There is a persistent myth circulating in South African startup circles: that POPIA — the Protection of Personal Information Act — effectively prohibits cold outbound sales. Founders pause campaigns, SDRs second-guess sequences, and sales teams waste months waiting for legal sign-off that never quite arrives. All of it is based on a misreading of what the Act actually says.
POPIA does not ban outbound sales. What it does do is set clear, enforceable rules around how personal information can be processed, stored, and acted upon. Understanding those rules is not optional for any South African startup doing outbound — but understanding them also reveals a practical, compliant path forward.
The legitimate interest basis: your legal foundation
Section 11 of POPIA lists the conditions under which personal information may be processed. Condition 4 — legitimate interest — is the one that makes B2B outbound sales lawful. It states that you may process personal information if it is necessary for pursuing the legitimate interests of the responsible party or a third party, provided those interests are not overridden by the data subject’s rights.
In plain English: if you have a genuine, proportionate business reason to contact a prospect, and that reason is relevant to their role and circumstances, POPIA permits it. A SaaS founder contacting a CFO about a relevant financial automation tool has a legitimate interest basis. A lead generation company selling irrelevant consumer offers to a recycled list does not.
POPIA’s legitimate interest condition (Section 11(1)(f)) is the standard legal basis for B2B outbound sales in South Africa — the same framework used for outbound across GDPR-regulated European markets.
The three practical requirements that flow from this are non-negotiable. Most outbound tools get all three wrong.
The 3 things you must do
01. Log consent signals and sourcing records
Every contact you reach out to needs a documented sourcing record: where the data came from, when it was collected, on what legal basis it was obtained, and what the intended use is. This is not a once-off exercise. It is a per-contact record that must be retrievable if a data subject or regulator ever asks. If you cannot answer the question “where did you get my details?” with a specific, dated, verifiable answer, you are not compliant.
02. Honour unsubscribe requests immediately, with a timestamp
When a prospect opts out — whether by replying “unsubscribe”, clicking an unsubscribe link, or explicitly asking to be removed — that request must be honoured immediately, and the timestamp of that action must be recorded. POPIA section 11(3) establishes the data subject’s right to object to processing for marketing purposes. There is no grace period. There is no “we’ll remove you from the next campaign”. The removal is effective immediately, and the record of it is the evidence that it happened.
03. Never re-contact suppressed contacts
This is the step where most outbound operations fail quietly over time. A contact opts out. They are removed from the current campaign. Six months later, they are imported from a new list, re-enrolled in a sequence, and receive a cold email again. Under POPIA, that second contact is a violation. The suppression list must be permanent, actively applied to every new import, and maintained across the entire responsible party — not just the tool that processed the original opt-out.
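
The three requirements above can be enforced in one workspace-wide store rather than per campaign. The following Python sketch is an added example, not code from KIND or any outbound tool; `ComplianceStore`, `contact_key` and the record field names are hypothetical, and it assumes contacts are matched on a hash of the normalised email address.

```python
import hashlib
from datetime import datetime, timezone

def contact_key(email):
    # Assumption: contacts are matched on the trimmed, lower-cased address.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

class ComplianceStore:
    """Hypothetical workspace-wide store: sourcing, suppression, audit log."""
    def __init__(self):
        self.sourcing = {}    # contact key -> list of sourcing records
        self.suppressed = {}  # contact key -> opt-out record (never deleted)
        self.audit = []       # append-only log of processing events

    def _log(self, key, event, **detail):
        entry = {"contact": key, "event": event,
                 "at": datetime.now(timezone.utc).isoformat(), **detail}
        self.audit.append(entry)
        return entry

    def import_contacts(self, emails, source, collected_on, basis, intended_use):
        """Record sourcing per contact; return only addresses that may be enrolled."""
        record = {"source": source, "collected_on": collected_on,
                  "basis": basis, "intended_use": intended_use}
        accepted = []
        for email in emails:
            key = contact_key(email)
            if key in self.suppressed:  # checked on every import, from any list
                self._log(key, "import_blocked", source=source)
                continue
            self.sourcing.setdefault(key, []).append(dict(record))
            self._log(key, "imported", source=source)
            accepted.append(email)
        return accepted

    def opt_out(self, email, channel):
        """Suppress immediately; the first opt-out timestamp is kept as evidence."""
        key = contact_key(email)
        if key not in self.suppressed:
            self.suppressed[key] = self._log(
                key, "opt_out", channel=channel, action="suppressed")
        return self.suppressed[key]

    def subject_report(self, email):
        """Everything held about one data subject, for a request or review."""
        key = contact_key(email)
        return {"sourcing": self.sourcing.get(key, []),
                "suppressed": self.suppressed.get(key),
                "events": [e for e in self.audit if e["contact"] == key]}
```

Because the suppression check runs inside `import_contacts`, a contact who opted out stays excluded even when the address arrives later from a different list or with different casing.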
What most tools get wrong
The majority of outbound platforms were designed for US or European markets and then sold into South Africa without meaningful modification. The compliance gaps are consistent and predictable.
No suppression management
Most tools maintain a per-campaign unsubscribe list. A contact who opts out of Campaign A is not automatically suppressed from Campaign B, Campaign C, or a future re-import. There is no cross-campaign, cross-workspace suppression layer. This means that compliance depends entirely on the human remembering to check a list before launching — a process that fails at scale.
No consent records
Tools that pull from major lead databases or scraped LinkedIn data typically record nothing about where the data came from. There is no sourcing log, no collection date, no basis statement. If a contact or regulator asks how you obtained their information, the honest answer is “we don’t know” — which is not a defensible position under POPIA.
No POPIA-auditable logs
When a regulator investigation begins, the first thing requested is a log of all processing activities related to the data subject in question: when they were contacted, on what basis, what communications were sent, and when and how they opted out. Most outbound tools produce no such log. The campaign history exists in fragments across an inbox, a CRM, and a sequence tool — none of which were designed to produce a coherent compliance record.
How KIND handles it
POPIA compliance is not a feature in KIND — it is a structural requirement that shapes how every campaign is built and operated.
Every campaign has a POPIA compliance record. When leads are sourced or imported into KIND, the source, collection date, and legitimate interest basis are recorded per contact. This record is attached to the contact permanently, not to the campaign.
Suppression is permanent and timestamped. When a contact opts out through any channel — email reply, unsubscribe link, or manual removal — the suppression is recorded with a precise timestamp and applied across all future campaigns in the workspace. Re-importing that contact from a new list will not override the suppression; it will be flagged and excluded automatically.
Unsubscribes are logged per POPIA section 11. The opt-out record includes the contact identifier, the timestamp, the channel through which the request was received, and the action taken. This record is exportable in a format suitable for regulatory review. If the Information Regulator ever asks, you have an answer.
Running compliant outbound in South Africa is not hard. It is just precise. And precision is exactly what most outbound tools were not built for.