Compliance with the protection of personal information act and consumer privacy expectations: A comparison between the retail and medical aid industry

2017 
The Protection of Personal Information Act of 2013 (POPIA) regulates the processing of personal information in South Africa and also includes provisions for the use of personal information for the purposes of direct marketing. While it is anticipated that the law will commence in the near future, many organizations are still in the process of implementing measures to comply with POPIA. The objective of this research was to establish if the retail and medical aid industries comply with certain conditions of POPIA and specifically the opt-in and opt-out preferences for direct marketing. Other aspects, such as the secure processing of personal information, availability of a privacy policy on websites and possible data leakage with third parties, were also investigated. A case study research design was followed where personal information was deposited on websites in the retail and medical aid industries. The data indicates that preferences for direct marketing were not honored and that personal information was shared with third parties, especially in the retail industry. The majority of the medical aid companies included in the sample did not have secure websites or a privacy policy on their website. In order to maintain consumer trust and to comply with regulatory requirements, organizations in South Africa should ensure that they implement the necessary processes and technology to process information in a lawful and secure manner at all times.