
POPIA Compliance for Websites: What SA Business Owners Must Know

Horizon Labs · 18 December 2025 · 7 min read

The Protection of Personal Information Act (POPIA) has been fully enforceable in South Africa since July 2021, yet a staggering number of SA business websites still don't comply. Some owners don't know the law applies to them. Others assume it's only for big corporations. And many have simply been putting it off.

Here's the reality: if your website collects any personal information — and almost every website does — POPIA applies to you. Non-compliance carries penalties of up to R10 million in fines or even imprisonment for serious offences. More practically, a data breach or complaint to the Information Regulator can damage your reputation beyond repair.

This guide explains POPIA in plain English and tells you exactly what your website needs to be compliant.

What Counts as Personal Information?

POPIA defines personal information far more broadly than most people expect. It includes any information that can identify a living person, directly or indirectly. On a typical business website, this includes:

  • Contact form submissions: Name, email address, phone number
  • E-commerce data: Delivery addresses, payment details, order history
  • Email newsletter signups: Email addresses and any associated preferences
  • Cookies and tracking: IP addresses, browser fingerprints, browsing behaviour
  • Job applications: CVs, ID numbers, employment history
  • Customer accounts: Login credentials, saved preferences, purchase history
  • WhatsApp and chat data: Phone numbers and conversation content

If your website has a contact form, a newsletter signup, an online store, Google Analytics, or even just Facebook Pixel installed — you're collecting personal information and must comply with POPIA.

The 8 Conditions for Lawful Processing

POPIA sets out eight conditions that must be met whenever you process (collect, store, use, or share) personal information. Here's what they mean for your website in practical terms:

1. Accountability

You must designate an Information Officer (for private companies, this defaults to the CEO or owner). This person ensures compliance and must be registered with the Information Regulator.

2. Processing Limitation

Only collect information you actually need. If your contact form asks for a name, email, and message — don't also ask for an ID number. Collect the minimum, and only for a lawful purpose.

3. Purpose Specification

Tell people why you're collecting their information and only use it for that stated purpose. If someone gives you their email for a quote, you can't add them to your marketing list without separate consent.

4. Further Processing Limitation

Don't repurpose data beyond its original intent. Customer emails collected for order confirmations shouldn't be used for unrelated promotions.

5. Information Quality

Take reasonable steps to ensure the information you hold is accurate and up to date.

6. Openness

Be transparent about what you collect and why. This is where your privacy policy comes in.

7. Security Safeguards

Protect personal information against loss, damage, or unauthorised access. For websites, this means an SSL/TLS certificate so every page is served over HTTPS, secure hosting, encrypted databases, and strong admin passwords.

8. Data Subject Participation

People have the right to ask what information you hold, request corrections, and ask you to delete their data. Your website must provide a clear way to exercise these rights.

What Your Website Specifically Needs

A Comprehensive Privacy Policy

Every website must have a privacy policy that's easily accessible (typically linked in the footer). It must clearly state:

  • What personal information you collect
  • Why you collect it (the purpose)
  • How you store and protect it
  • Who you share it with (third parties, payment processors, etc.)
  • How long you retain it
  • How users can access, correct, or delete their data
  • Your Information Officer's contact details

Generic privacy policies copied from international templates won't cut it. Your policy must reference POPIA specifically and be tailored to your actual data practices.

Cookie Consent

If your website uses cookies — and it almost certainly does if you have Google Analytics, Facebook Pixel, or any third-party scripts — you need a cookie consent banner. This must:

  • Appear before any non-essential cookies are set
  • Clearly explain what cookies you use and why
  • Allow users to accept or decline non-essential cookies
  • Respect the user's choice (declining must actually stop the cookies)
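The consent-before-cookies rule above, as an added example that is not part of the original article: a small gate that shows the banner until a choice is recorded, lets only essential cookies through while the visitor is undecided or has declined, and injects tracking scripts only after an explicit "accepted". The cookie name `site_consent`, the essential-cookie allowlist and the script URL are assumptions for illustration.

```javascript
// Added example (not part of the original article): a minimal consent gate
// that keeps non-essential cookies and tracking scripts off the page until
// the visitor has chosen, and treats "declined" (or no choice) as a hard stop.
const CONSENT_COOKIE = "site_consent";                             // assumed name
const ESSENTIAL_COOKIES = new Set(["session_id", CONSENT_COOKIE]); // assumed allowlist

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The stored choice: "accepted", "declined", or null when nothing valid is stored.
function readConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === "accepted" || value === "declined" ? value : null;
}

// The banner must be shown until an explicit choice has been recorded.
function shouldShowBanner(cookieString) {
  return readConsent(cookieString) === null;
}

// Essential cookies are always allowed; anything else needs an explicit
// "accepted". Silence (null) and "declined" both block the cookie.
function maySetCookie(name, consent) {
  if (ESSENTIAL_COOKIES.has(name)) return true;
  return consent === "accepted";
}

// Cookie attribute string that records the visitor's choice (default: 180 days).
function consentCookieString(choice, maxAgeSeconds = 180 * 24 * 3600) {
  if (choice !== "accepted" && choice !== "declined") throw new Error("invalid consent choice");
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Browser-only: inject a tracking script only after acceptance. Returns true
// only if a script tag was actually added to the page.
function loadTrackingScript(consent, scriptUrl) {
  if (consent !== "accepted" || typeof document === "undefined") return false;
  const s = Object.assign(document.createElement("script"), { src: scriptUrl, async: true });
  document.head.appendChild(s);
  return true;
}
```

Wire the banner's Accept/Decline buttons to write `consentCookieString(choice)` into `document.cookie`, then call `loadTrackingScript(readConsent(document.cookie), url)` on every page load; the tracking script never appears in the page's static HTML.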

Form Consent

Every form on your website that collects personal information needs a consent mechanism. At minimum, include:

  • A link to your privacy policy near the submit button
  • An unchecked checkbox for marketing consent (if applicable) — pre-ticked boxes are not valid consent under POPIA
  • Clear language about what happens with the submitted data

Secure Data Storage

Form submissions, customer accounts, and any stored personal data must be encrypted and stored securely. If you're using a third-party service (like Mailchimp for emails or PayFast for payments), ensure they are POPIA-compliant and mention them in your privacy policy.

Common Mistakes SA Businesses Make

Having reviewed hundreds of South African business websites, we see these POPIA failures most often:

  • No privacy policy at all. Surprisingly common, even for businesses with contact forms and e-commerce.
  • Collecting unnecessary data. Why does a plumbing quote form need a date of birth? Only collect what you need.
  • No cookie consent banner. If you use Google Analytics, you need consent. Full stop.
  • Pre-ticked marketing checkboxes. POPIA requires explicit, opt-in consent. Pre-ticked boxes are invalid.
  • No SSL/TLS certificate. Sending form data over unencrypted HTTP fails the security safeguards condition.
  • No data breach plan. You're legally obligated to notify the Information Regulator and affected individuals after a breach. Most small businesses have no plan for this.

Data Breach Procedures

POPIA requires you to notify the Information Regulator and affected individuals "as soon as reasonably possible" after discovering a breach. Your notification must include a description of what happened, what data was compromised, the steps you've taken to address it, and your Information Officer's contact details.

Having a documented response plan before an incident occurs is essential. It's far harder to respond correctly in the panic of an actual breach.

Penalties for Non-Compliance

The Information Regulator can impose:

  • Administrative fines: Up to R10 million
  • Criminal prosecution: Up to 10 years imprisonment for serious offences (such as selling personal data)
  • Civil claims: Affected individuals can sue for damages

While the Information Regulator has focused on large organisations in its early enforcement actions, small businesses are not exempt. As enforcement ramps up, having a compliant website is your first line of defence.

Getting Compliant Doesn't Have to Be Hard

POPIA compliance sounds daunting, but for most small business websites, it boils down to a few practical steps: add a proper privacy policy, implement cookie consent, secure your forms, and be transparent about what you collect and why.

Our POPIA compliance add-on handles all of this for you — privacy policy, cookie consent banner, form compliance, and secure data practices, all tailored to your specific website and business.

If you're also running or planning an online store, POPIA compliance is even more critical. Read our guide on starting an e-commerce business in South Africa for more on the legal requirements of selling online.

Need help with your full web presence? Explore our services or get in touch directly — we'll make sure your website does its job without putting your business at risk.

Tags: POPIA, privacy, compliance, legal, South Africa, data protection
