
SOUTH AFRICA COMPLIANCE MATRIX
Columns: MMA Category | MMA | WASPA | DMMA | DMASA | CPA | POPI | ECTA
Category: “Notice”
Notice is an easily understandable and quickly discoverable description of the terms and conditions of a marketing programme. Notice should include information sufficient to permit a user to make an informed decision about his/her choices on how that information is used for that marketing programme. Marketers must inform the user of both the marketers’ identity or products and services offered and the key terms and conditions that govern an interaction between the marketer and the user’s mobile device. Members must have honest and fair dealings with their customers. In particular, pricing information for services must be clearly and accurately conveyed to customers and potential customers. Members must make the terms and conditions of any of their services available to customers and potential customers, on request (4.1). Members must not misrepresent themselves and must ensure transparency in their dealings with their customers (6.1). Members shall abide by the consumer protection provisions of the ECT Act including the publication of specific information such as contact details. Pricing information must be clearly and accurately conveyed to customers. Ensure that all advertising and promotional documentation are fair and reasonable and do not mislead (8). Marketers must not misrepresent a product, service or marketing programme and must not mislead by statement or manner of demonstration or comparison. Audio-visual portrayal must accurately and fairly describe the product or service offered. Ensure that the general impression of the communication does not deceive by omission or commission. Marketing communications must be executed in a manner that is simple and easy to understand (9).
Before concluding an agreement or transaction, a supplier must disclose the following information to a consumer, in an appropriate manner, having regard to the manner in which the supplier and consumer communicate in concluding the transaction… (S33). Have regard for the consumer’s right to information in plain and understandable language (S22). Any communication for the purpose of direct marketing must contain details of the identity of the sender or the person on whose behalf the communication has been sent; as well as contact details to which the recipient may send a request that such communications cease (S66). A supplier offering goods or services for sale, for hire or for exchange by way of an electronic transaction must make the following information available to consumers… (list) including a sufficient description of the main characteristics of the goods or services offered by that supplier to enable a consumer to make an informed decision on the proposed electronic transaction (S43).

SOUTH AFRICA COMPLIANCE MATRIX
Columns: MMA Category | MMA | WASPA | DMMA | DMASA | CPA | POPI | ECTA
Category: “Choice & Consent”
Mobile marketers respect the right of the user to control which mobile messages they receive. Obtain consent by means of an explicit opt-in from the user by a recognized and legitimate method. Implement consent for each programme. Similarly, implement an easy-to-use opt-out process to allow users to stop receiving messages. Explanations of how to opt out must be provided frequently. Customers may not automatically be subscribed to a subscription service without specifically opting in to that service (11.2). Any message originator must have a facility to allow the recipient to remove him/herself from a direct marketing database, so as not to receive any further marketing messages (5.1). - Recognizing that a consumer can opt-out of receiving marketing communications at any time, marketers must present consumers, including current customers, an easy-to-see, easy-to-understand and easy-to-execute opportunity to decline further marketing, use of their name or other information at least once every three years (10.4). - The processing of personal information of a data subject for the purpose of direct marketing by means of automatic calling machines, facsimile machines, SMSs or electronic mail is prohibited unless the data subject has given his, her or its consent to the processing (S66). Any person who sends unsolicited commercial communications to consumers must provide the consumer with the option to cancel his or her subscription to the mailing list (S45). You must have express written permission for the collection, collation, processing or disclosure of someone’s personal information (S51).

SOUTH AFRICA COMPLIANCE MATRIX
Columns: MMA Category | MMA | WASPA | DMMA | DMASA | CPA | POPI | ECTA
Category: “Customization & Constraint”
Ensure that mobile marketing reflects broad customer expectations. User information collected should be used to tailor marketing to the appropriate interests of the user. Take reasonable steps to ensure that user information is handled responsibly, sensitively and in compliance with law. Target and limit mobile messages to that which the users have requested and that would provide value. Value may be delivered in product and service enhancements, reminders, sweepstakes, contests, information, entertainment or discounts. Members must have honest and fair dealings with their customers. In particular, pricing information for services must be clearly and accurately conveyed to customers and potential customers (4). DMMA members must provide relevant and effective digital marketing channels, solutions and services to the South African marketplace. Members must not misrepresent themselves and must ensure transparency in their dealings with their customers. Act fairly, reasonably, professionally and in good faith (6). Communication with potential customers should be factual, honest, decent and informative, and should not violate any of the laws of the country. Collection of personal information shall be limited to that which is necessary, adequate, relevant and not excessive (10). Marketers must promote responsible and transparent personal information management practices (8.1). Refer to Part E of the CPA (Sections 29 to 39) regarding the consumer’s right to fair and responsible marketing, including: General standards; Bait marketing; Negative option marketing; Direct marketing; Catalogue marketing; Trade coupons; Customer loyalty; Promotional competitions; Alternative work schemes; Referral selling etc.
Personal information may only be processed if a data subject consents to the processing; processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party etc. (S10). -

SOUTH AFRICA COMPLIANCE MATRIX
Columns: MMA Category | MMA | WASPA | DMMA | DMASA | CPA | POPI | ECTA
Category: “Security”
Mobile marketers must implement reasonable technical, administrative and physical procedures to protect user information collected in connection with mobile marketing programmes from unauthorized use, alteration, disclosure, distribution or access. Members must respect the constitutional right of consumers to personal privacy and privacy of communications; and must respect the confidentiality of customers' personal information and will not sell or distribute such information to any other party without the explicit consent of the customer, except where required to do so by law (4.2). Members must take reasonable measures to prevent unauthorised or unlawful access to, interception of, or interference with data as contained in the ECT Act (6.1). Members shall respect a customer’s right of privacy and privacy of communications. Members shall make reasonable efforts to ensure that their web site is secure and that customer’s private and personal information is secure (7.3). Personal information shall be protected by security safeguards appropriate to the sensitivity of the information and integrity of personal information (10). The DMA Code refers to the nine privacy principles in the Protection of Personal Information Bill. Marketers must display a privacy policy on their website. - The marketer (responsible party) must have due regard to generally accepted information security practices and procedures which may apply, or professional rules and regulations (S18). Processing of personal information by someone on behalf of the marketer must be governed by a written contract to establish measures to ensure integrity of personal information (S20).
The marketer (data controller) may not use a customer’s personal information for any other purpose than the disclosed purpose without express written permission, and may not disclose any of the personal information to a third party unless required by law; and must delete or destroy all personal information which has become obsolete (S51).

SOUTH AFRICA COMPLIANCE MATRIX
Columns: MMA Category | MMA | WASPA | DMMA | DMASA | CPA | POPI | ECTA
Category: “Enforcement & Accountability”
The MMA expects its members to comply with the MMA Global Code of Conduct and has incorporated the Code into applicable MMA Guidelines as they apply to mobile marketers operating around the world, including the MMA Consumer Best Practices Guidelines, as applicable for certain national markets. Until such time as the Code can be enforced effectively by a 3rd party enforcement organization, mobile marketers are expected to use evaluations of their own practices to certify compliance with the Code. Any person may lodge a complaint against any WASPA member who, in the view of the complainant, has acted contrary to the provisions of the Code of Conduct (14.1). Some companies may be required to comply with the WASPA code by virtue of a contract with one or more network operators and/or WASP. In such cases, the Code shall be binding on those companies (1.6). DMMA members shall comply with applicable legislation and judicial decisions that impact their business. Members shall provide adequate training to their personnel to comply with the Code (6). Responsibility for observing the Code rests primarily with the individual companies who sign an acknowledgment of compliance when joining DMASA. Members agree to comply with the Code and to participate in DMASA's Complaint Resolution programme. A person convicted of an offence in terms of the CPA is liable to a fine or to imprisonment, or to both a fine and imprisonment (S111). In addition to any other order that it may make under this Act or any other law, a court considering a matter in terms of this Act may award damages against a supplier for collective injury to all or a class of consumers (S76). A data subject or the Regulator may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act (S94).
A person convicted of an offence in terms of this Act is liable to a fine or imprisonment (S99). A person convicted of an offence in terms of the ECT is liable to a fine or imprisonment (S89).