Contact us
04 May 2026

South Africa’s 2026 CPA Amendment Regulations and the National Opt Out Regime

On 15 April 2026, the new regulations to the Consumer Protection Act came into effect. These Regulations fundamentally change how unsolicited electronic marketing, such as spam calls, SMSs and digital platform messages, are regulated under the CPA.  

 

At the centre of the new framework is a National Consumer Commission (NCC) administered opt‑out registry, which replaces the fragmented, marketer‑by‑marketer opt‑out approach that was previously in place. Consumers can now register a pre‑emptive block on a single, central registry to prevent unwanted electronic communications from all direct marketers, rather than having to opt out individually from each one.

 

The Regulations were issued by the Minister of Trade, Industry and Competition under section 120(1)(a), read with section 11(6), of the CPA, following consultation with the NCC and provincial consumer authorities. They amend the Consumer Protection Act Regulations, 2011 by providing the necessary prescribed forms and tariff schedules required to operate a functional registration and opt‑out system. Importantly, the Regulations state expressly that they take effect on publication, being 15 April 2026, meaning the compliance obligations are already mandatory.

 

A key innovation is the introduction of new, clearly defined concepts that convert consumer rights into operational duties. These include:

  • “Direct marketer”, broadly defined to include any person engaging in direct marketing, regardless of channel;
  • “Pre‑emptive block”, being a consumer’s registration on the NCC opt‑out registry to prevent marketing communications; and
  • “Cleansing”, defined as the process of removing opted‑out consumers from a marketer’s database.

Together, these concepts transform opt‑out rights into a recurring compliance obligation for all businesses engaging in direct marketing, rather than a once‑off or reactive exercise.

 

Under the amended regulations, all direct marketers must register with the NCC in order to lawfully conduct direct marketing. Registration is not optional. A marketer may not contact any consumer for direct marketing purposes unless it is registered on the registry. Registration must be renewed annually, with prescribed fees payable, and marketers must ensure their registration details remain accurate and current.

 

Beyond registration, marketers are required to cleanse their databases at least monthly against the NCC’s opt‑out registry, removing all records of consumers who have registered a relevant pre‑emptive block. This obligation gives the registry real teeth by ensuring opted‑out consumers are continuously protected, even as new lists are compiled or data is refreshed.

 

The Regulations also impose enhanced transparency and identification requirements. Every direct marketing communication must clearly identify the marketer’s name, electronic address, physical address, and contact number, and communications must be clearly identifiable as originating from the sender. Marketers must remain identifiable even on public digital platforms and may not disseminate marketing communications from platforms where the originator cannot be identified, closing long‑standing anonymity loopholes exploited by spammers.

 

For consumers, the system introduces both empowerment and responsibility. Consumers may register a pre-emptive block at any time using the prescribed form, but they must ensure that the information they submit is accurate and kept up to date to ensure effective protection.

 

From an enforcement perspective, the Regulations significantly elevate the NCC’s role. Within the CPA framework, responsibility for day‑to‑day anti‑spam compliance now sits squarely with the Commission, supported by a central registry, verification duties, guidance publication requirements, and fee‑funded operations. Non‑compliance by businesses may result in enforcement action, including referral to the National Consumer Tribunal and the imposition of administrative fines.

 

The Amendment Regulations do not operate in isolation. They must be read alongside the Protection of Personal Information Act 4 of 2013 (POPIA), particularly section 69, which governs electronic direct marketing and generally requires prior consent, subject to narrow exceptions. Compliance with the CPA’s opt‑out regime does not remove the obligation to comply with POPIA—businesses must satisfy both legal frameworks.

 

In practical terms, the message is clear. South Africa has moved from a consent‑heavy, complaints‑driven system to a centralised, preventive and enforceable “do not contact” regime. Direct marketing is not prohibited, but it is now tightly regulated, with registration, identification, and ongoing data hygiene as non‑negotiable requirements.

 

In short, responsibility for curbing unsolicited direct marketing has been translated into a functioning compliance machinery anchored by the NCC. For marketers, this demands immediate operational change. For consumers, it finally offers a single, effective mechanism to say “Do not call me — I’ll call you.”

 

Given the immediate commencement of the amendments to the CPA, any businesses involved in direct marketing should take urgent proactive steps to ensure their compliance.

Share this article

Kevin Dam
Director
Commercial Attorney – South Africa
+27 11 324 4050
kevind@kisch-ip.com

We use cookies to make your experience with us better. By continuing to use our website, you are agreeing to our use of cookies. To find out more see our privacy statement.

Close