    POPIA Compliance for Cannabis Email Marketing South Africa

    25 March 2026 | 7 min read

    About the author

    AtlasFlow Founding Team | Author

    I write from inside AtlasFlow’s work with South African cannabis, CBD, healthcare and practitioner brands. My focus is the part of growth most teams get wrong: search visibility, compliance-aware messaging, trust signals, and the conversion path between a search click and a qualified enquiry. I build and audit content systems that help regulated businesses rank for the questions buyers actually ask, while avoiding claims, wording and page structures that create risk. Because AtlasFlow is South Africa-first, I keep the local reality in view: SAHPRA, POPIA, platform rules, payment friction, local search behaviour, and the need for clearer market education. Every article is written to be practical, commercially useful and grounded in how regulated brands actually grow here.

    Email marketing is one of the most valuable channels available to South African cannabis brands — no platform can ban it, no algorithm can suppress it, and it reaches your audience directly. But it operates within the bounds of POPIA: the Protection of Personal Information Act. For cannabis brands, POPIA compliance is not optional, and the consequences of non-compliance range from reputational damage to regulatory enforcement.

    This guide covers what POPIA requires of SA cannabis brands doing email marketing, what constitutes compliant consent, how to manage your list correctly, and how to build an email programme that is both legally sound and commercially effective.

    What POPIA Requires for Email Marketing

    POPIA (Protection of Personal Information Act) came into full effect in South Africa in July 2021. It regulates the processing of personal information by South African organisations and aligns broadly with GDPR principles. For email marketing, the key requirements are:

    • Lawful basis for processing. You must have a lawful basis for processing a person's email address. For marketing purposes, the most common lawful basis is consent. Consent must be voluntary, specific, informed, and unambiguous.
    • Purpose limitation. You can only use an email address for the purpose for which it was collected. If someone gave you their email for order notifications, you cannot use it for marketing newsletters without obtaining separate marketing consent.
    • Data minimisation. Collect only the personal information you actually need. For most cannabis email marketing, name and email address are sufficient — do not collect birth dates, phone numbers, or physical addresses unless you have a specific reason.
    • Right to access. Subscribers have the right to request what personal information you hold about them. You must be able to provide this within a reasonable timeframe.
    • Right to erasure. Subscribers have the right to have their personal information deleted. Unsubscribes must result in the removal of the email address from your marketing list — not just a marketing suppression.
    • Data security. Personal information must be processed securely. For email marketing, this means using a reputable ESP (Klaviyo, Mailchimp, ActiveCampaign) with appropriate security standards, limiting access to your subscriber list, and not sharing subscriber data with third parties without consent.

    Consent is the foundation of POPIA-compliant email marketing. For cannabis brands, the consent mechanism must meet all of the following criteria:

    What Constitutes Valid Consent

    • Voluntary: The person must have a genuine choice. Consent cannot be a condition of purchase — if you require email sign-up to complete a purchase, you are effectively conditioning the sale on consent, which is not voluntary.
    • Specific: The person must know what they are consenting to. "I agree to receive marketing emails from [Brand Name]" is specific. "I agree to the terms and conditions", with a marketing consent buried inside those terms, is not.
    • Informed: The person must understand who is collecting their data, how it will be used, and that they can withdraw consent. Your sign-up form must link to your privacy policy.
    • Unambiguous: Consent must be given through a clear affirmative action. Pre-ticked checkboxes do not constitute unambiguous consent under POPIA.

    What Does NOT Constitute Valid Consent

    • Pre-ticked marketing consent checkboxes on order forms
    • Adding customers to your list because they purchased from you (without separate marketing consent)
    • Purchasing email lists from third parties
    • Importing contacts from WhatsApp groups without individual consent
    • "Implied consent" from following you on social media

    Building a POPIA-Compliant Email List for Cannabis Brands

    The good news: building a POPIA-compliant list is not significantly harder than building a non-compliant list — it just requires more deliberate sign-up mechanisms.

    Website Opt-In Forms

    The primary list-building mechanism. Your opt-in form must include:

    • A clear statement of what the subscriber is signing up for: "Subscribe to receive cannabis marketing insights and brand updates from AtlasFlow"
    • An unchecked checkbox (or equivalent affirmative action) — not pre-ticked
    • A link to your privacy policy
    • Confirmation that the subscriber can unsubscribe at any time

    Lead Magnets

    Lead magnets (compliance checklists, brand strategy guides, dosing calculators) are among the most effective list-building tools for cannabis brands. For POPIA compliance, the lead magnet must be genuinely valuable (not a bait-and-switch), the consent must be clear and specific, and you cannot withhold the resource if someone unsubscribes after downloading.

    Post-Purchase Consent

    When a customer completes a purchase, you can include a marketing opt-in — but it must be separate from the order confirmation and clearly optional. "Would you like to receive exclusive offers and product updates via email? [Tick here to opt in]" is POPIA-compliant. "By purchasing, you agree to receive marketing emails" is not.

    Managing Unsubscribes and Data Deletion

    Every marketing email must include a clear, functional unsubscribe link. This is both a POPIA requirement and an ESP requirement (Mailchimp, Klaviyo, and ActiveCampaign will terminate your account for sending emails without unsubscribe options).

    When someone unsubscribes, POPIA requires:

    • Immediate cessation of marketing emails (within 1–2 business days maximum)
    • Removal from marketing lists (not just suppression — the data should be deleted unless you have another lawful basis to retain it, such as an existing customer transaction record)
    • No re-adding to marketing lists without fresh consent

    Cannabis Email Content: POPIA Meets Compliance

    POPIA governs the collection and processing of personal data. SAHPRA and ASA govern the content of your marketing claims. Both apply simultaneously to cannabis email marketing.

    A POPIA-compliant list with non-compliant medical claims in the email content is still a liability. Ensure your cannabis email content follows the same claim guidelines that apply to your website and social content: general wellness language, no unsubstantiated therapeutic claims, and age-appropriate messaging. See our SAHPRA CBD marketing guidelines post for the full content compliance framework.

    Frequently Asked Questions

    Can I email customers who have purchased from my CBD store without separate marketing consent?

    Under POPIA, transactional emails (order confirmation, shipping notification) are permitted without marketing consent. Marketing emails (promotions, newsletters, product updates) require explicit marketing consent. If your customer provided their email for transactional purposes, you need to obtain separate marketing consent before sending promotional emails.

    What happens if I violate POPIA with my cannabis email marketing?

    POPIA enforcement is handled by the Information Regulator. Penalties for serious violations can include fines of up to R10 million or imprisonment. For most cannabis brand email marketing violations (non-compliant consent mechanisms), the likely outcome is a compliance notice requiring you to fix the issue. Building compliance in from the start is significantly cheaper than remediation.
