The Protection of Personal Information Act, 4 of 2013 (POPIA) comes into effect today, 1 July 2021.
Consumers and legitimate businesses should welcome the next stage in the implementation of a law to better protect your privacy and to allow legitimate businesses to engage with you on a basis that will make doing business better.
It was first enacted in 2013 with the last of the provisions coming into effect from 1 July 2021. While it will be in force it does not mean that everything will enforced right away as the Information Regulator that oversees the compliance may not be in a position to begin responding to transgressions right away and everyone acknowledges that there is a lot to get done and so many of the lapses will not be intentional or nefarious.
Why do we need it?
The earliest collections of personal information would have been census polls to help nations determine how many people lived in the state. From members of a family, to the residents of a town to the entire kingdom and even the empire if the state included conquered territories.
There was not much need to know the individuals just the numbers, their age and possibly occupation and gender.
In the last century, businesses would have wanted to know more about who they could sell their products to. Advertising would be most effective when directed at people who could both use and want to use your product. The cost to reach them would be offset by increase in sales.
Newspapers were the first to see the value of a model to supplement the cost of the publication with ads from businesses that would like to reach the readers of a particular newspaper. The level of information about the readers would effectively be that they lived in a particular location and had the means to buy and read the paper in question.
Besides business ads, personal ads could also be bought to announce significant events like births, deaths and marriage. You could also buy small ads listing items you had for sale.
As newspapers grew the kind of ads changed too. National newspapers would typically runs ads from companies that were available nationwide, local papers would be favoured for smaller companies that only served one City.
With the introduction of radio, there was a period when no-one knew how to make money from the near instant audio medium. Some of the first large corporate broadcasters were also telephone companies that opted to sell airtime like phone calls, by the minute.
Once again stations with big broadcast areas would cost more and be used by larger advertisers that sold products everywhere, while smaller stations would feature the local businesses.
The model was used again when TV came along and the advertising industry had come of age with many channels and location and audiences to choose from to ensure the greatest return on the money they spent on ads.
The world wide web was supposed to add another layer, instead it brought about the most significant disruption the media and advertising industry had ever experienced, the effects are still being felt and the final configuration is still to be seen.
The attention economy
Print and magazines had physical presence and could be read by multiple people but typically needed to be regularly replaced.
Radio was instant with rich sound to transport you to where the news was happening or create a concert or play in your home, but it was gone just as soon as it arrived. There was no pause or record, instead everything needed to be repeated often.
TV offered images and sound and typically had a very big broadcast area. Initially it also had to rely on repeats to ensure content would be seen or scheduling to put the best content on when people were most likely able to watch.
This is all history, but when the web was still in its infancy, few saw the potential of how it could do everything that print, broadcast and TV could do, but it could be permanent, on demand, local and global all at the same time.
Advertisers saw this as the great way to not only be able to reach everyone, but as it promised you could tell who you were reaching it would be much more effective and much cheaper too.
The first casualty was newspaper classifieds. Websites offering free listings attracted huge audiences and thousands of ads, to make money the site operators would allow you to pay for a bigger ad or one that displayed more prominently.
Not many in the media industry seemed too concerned, smart media owners started building an online presence and slowly began building their content offering online. First to grow the small market with vague plans on how to make as much money online as they did with the traditional mediums.
Search engines, blogs and social media all looked like only minor threats to traditional media companies even as online media began to start learning a lot more about their audience.
Facebook was not the first or only social media, but it did do something that at the time was genius even though it was the spark that lit the online privacy issue.
Most online spaces operated with usernames chosen by the users and then offered you access to people who shared your interests, back then they were typically academic or technical.
Facebook first asked university students and then anyone what their actual name was. They asked where they were studying and where they went to school and who their partners and family were. As more people signed up, Facebook was able to connect them online. Many that you had lost contact with like former colleagues, team mates and school friends.
Initially it seemed like magic that this free service somehow knew who all your friends were and gave you easy ways to say hi and share what you were up to.
It was so popular that many businesses would block Facebook for the amount of time staff would spend on it.
Facebook had built the perfect attention tool using content that its users created. Next it needed a way to make money and that was of course advertising. But because Facebook knew so much about you, advertisers could be very specific about who would see their ads and only have to pay for the ones that were actually seen.
At this point media companies realised the game was changing and their businesses were at risk.
It was not only Facebook, Google’s search engine could find what you were looking for and if that was for a product or service, advertisers could pay to be included in the results.
Data mining and manipulation
In 2007 Apple introduced the iPhone, the web was now in your hand and everywhere you were. Anything you did on your phone could be tracked and we did everything on our phones and the default was to make everything public.
An early YouTube video showed that by turning on the location for posts, you could find users around you. If they had posted recently you could find them still there. In the video the person looks back at previous posts and then introduces himself, mentioning the details of the previous posts. The users’ surprise turns to unease as the stranger tells them about some quite private events in their lives. Once explained that the information was public, the users almost all undertake to change their settings afterwards.
As users did wise up to limiting who else had access they continued to share everything with the likes of Google and Facebook and advertisers could buy that.
South Africa first recognised that personal information required protection in 2009 but did not have much in place to prevent multinational companies from using personal data because at the time, the issue was mobile number abuse and a growing issue with email spam and sms scams.
By 2016, the pushback had started in earnest but not before one of the most audacious and naïve lapses by Facebook to allow political parties and even governments to buy ads targeted at specific communities to sway public opinion.
It is hard to say that Brexit and the election of Donald Trump are thanks to Facebook allowing their users to be manipulated for ad revenue, but the risk was real and something was needed to limit it.
A light at the end of the tunnel
The EU was first to implement the General Data Protection Regulations in 2018 that required companies to take responsibility and accountability of what data they collected and how they used it. Users need to give full consent before data could be used or they could be contacted.
South Africa updated the 2009 regulations in 2013 with more regulations relating to various parts about how data is gathered, used, stored and sold added over the years. The next big roll-out is now and it follows the EU guidelines quite closely.
Express permission must be given to contact consumers so no more unsolicited communication. Hacks might still happen, but besides the data breach and embarrassment, there are now also legal consequences which include big fines and even jail time.
Cookies are the next piece of the web that while perfectly useful and for the most part harmless have been used to follow our every move and subject us to ads that while targeted can have the same effect as that YouTuber pretending to know you.
Initially they tracked what you had done on a website to save on time and server loads. When you see something on a website you want to buy, the click to add it to your cart is stored in a cookie, but so are all the other items you looked at. When you next return they might show them again or offer a discount.
Site publishers would like to know how much time a user spent on the site, what they looked at and how often they returned. This is done via a cookie.
But now you also get cookies that can track you from one site to the next, comparing what you did on social media with what you did on the web. Know not just what you searched for but when you might need it again and even know what you might need the next time you are in a specific place.
On the face of it, it can be very helpful. An alert to let you know there is a clothing sale on at a shop you like that is near you based on your recent search for certain items at that shop online could be great, but if you were not aware all that info was being collected and used and not so subtly trying to get you to act on it thanks to payments from advertisers, it is not so good. The move is slowly moving away from the most intrusive versions and in time should at least be better understood if not always welcome.
For many businesses there will need to be significant effort to become compliant, but in the medium term an easy way for users to find service providers would be to check they are compliant and to simply reject anyone that is not.
Pandora’s box has been opened and we will never return to that innocent anonymous age, but if hope was all that was left in the box, here is hoping that POPI while hated by some, a complete head scratcher to many and a sea of pop-ups clicked and not sufficiently read will still give us a level of protection we have not had online before.