SA’s New Spam Law: The Double Compliance Burden for Businesses - Labournet

By Samantha Walker 

South Africans received approximately 30 billion spam or scam calls last year. That works out to roughly 236 unwanted calls per cellphone. For consumers, it has become a daily irritation; for regulators, it became an obligation to act.

On 15 April 2026, Minister Parks Tau gazetted amendments to Regulation 4 under Section 11(3) of the Consumer Protection Act (CPA). These regulations are now in force with the impact on businesses being significant. And the stakes are much higher than the prospect that a R1 million fine suggests.

Three Obligations to Heed

The amendments operationalise a provision in the CPA that has been dormant for years. In practical terms, three things have changed:

1. The National Opt-Out Registry: The National Consumer Commission (NCC) now administers a formal National Opt-Out Registry. Any consumer can register a pre-emptive block, meaning that a single registration with the NCC legally prohibits all registered direct marketers from contacting that person.

2. 
   

For businesses, the implication is immediate: If someone on your contact list is registered, contacting them breaches the CPA.

2. Mandatory marketer registration and monthly cleansing:

   Any person or business conducting direct marketing to South African consumers must now register with the NCC. There is an initial registration fee of R2,574 in 2026, which will rise incrementally to R2,979.73 by 2029. Annual renewal starts at R1,930.50.

   
   

Beyond registration, businesses are required to cleanse their marketing databases monthly against the NCC registry. A cleansing fee of 12 cents per data record applies in 2026, rising to 18 cents by 2029.

Consumer and direct marketer registration is expected to open in July 2026, with the NCC to provide further operational guidance.

3. Penalties with real teeth: Non-compliance carries a fine of up to R1 million or 10% of annual turnover, whichever is greater. The CPA penalty framework therefore scales with the size of the offender. Marketers with large, unverified contact lists face the highest exposure.

   
   

The First-Call Loophole and Its Closure

For years, the Protection of Personal Information Act (POPIA) was positioned as the primary framework regulating direct marketing, and for years, telemarketers exploited a gap. Section 69 of POPIA restricts unsolicited electronic communications for direct marketing purposes, but it was widely interpreted as permitting one initial call to seek consent. That first call became a standard industry practice: Call first, ask for permission second.

The Information Regulator subsequently issued a guidance note confirming that telephone calls constitute electronic communications under POPIA, given the shift from analogue to VoIP technology. That guidance closed the interpretation loophole while the CPA amendments have closed the practical one.

Combined, there is now no lawful basis for an unsolicited call or message to a person who has registered a pre-emptive block or who has not consented, regardless of whether it is framed as a consent-seeking exercise.

The Dual Compliance Blind Spot

Understanding the scale of the problem is one thing, but understanding what it demands of your business is another.

It is critical to note that the CPA Amendment Regulations do not replace POPIA’s direct marketing provisions, but rather sit alongside them. Businesses now face overlapping obligations under two separate pieces of legislation, administered by two different regulators:

• The NCC enforces the CPA.

• The Information Regulator enforces POPIA.

  
  

This means that you cannot satisfy one framework and assume that you have satisfied the other. The tests are different, the enforcement bodies are different, and the remedies available to affected consumers are different.

Under POPIA, you need prior consent before sending electronic direct marketing to non-customers. Under the CPA, you additionally need to be registered with the NCC and have cleansed your database against the opt-out registry. Satisfying the POPIA consent requirement does not exempt you from the NCC cleansing obligation, and vice versa.

Businesses that invested in POPIA compliance over the past few years and assumed that they were covered for direct marketing purposes need to revisit that assumption urgently.

Immediate Priorities

Right now, every business needs to:

• Conduct an immediate audit of all direct marketing activities, including SMS campaigns, WhatsApp broadcasts, email newsletters, and outbound calling programmes.

• Identify whether those activities constitute “direct marketing” under both the CPA and POPIA definitions, which are not identical.

• Review existing consent records to determine whether they are adequate under POPIA and whether they were they obtained and documented correctly.

• Prepare for NCC registration – a process which is expected to open in July 2026.

• Build monthly database cleansing into your marketing operations schedule as a recurring compliance obligation.

• Ensure that your marketing agency or third-party service providers are aware of both frameworks. Regulatory risk does not transfer to your vendor. It stays with you.

  
  

Consequences Beyond a Penalty

The fine gets attention, but the longer-term commercial consequence is what businesses tend to underestimate. A breach on record has a way of appearing during a tender process, a credit application, or an institutional procurement review where good regulatory standing is expected before the relationship can progress.

A business under investigation by the NCC or the Information Regulator for direct marketing violations is a business with a visible compliance gap. In environments where reputational risk is priced, that has real consequences.

Regulatory environments do not become less demanding over time. The businesses that treat this moment as an opportunity to build something solid, rather than as a problem to manage, will be better placed for whatever comes next.