POPIA, the Protection of Personal Information Act, has been fully enforceable since July 2021. And yet a massive number of South African business websites still aren't compliant. Some owners genuinely don't know the law applies to them. Others figure it's only a big-company problem. Most have just been putting it off.
If your website collects any personal information (and nearly every website does), POPIA applies to you. Penalties go up to R10 million in fines. Serious offences carry prison time. And practically speaking, a data breach or complaint to the Information Regulator can wreck your reputation in ways no fine can match.
What Counts as Personal Information?
POPIA's definition is far wider than most people assume. It covers any information that can identify a living person, directly or indirectly.
On a typical business website, that includes names, emails, and phone numbers from contact form submissions. It includes delivery addresses, payment details, and order history from e-commerce. Newsletter signups count. Cookies and tracking data like IP addresses, browser fingerprints, and browsing behaviour count. Job applications with CVs and ID numbers count. Customer account logins, saved preferences, and purchase history all fall under POPIA. Even WhatsApp and chat data, including phone numbers and conversation content, are covered.
Got a contact form? A newsletter signup? An online store? Google Analytics? Even just Facebook Pixel? You're collecting personal information. POPIA applies.
The 8 Conditions for Lawful Processing
POPIA lays out eight conditions you must meet whenever you process personal information, and "process" covers collecting, storing, using, or sharing it.
First is accountability. You need a designated Information Officer. For private companies, this defaults to the CEO or owner. This person is responsible for ensuring compliance and must be registered with the Information Regulator.
Processing limitation means you only collect what you actually need. Your contact form asks for a name, email, and message? Fine. Don't also ask for an ID number. Minimum data, lawful purpose.
Purpose specification requires you to tell people why you're collecting their information, and to only use it for that stated reason. If someone gives you their email to get a quote, you can't quietly add them to your marketing list. That requires separate consent.
Further processing limitation stops you from repurposing data. Email addresses collected for order confirmations shouldn't later be used for unrelated promotions.
Information quality means taking reasonable steps to keep the information you hold accurate and current. Openness means being upfront about what you collect and why, which is where your privacy policy does its job.
Security safeguards require you to protect personal information against loss, damage, and unauthorised access. For websites, that means an SSL/TLS certificate so the site is served over HTTPS, secure hosting, encrypted databases, and strong admin passwords. The basics, but non-negotiable.
Finally, data subject participation gives people the right to ask what information you hold about them, request corrections, and ask for deletion. Your website needs a clear way for them to do this.
What Your Website Specifically Needs
A Proper Privacy Policy
Every website needs one, linked somewhere easy to find, typically the footer. It must clearly state what personal information you collect, why you collect it, how you store and protect it, who you share it with (third parties, payment processors, etc.), how long you keep it, how users can access, correct, or delete their data, and your Information Officer's contact details.
A generic privacy policy copied off some international template won't work. It needs to reference POPIA specifically and reflect your actual data practices.
Cookie Consent
If your site uses cookies (and it almost certainly does if Google Analytics, Facebook Pixel, or any third-party scripts are running), you need a cookie consent banner. It must appear before non-essential cookies fire. It must explain what cookies you use and why. Users must be able to accept or decline non-essential cookies. And declining must actually stop the cookies, not just hide the banner.
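One way to make "declining actually stops the cookies" real in the page itself, as an added example that is not code from this article or any vendor: non-essential tags are only injected after a recorded opt-in, and a decline expires the tracking cookies those tags set. It assumes a first-party cookie named popia_consent holds the visitor's choice as JSON, a placeholder measurement id, and the cookie names listed for each vendor.

```javascript
// Consent-gated loading of non-essential tags. Assumed: a first-party cookie
// "popia_consent" stores the visitor's choice as JSON, e.g. {"analytics":false,
// "marketing":false}; the tag URLs (placeholder G-XXXXXXX id) and the cookie
// names each vendor sets are assumptions matching the page's own examples.
const NON_ESSENTIAL = {
  analytics: { src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX", cookies: ["_ga", "_gid"] },
  marketing: { src: "https://connect.facebook.net/en_US/fbevents.js", cookies: ["_fbp"] },
};

function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// null means no decision recorded yet: show the banner and load nothing non-essential.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString).popia_consent;
  if (!raw) return null;
  try { const c = JSON.parse(raw); return { analytics: c.analytics === true, marketing: c.marketing === true }; }
  catch (e) { return null; }
}

// Only categories the visitor opted into get their script tag injected.
function scriptsAllowed(consent) {
  if (!consent) return [];
  return Object.keys(NON_ESSENTIAL).filter(k => consent[k]).map(k => NON_ESSENTIAL[k].src);
}

// Declining must remove tracking cookies already present, not just hide the banner.
function cookiesToExpire(consent, cookieString) {
  const present = parseCookies(cookieString);
  return Object.keys(NON_ESSENTIAL)
    .filter(k => !consent || !consent[k])
    .flatMap(k => NON_ESSENTIAL[k].cookies)
    .filter(name => name in present);
}

// Browser wiring, guarded so the same file also runs under Node for testing.
if (typeof document !== "undefined") {
  const consent = readConsent(document.cookie);
  for (const src of scriptsAllowed(consent)) {
    const s = document.createElement("script"); s.src = src; s.async = true; document.head.appendChild(s);
  }
  // Vendor cookies are often set on the parent domain; expire with that Domain attribute too if yours are.
  for (const name of cookiesToExpire(consent, document.cookie)) document.cookie = `${name}=; Max-Age=0; Path=/`;
}
```

The banner's accept and decline buttons would write popia_consent (with the visitor's choices, or all false) and then reload or re-run this module; until that cookie exists, nothing non-essential loads.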
Form Consent
Every form collecting personal information needs a consent mechanism. At minimum, include a link to your privacy policy near the submit button. If marketing consent is applicable, add an unchecked checkbox. Pre-ticked boxes don't count as valid consent under POPIA. Use clear language explaining what happens with the submitted data.
Secure Data Storage
Form submissions, customer accounts, anything with personal data must be encrypted and stored securely. Using third-party services like Mailchimp or PayFast? Make sure they're POPIA-compliant, and mention them in your privacy policy.
Mistakes We See Constantly
After reviewing hundreds of SA business websites, the same issues come up again and again.
No privacy policy at all, even on sites with contact forms and full e-commerce. Surprisingly common. Collecting data you don't need, like a plumbing quote form asking for a date of birth. No cookie consent banner despite Google Analytics being installed. Pre-ticked marketing boxes, where POPIA demands explicit opt-in consent. No SSL certificate, meaning data is sent over unencrypted HTTP. And no breach response plan, even though you're legally required to notify the Information Regulator and affected individuals after a breach.
When Things Go Wrong
POPIA says you must notify the Information Regulator and affected individuals "as soon as reasonably possible" after discovering a breach. Your notification needs to cover what happened, what data was compromised, the steps you've taken, and your Information Officer's contact details.
Having a documented response plan before anything goes wrong is crucial. Nobody thinks clearly during an actual breach.
What Happens If You Don't Comply
The Information Regulator can issue administrative fines of up to R10 million. Criminal prosecution carries up to 10 years for serious offences like selling personal data. Individuals affected by your non-compliance can also sue for damages.
Early enforcement has focused on larger organisations, yes. But small businesses are not exempt. As enforcement accelerates, a compliant website is your first line of defence.
For most small business websites, POPIA compliance comes down to a handful of practical steps. A proper privacy policy, cookie consent, secure forms, and transparency about what you collect and why. Our POPIA compliance add-on handles all of it, tailored to your specific site and business.
Running or planning an online store? POPIA becomes even more critical when e-commerce is involved. Our guide on starting an e-commerce business in South Africa covers the legal side of selling online in more detail.
Need help with your full web presence? Explore our services or get in touch directly.