Is Truecaller breaching privacy laws? Insights from South Africa's investigation
South Africa’s Information Regulator is currently investigating the popular caller identification app, Truecaller, after complaints from businesses and individuals alleging that it violated the Protection of Personal Information Act (POPIA).
This investigation was lodged in late June 2025 following concerns over how personal data is collected and processed by foreign tech platforms operating in the country. We look into the investigation and Truecaller’s data collection.
How does Truecaller collect your data?
Truecaller’s data collection methodology is at the centre of the investigation. This is how the app collects its data.
Crowd-sourced Data: The app primarily relies on crowd-sourced data for spam identification. This means users contribute information to its database.
Address Book Uploads: A concern raised by legal experts is the platform’s past encouragement for users to upload their phone address books in exchange for additional features.
Unaware Non-Users: This practice is particularly troubling for non-subscribers whose data ends up on the platform without their knowledge. Truecaller builds its database from user uploads, which means that individuals who have never used the app might have their details shared and appear in its database without their awareness.
Lawful Basis for Processing: POPIA requires that any “responsible party,” in this case Truecaller, must have a lawful basis to process the personal information of a data subject.
Lack of Notification: Although Truecaller offers an unlisting function, individuals often don’t know their data has been shared or how to use this feature.
Is Truecaller extorting users?
Beyond data collection, Truecaller’s business model has drawn sharp criticism, with some complainants comparing it to blackmail and extortion.
Businesses, including internet service providers (ISPs) and internet telephony providers, have complained that Truecaller flags their legitimate numbers as spam, blocking calls and damaging their reputations.
Once a number is flagged, Truecaller allegedly charges businesses a “ridiculous fee” to “whitelist” their numbers so their calls can reach clients again. One small ISP reported being charged $590 (approximately R10,400) per month for 5,000 calls, which translates to an extra R2.18 per call.
This practice not only adds financial strain but also disrupts customer service, leading to lost revenue and trust for businesses heavily reliant on outbound calls for sales or support.
Where does the POPI Act come in?
The Protection of Personal Information Act (POPIA), effective since July 2021, mandates that organisations process personal information lawfully, transparently, and securely, often requiring consent.
It’s worth noting that violations can lead to significant penalties, including fines up to R10 million or imprisonment.
The Information Regulator’s mandate specifically empowers it to act if Truecaller’s handling of personal information is not in accordance with POPIA.
The investigation will assess Truecaller’s practices against the eight conditions set out in POPIA, which include ensuring users are informed about data usage, secure data handling, and limiting data collection to what is necessary for its stated purpose.
The Regulator has a track record of enforcing POPIA, having previously fined companies for breaches, including a R5 million penalty against a direct marketer in 2023 for spam messages. It’s important to note that South Africa’s laws are somewhat unique in that businesses, not just individuals, are afforded personal information protections, giving companies the right to control how their details are used.
IOL