Popular caller identification app Truecaller is facing scrutiny in South Africa following complaints that it may be violating the country’s data protection law, the Protection of Personal Information Act (POPIA). The Information Regulator (South Africa) has launched a formal investigation into the company’s data practices after multiple reports alleged misuse of personal information and unfair business conduct.

Complaints Over Data Misuse and Spam Labelling

According to reports, several South African users and businesses accused Truecaller of wrongly tagging legitimate businesses as spam and demanding payment for their removal from its spam list.

Truecaller has denied the allegations, insisting that it does not charge for “whitelisting” and that its contact permissions and data processing methods comply fully with POPIA. The company also emphasised that its system is designed to protect users from unwanted calls, not to exploit or misuse data.

“Truecaller does not upload users’ contact lists to its servers for public sharing and strictly adheres to data privacy standards,” the company said in a statement.

Legal and Ethical Concerns

Despite Truecaller’s defence, privacy experts and legal professionals remain sceptical about how the app handles non-user data, information about individuals who have never downloaded or used the app.

Lucinda Botes, a senior associate at Phukubje Pierce Masithela Attorneys, noted that the app’s ability to display personal information about non-users raises significant legal and ethical concerns.

She explained that even if Truecaller does not technically upload contact lists, its data practices may still conflict with POPIA’s “openness principle”, which mandates organisations to inform individuals about how their data is collected, processed, and used.

“Individuals whose numbers appear in other people’s contact lists have not consented to have their details shared,” Botes said. “That poses a potential privacy violation under POPIA.”

Balancing Privacy and Innovation

POPIA gives South African citizens and businesses the right to control their personal data and to request clarification, correction, or removal from any digital database.

While Truecaller maintains that its “unlisting feature” allows anyone to remove their number from its directory, experts argue that this does not absolve the company of its responsibility to ensure transparency and consent, especially for non-users who are unaware their data is being shared.

Truecaller has countered that notifying every non-user individually would be technically and logistically impossible, given the app’s global reach and user-generated nature.

A Landmark Test for Data Protection in Africa

The outcome of this investigation could have far-reaching implications for digital privacy laws in Africa. As South Africa’s data protection framework continues to evolve, the Truecaller case could become a defining moment for how governments enforce consent, openness, and accountability in the digital economy.

For millions of users and non-users alike, the case represents a crucial test of how far innovation and convenience can stretch before crossing the boundaries of privacy.