Blog

Business SMS in South Africa: POPIA, WASPA, and the One-Approach Rule

Written by Insights by Telerivet | Mar 16, 2026

The Information Regulator of South Africa has been explicit about what changed in 2024. For the first five years after POPIA came into force, the regulator's approach was education. That phase is over. In February 2024, the regulator issued its first enforcement notice for a direct marketing violation under POPIA. In December 2024, it published a Guidance Note spelling out exactly what Section 69 requires. In April 2025, it amended the POPIA Regulations to simplify how data subjects can object to marketing and request deletion of their data. The signal across all three actions is the same: enforcement has begun.

Business SMS in South Africa is governed by POPIA Section 69, which prohibits marketing by electronic means including SMS unless the recipient has given explicit prior consent or is an existing customer under specific conditions. For non-customers, you are permitted exactly one unsolicited approach to request consent. Unless the individual later provides consent through another lawful interaction, you should not make further unsolicited electronic marketing approaches. The WASPA Code of Conduct adds industry-level obligations on top of the statutory framework, including a Do Not Contact list, time restrictions that prohibit marketing SMS on Sundays and public holidays, and a 24-hour opt-out processing window.

This is not the same compliance structure as Nigeria or Ghana, where the primary challenge is sender ID registration and DND filtering at the carrier level. South Africa's framework places the legal burden almost entirely on the sending organization's consent management and record-keeping. The carrier infrastructure does not stop you from sending a message without valid consent. The Information Regulator does.

POPIA Section 69: the statutory framework for SMS marketing

The Protection of Personal Information Act came into full force on 1 July 2021 after a one-year grace period. Section 69 is the provision that specifically regulates direct marketing by electronic means, and its requirements for SMS are explicit and strict.

For non-customers: you can only contact a data subject by electronic means once to request consent to send them marketing communications. If that person withholds consent or does not respond, you should not make further unsolicited electronic marketing approaches unless they later provide consent through another lawful interaction. There is no waiting period after which you can simply try again, and there is no workaround through a different number or sender name.

For existing customers: a limited exception applies. You can send marketing SMS to an existing customer without fresh consent if three conditions are all met. You obtained their contact details in the context of a sale or service relationship. The marketing relates to your own similar products or services, not third-party offerings and not a different product category. And you gave the customer a clear opportunity to opt out when you collected their details, and you give them the same opportunity in every subsequent marketing message.

The Information Regulator's December 2024 Guidance Note makes clear that legitimate interests, which can justify some forms of non-electronic marketing under Section 11 of POPIA, are not an appropriate basis for electronic direct marketing such as SMS to non-customers under Section 69. Consent is the required basis for non-customers. The existing customer exception is the only alternative, and it is narrow.

Penalties for violation of Section 69 can reach R10 million or imprisonment for up to ten years, or both. The February 2024 enforcement notice against FT Rams Consulting, a training institution that continued sending marketing messages after a data subject had opted out multiple times, resulted in an order to immediately cease all unsolicited communications and implement a compliant consent management program. The Information Regulator has made clear that this type of case is now a threshold for enforcement rather than an occasion for further education.

WASPA: the industry layer and why it matters separately

The Wireless Application Service Providers' Association operates a Code of Conduct that applies to WASPA members and their clients. WASPA is an industry self-regulatory body, but its code carries practical enforcement weight through a consumer complaints mechanism that operates independently of the Information Regulator. Most bulk SMS providers in South Africa are WASPA members, which means their clients are also subject to the code through their service agreements.

The WASPA Code adds obligations that POPIA does not specify, including the most operationally specific sending restriction in the South African market. Direct marketing SMS cannot be sent on Sundays or South African public holidays, unless the individual recipient has expressly agreed to receive communications at those times. This parallels the Sunday restriction in Ghana, but applies to public holidays as well, and South Africa has a significant number of statutory public holidays. A campaign scheduled to run across a long weekend will reach subscribers on Friday and Saturday but must stop on Sunday and may need to pause again on Monday if it falls on a public holiday.

WASPA also operates a Do Not Contact list that is separate from the Consumer Protection Act's National Opt-Out Register maintained by DMASA. WASPA members are required to check the WASPA DNC List weekly and block registered numbers from receiving direct marketing SMS sent through the platform. Both lists need to be checked. They are not the same register and they are not automatically synchronized.

On opt-out mechanics: STOP, END, CANCEL, UNSUBSCRIBE, and QUIT are all required to be honored as opt-out keywords. The WASPA Code requires a confirmation message acknowledging the opt-out when someone exercises it. The opt-out must be processed within 24 hours. These are operational requirements, not aspirational best practices. Sending a further marketing message to someone who has opted out within the 24-hour window or failing to send the confirmation message are both WASPA Code violations that can result in consumer complaints and sanctions.

Consent records must be kept for at least three years in accordance with the Code. If the Information Regulator or WASPA asks how and when a recipient consented, you need to be able to answer with documentation.

Good records matter as much as good consent. South Africa's enforcement model assumes organizations will be able to demonstrate how consent was obtained, when an opt-out was received, when it was processed, and which suppression lists were checked before a campaign was sent. If those records cannot be produced, it becomes much harder to demonstrate compliance after a complaint, even if the original marketing program was well intentioned. The question an investigator asks is not only whether you had consent, but whether you can show it.

ECTA and the CPA: the broader regulatory context

POPIA and WASPA sit alongside two older pieces of legislation that also touch business SMS. The Electronic Communications and Transactions Act of 2002 established early requirements around unsolicited electronic communications, including a mandatory opt-out and identification in every commercial message. The Consumer Protection Act of 2008 established the National Consumer Opt-Out Registry, now administered by DMASA, which allows individuals to preemptively block direct marketing contact across channels.

POPIA supersedes some of the ECTA framework for data-related obligations but does not replace it entirely. Practically, organizations running SMS programs in South Africa need to be aware of all three layers. ECTA for the baseline electronic communications rules. CPA and the National Opt-Out Registry for consumer protection. POPIA for the data processing and consent framework. WASPA for the industry operating standards.

The intersection of these frameworks is where most compliance gaps appear. An organization that has valid POPIA consent but has not checked the WASPA DNC List is still exposed. An organization that checks the DNC List but has not retained consent records for three years cannot demonstrate compliance under POPIA if questioned. Compliance in South Africa is not satisfied by any single layer.

Sender ID in South Africa

South Africa does not operate a mandatory national sender ID register equivalent to Australia's ACMA system. Alphanumeric sender IDs are available and widely used for business SMS, but registration is handled through your SMS provider and coordinated with the major carriers: Vodacom, MTN, and Cell C. International long codes are treated differently by some carriers and may be blocked or flagged as international traffic, which affects deliverability for programs routing from outside the country.

The more significant deliverability consideration in South Africa is carrier classification of traffic. MTN, Vodacom, and Cell C each maintain their own standards for how A2P traffic is routed and filtered. Direct carrier connections through your provider rather than indirect routing deliver more reliably and provide genuine delivery receipts rather than gateway-generated confirmations. The same grey route risk that affects other African markets applies in South Africa, and given the Information Regulator's increasing attention to marketing compliance, having accurate delivery reporting matters more than in markets with lower enforcement activity.

How South Africa compares to other markets in this cluster

South Africa's compliance framework is structurally different from Nigeria, Ghana, and Tanzania in one important way: the statutory burden falls almost entirely on the sending organization rather than on carrier-level enforcement mechanisms.

Nigeria's DND system filters messages at the network level for registered DND numbers. Ghana's NCA framework restricts sending hours through carrier-enforced rules. South Africa's Information Regulator enforces POPIA through investigations and enforcement notices after the fact, triggered by complaints from data subjects or proactive regulatory action. The message is not blocked at delivery. The organization is held accountable after it is sent.

That places a heavier weight on internal processes: consent management systems, suppression lists, record-keeping, and opt-out workflows. For organizations already operating programs in high-enforcement markets like Australia, the compliance architecture transfers directly. The underlying discipline of consent-at-collection, documented suppression, and automated opt-out processing is the same. The penalties and the enforcement posture are comparable.

BYOC architecture is relevant in South Africa for the same reason it matters everywhere with active enforcement: your consent records, suppression lists, and program logic should not be dependent on a single connectivity provider's system. A compliance program built on properly documented consent records that travel with the organization is significantly more defensible than one where those records are effectively held hostage to a carrier or platform relationship. Twilio and Vonage both carry South African routes. Provider flexibility means route flexibility if delivery quality or pricing shifts.

Frequently asked questions

How many times can I contact a non-customer to ask for consent under POPIA? Once. Section 69 of POPIA permits a single unsolicited approach to request consent to send marketing communications. If the data subject withholds consent or does not respond, you should not make further unsolicited electronic marketing approaches unless they later provide consent through another lawful interaction. There is no waiting period and no workaround through a different sender name or number.

Can I send SMS to existing customers in South Africa without fresh consent? Yes, under specific conditions. You must have obtained their contact details in the context of a sale or service relationship. The marketing must relate to your own similar products or services only. And you must have given them a clear opt-out opportunity when you collected their details, and include an opt-out in every subsequent marketing message. All three conditions must be met simultaneously.

Are there restricted times for marketing SMS in South Africa? Yes. Under the WASPA Code of Conduct, direct marketing SMS cannot be sent on Sundays or South African public holidays, unless the recipient has explicitly agreed to receive communications at those times. There are also general sending hour expectations from WASPA and POPIA's broader requirement to respect data subject rights, which includes not messaging at antisocial hours.

What is the WASPA DNC List and is it the same as the National Opt-Out Register? No, they are separate. The WASPA Do Not Contact List is maintained by WASPA and must be checked weekly by WASPA members to block registered numbers from receiving marketing SMS sent through their platforms. The National Opt-Out Register is maintained by DMASA under the Consumer Protection Act and operates across communication channels. Both need to be checked. They are not automatically synchronized.

Does POPIA apply to organizations based outside South Africa that send SMS to South African recipients? POPIA can apply to organizations processing the personal information of South African data subjects even where elements of the processing occur outside South Africa, depending on the circumstances covered by the Act. Phone numbers are personal information. If you send marketing SMS to South African recipients, the Information Regulator can investigate and take enforcement action.

This article provides general operational information and should not be considered legal advice. Organizations should consult qualified legal or data protection professionals regarding their specific compliance obligations under South African law.

Talk to our team about building a SMS program for your South African operation: