Why South Africans are still flooded with spam, and what parents need to know
When South Africa’s Protection of Personal Information Act (POPIA) came fully into effect in July 2021, many people expected an immediate and noticeable reduction in spam calls, unsolicited WhatsApp messages, and relentless marketing emails. Several years later, the lived reality feels very different. If anything, spam appears to have increased. This apparent contradiction has left parents frustrated and confused, asking a reasonable question: if POPIA exists, why is this still happening, and how do we protect our children?
This article unpacks the gap between legislation and reality, explains how parents can report infringements, and outlines practical steps to reduce children’s exposure to spam and data misuse.
What POPIA was designed to do
POPIA is fundamentally about control and accountability. It regulates how organisations collect, store, process, and share personal information. In principle, it requires that:
- Personal data is collected for a specific, lawful purpose
- Individuals give informed consent for marketing communication
- Data subjects can opt out at any time
- Organisations secure personal data against loss, misuse, or unauthorised access
In theory, this should have dramatically reduced unsolicited marketing. In practice, enforcement and behavioural change have lagged behind legislation.
Why spam is still everywhere
1. Enforcement is reactive, not automatic
POPIA does not operate like a spam filter that blocks messages by default. It relies on complaints being reported to the regulator. Many organisations continue questionable practices because they assume most people will delete the message rather than lodge a formal complaint. This creates a low-risk, high-reward environment for spammers.
2. Legacy databases still exist
Much of today’s spam originates from old data sets, collected years before POPIA came into force. While organisations are legally required to clean and validate these databases, compliance has been uneven. Some companies continue to rely on historic “implied consent,” despite POPIA setting a far higher bar.
3. Third-party data brokers and lead sellers
A significant portion of spam does not come directly from well-known brands, but from data brokers and lead-generation companies. These entities harvest data through online competitions, quizzes, free apps, and social media promotions, then sell it onward. Tracing accountability across this ecosystem is complex and slow.
4. Cross-border data flows
Many spam campaigns originate outside South Africa. While POPIA does regulate cross-border data transfers, enforcement against foreign operators is difficult, especially when they mask identities or operate through automated systems.
5. Children’s data is particularly vulnerable
Children often share personal information without understanding the long-term consequences. Gaming platforms, social media apps, and “free” educational tools frequently encourage data sharing, creating digital footprints that are later exploited for marketing or worse.
How parents can report POPIA infringements
Reporting matters. POPIA only becomes effective when individuals exercise their rights.
Parents can lodge a formal complaint with the Information Regulator if:
- Marketing messages continue after opting out
- Consent was never given
- Children’s personal data has been used unlawfully
- An organisation refuses to delete personal information
What to do before reporting
- Opt out first – Reply “STOP,” unsubscribe, or use the provided opt-out mechanism
- Keep evidence – Screenshots of messages, call logs, and email headers
- Identify the sender – Company name, website, or contact details
Complaints can be submitted via the Information Regulator’s official website. While the process is not instant, repeated complaints build enforcement momentum and regulatory pressure.
Protecting children from spam and data exploitation
1. Limit where children share personal information
Teach children to avoid entering names, phone numbers, email addresses, or school details into online forms, games, or competitions without parental approval. Many “free” platforms monetise data rather than charge subscription fees.
2. Use parental controls and privacy settings
Enable child profiles, restrict app permissions, and review privacy settings on devices and platforms. Pay particular attention to messaging apps, social networks, and online games that allow direct contact from unknown users.
3. Create separate email addresses
Use dedicated email addresses for school platforms or gaming accounts, rather than a child’s primary email. This limits spillover into everyday communication channels.
4. Talk openly about digital manipulation
From a cognitive and behavioural psychology perspective, children are more susceptible to persuasive design and reward-based prompts. Explain how spam messages are designed to trigger curiosity, urgency, or fear, and encourage children to pause before clicking.
5. Model good data habits
Children learn digital behaviour by observation. When parents actively unsubscribe, report spam, and question data requests, children internalise those norms.
POPIA is necessary, but not sufficient
From a systems perspective, POPIA represents structural regulation, not behavioural transformation. Laws change rules, but culture changes outcomes. Until enforcement becomes more visible and digital literacy improves, spam will remain part of the online environment.
For parents, the most effective strategy is a combination of legal awareness, active reporting, and everyday digital hygiene. POPIA gives families rights, but those rights only protect children when they are exercised consistently.
Keeping kids safer online starts with informed, empowered adults.