it puts a significant burden on ISPA, but is sometimes a necessity:
- If a company transmitting spam does not comply with your email-request, the next step is to report it to ISPA
- Big ISPs (such as MWeb, Afrihost, VOX) are ISPA members. If you receive spam from them and are not able to resolve the issue, report them to ISPA.
- If a non-ISP transmits spam, find out via CO.ZA who their hosting provider is. Also check the mail headers to find the source of the spam (sometimes it might be Mailchimp, Everlytic or Mimecast, all of which have great abuse reporting processes)
- If a non-ISP continues sending spam and you have identified the ISP (or the spammer is an ISP), verify that the sender or the hosting company is an ISPA member.
- Familiarise yourself with the ISPA complaints process – it’s important!
- Now lodge a complaint and provide the requested details
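For the step above about checking the mail headers, here is an added example (not part of the original post) that reads the Received chain and picks out the hop where your own mail provider accepted the message from outside. That hop is written by your provider and is the one to quote in an abuse report, while anything below it was written by the sending side and cannot be trusted. The provider suffix, hostnames and documentation-range IP addresses are constructed.

```python
import re
from email import message_from_string

# Hosts under this suffix are run by my own mail provider (assumption).
TRUSTED_SUFFIXES = (".myprovider.example",)

# "from <helo> (<rdns> [<ip>]) ... by <host>"; IPv4 only in this sketch.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.I | re.S)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def hops(raw):
    """Received hops, newest first, as dicts with from/ip/by."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue
        ip = IPV4.search(m.group("paren") or "")
        out.append({"from": m.group("helo").lower(),
                    "ip": ip.group(1) if ip else None,
                    "by": m.group("by").lower().rstrip(";")})
    return out


def handover_hop(raw):
    """Newest hop where my provider received the mail from an outside host."""
    for hop in hops(raw):
        if (hop["by"].endswith(TRUSTED_SUFFIXES)
                and not hop["from"].endswith(TRUSTED_SUFFIXES)):
            return hop
    return None


# Constructed sample headers (192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are reserved documentation ranges).
SAMPLE = """\
Received: from mx2.myprovider.example (mx2.myprovider.example [192.0.2.10])
 by store.myprovider.example with LMTP; Mon, 1 Jan 2024 10:00:02 +0200
Received: from out7.bulkmailer.example (out7.bulkmailer.example [198.51.100.25])
 by mx2.myprovider.example with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0200
Received: from webserver (unknown [203.0.113.77])
 by out7.bulkmailer.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0200
From: Deals <promo@bulkmailer.example>
To: me+social@example.org
Subject: Special offer

Buy now
"""

if __name__ == "__main__":
    print(handover_hop(SAMPLE))
```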
Protect your rights via the Promotion of Access to Information Act (PAIA)
The Promotion of Access to Information Act, 2000 (or PAIA; Act No. 2 of 2000) is a freedom of information-law in South Africa. It gives effect to the constitutional right of access to any information held by the State, and any information held by private bodies that is required for the exercise and protection of any rights. The Act is enforced by the South African Human Rights Commission (SAHRC). If this sounds too complex, in short: PAIA supports your Bill of Rights as laid out in the South African Constitution – you should read it, it is a very advanced construct to protect our freedom in so many ways.
In cases where you feel that your basic rights have been infringed you can exercise a PAIA-request via a “Form C Private Body Request Access Form” which requires you to request information held by the state or a company for the exercise and protection of your rights.
I will address PAIA in a separate post, but the following is relevant in the meantime:
- Anyone can serve a PAIA request to any company as long as valid reasons for access are provided
- The respondent has 30 days to respond to the PAIA request (either accepting the request or refusing it)
- Refusal of a PAIA request must be accompanied by a reason
- Responding to a PAIA request typically incurs a charge (admin fee, cost of media / paper / storage to prepare information) and sometimes fees are waived
- The only appeals process is via the SAHRC
Finally, section 51 of PAIA makes it compulsory for the head of every private body to compile a manual and to make the manual available as prescribed in section 51(3) – this is typically done via a link on a company website, or the manual can be requested from the head of a private body. You will notice that many companies do not have links to their PAIA manual and the majority do not even have a basic understanding of how it works.
Responding to Spam
Thanks to internet.org.za, find below a generic template which can be used to address unsolicited messages of any kind (both email and SMS):
Dear Sirs,
On [insert date here], I received the following message from you:
[insert message here]
As the above is an approach for the purpose of direct marketing which relies upon personal information which I did not provide to you, your message constitutes an unsolicited communication in terms of section 45 of the Electronic Communications and Transactions Act (Act 25 of 2002)(ECTA), as read with section 11 of the Consumer Protection Act (Act 68 of 2008)(CPA) or alternatively, as the case may be, Section 69 of the Protection of Personal Information Act (Act 4 of 2013)(POPIA).
In terms of the acts listed above, this message serves as a notification that I do not wish to receive any further communications from you or your agents. Kindly confirm that you will discontinue all future communication in this regard.
Please note that a failure to comply with this request constitutes a criminal offense in terms of section 45 of the ECTA and that the continued receipt of unsolicited communications may lead to prosecution.
Additionally, I hereby request that you immediately disclose where you obtained my contact details, as per section 45(1) of the ECTA and/or section 22(1) of the POPIA. Failure to respond to this request may also constitute a criminal offense.
[Optional: If the message did not include an opt-out] I note that your original message did not provide me with an option to cancel my subscription to your mailing list, as required by section 45(1) of the ECTA and/or section 69(4) of the POPIA. This means that you may already have committed an offense in terms of the respective Acts and may be subject to prosecution.
Should you wish to familiarise yourself with the relevant legislation, or check my facts, copies of the ECTA, CPA and POPIA are available on-line via the Government's web site and can be found here:
- http://www.gov.za/sites/www.gov.za/files/37536_Act1of2014ElecCommAmend7Apr2014.pdf
- http://www.gov.za/sites/www.gov.za/files/32186_467_0.pdf
- http://www.gov.za/sites/www.gov.za/files/37067_26-11_Act4of2013ProtectionOfPersonalInfor_correct.pdf
Your urgent co-operation in this regard would be appreciated.