Direct marketing consent in South African corporate restructures
When a corporate restructure or acquisition closes, the acquiring entity typically inherits various commercial assets: customer contracts, supplier relationships, intellectual property and – increasingly – marketing databases. These databases are built over years and represent significant commercial value. Yet a question that is often missed in the transaction is whether the customer’s consent to receive direct marketing travels with the database to the new legal entity.
This question, which remains untested in South African courts, deserves closer attention from M&A practitioners, particularly as the Information Regulator continues to mature in its enforcement posture.
The legislative framework
Section 69 of the Protection of Personal Information Act, 2013 (POPIA) governs direct marketing by means of unsolicited electronic communications: a responsible party may only engage in direct marketing by electronic means if the data subject has given consent (i.e. opt-in consent). There is a limited exception for existing customers, but even that exception is tethered to the responsible party that originally collected the personal information in the context of a sale.
The POPIA Regulations elaborate on the mechanisms through which consent must be obtained and recorded. Notably, Form 4 of the Regulations requires that opt-in consent wording identify the responsible party by name, linking the data subject’s consent to a specific legal entity. Neither POPIA nor the Regulations address the question of whether consent given to one responsible party may be relied upon by a successor entity following a corporate restructure.
The nature of the transaction matters
The answer to the transferability question is not uniform. It depends on the nature of the transaction.
In a share sale, the legal entity that holds the marketing database does not change. The target company remains the responsible party, and customers’ consent – given to that entity – is undisturbed. The change in ultimate ownership at the shareholder level does not, without more, alter the identity of the entity with which the customer has a direct marketing relationship. Share sales, therefore, present the lowest risk from a consent-transfer perspective, provided the target company continues to trade under its existing name and identity.
The position is materially different in a business transfer or asset sale. Here, the marketing database is transferred from the selling entity to the acquiring entity, i.e. a distinct legal person. The customer consented to receive marketing from Entity A; it is now Entity B that wishes to send the communication. Even if the business operations are materially identical (same brand, same products, same customer experience), the legal identity of the responsible party has changed. It is, at least, arguable on a strict interpretation of the Regulations that consent given to Entity A does not automatically extend to Entity B.
The conservative approach
The most legally defensible approach is to treat existing consents as non-transferable and to conduct a fresh opt-in campaign before the acquiring entity engages in any direct marketing. This eliminates regulatory risk and ensures full compliance with the letter of section 69.
The practical difficulty is obvious. Re-consent campaigns are expensive, operationally burdensome and, critically, tend to yield low response rates. A marketing database of considerable commercial value can be reduced to a fraction of its size overnight. For many acquirers, particularly those who have priced the transaction on the assumption that the database is a usable asset, this outcome is commercially unpalatable.
A risk-based alternative
A more pragmatic approach, which carries a degree of regulatory risk but may be defensible in the right circumstances, involves a risk-based assessment coupled with enhanced transparency measures.
This approach may be supportable where the original consent wording is sufficiently broad to encompass successors or affiliated entities; where the nature of the business relationship remains unchanged from the customer’s perspective; where customers are clearly and proactively informed of the restructure and the change in the legal entity responsible for their data; where customers are given a prominent and accessible opportunity to opt out of marketing from the new entity at the point of notification; and where opt-out preferences are diligently honoured.
Acquirers adopting this approach should ensure that all post-restructure communications clearly identify the new entity as the responsible party, and should document their rationale in a personal information impact assessment. Monitoring for complaints and regulatory action is essential, and marketing to any data subject who objects must cease immediately.
Practical recommendations for dealmakers
M&A practitioners would be well served to address this issue early in the transaction lifecycle. During due diligence, the scope and wording of existing marketing consents should be reviewed with care. The commercial value of the marketing database should be assessed against the cost of a re-consent campaign, and consideration should be given to whether a phased approach offers a workable middle path (for instance, prioritising re-consent for high-value customer segments).
The transaction structure itself may also be relevant. Where the marketing database is a material asset, a share sale may present fewer complications than a business transfer, and this factor ought to feature in structuring discussions.
Until the South African courts or the Information Regulator provide definitive guidance, the transferability of direct marketing consent will remain a question of risk appetite rather than legal certainty. The prudent dealmaker will plan accordingly.
Priyanka Raath is an Executive in Technology, Media and Telecommunications | ENS

This article first appeared in DealMakers, SA’s quarterly M&A publication.

