South Africa enacted the Protection of Personal Information Act 4 of 2013 (POPI) in an effort to curb the misuse of customers’ personal information by organisations. The aim of this research was to establish whether the South African insurance industry is adhering to certain prescripts of POPI, focusing on direct marketing requirements. An experiment was utilised to monitor the flow of personal information submitted to 20 insurance companies requesting short-term insurance quotations, using new e-mail addresses and phone numbers. The results of the experiment indicate that 92% of the marketing communication received did not have prior consent from the researcher. Contact was made by companies outside the sample, indicating third-party sharing. 86% of the unsolicited short message service (SMS) communication received required customers to pay for unsubscribing from SMSs, which is not in line with regulatory requirements. The non-compliance evident in this experiment acts as an early warning to the insurance industry and South Africa, prompting a more concerted effort towards preparation of compliance with POPI. A personal information processing management framework is proposed to aid the insurance industry in understanding how personal information can be processed in line with the requirements of the Act.