POPIA, Cookies & Your Website: What South African Businesses Need to Know

If you run a website in South Africa, you’re collecting personal information – even if you don’t realise it. Names through your contact form. Email addresses through your newsletter signup. Behaviour data through Google Analytics. IP addresses through your hosting.

All of that falls under POPIA – the Protection of Personal Information Act – which has been fully enforceable since July 2021. Most small business websites in South Africa are still not compliant.

Here’s the practical version of what you actually need to do, without the legalese.

(Important: this is a guide, not legal advice. For complex compliance questions, talk to a lawyer who specialises in data protection.)

What POPIA actually requires

POPIA gives South African individuals control over how businesses collect, store, and use their personal information. The eight conditions of lawful processing boil down to:

  • You only collect information you actually need
  • You collect it for a specific, stated purpose
  • You tell people what you’re collecting and why
  • You only keep it as long as you need it
  • You keep it secure
  • People can ask you to show them what you have, correct it, or delete it

That’s the spirit. The compliance work is making your website actually do these things, transparently.

The minimum compliance checklist

1. A privacy policy

Every website that collects any personal information needs a privacy policy. Not a generic template – one that actually describes what your specific business collects, how, why, and what you do with it.

It should cover:

  • What information you collect (and how)
  • What you use it for
  • Who you share it with (e.g. Google Analytics, Mailchimp, your hosting provider)
  • How long you keep it
  • How users can request access, correction, or deletion
  • How users can complain (and to whom – the Information Regulator)
  • How to contact your Information Officer

Link to it in your website footer, on every page.

2. An Information Officer

By law, every business has an Information Officer responsible for POPIA compliance. For most small businesses, this is the owner by default – but you should formally register them with the Information Regulator. It’s a free online process at justice.gov.za.

3. Cookie consent

If your website uses cookies (it almost certainly does – Google Analytics alone uses several), you need to inform users and give them the choice to accept or reject non-essential ones.

The standard implementation: a banner that appears on first visit, with options to:

  • Accept all cookies
  • Reject non-essential cookies
  • Customise preferences

There are several free WordPress plugins that handle this well – we typically use Complianz or CookieYes for client sites.

4. Form consent

Every form on your website that collects personal information should have:

  • A clear statement of why you’re collecting it
  • A tick-box for the user to consent (not pre-ticked)
  • A link to your privacy policy

“By submitting this form you agree to our terms” as a buried line in light grey text doesn’t cut it. The consent must be active, informed, and specific.

5. Email marketing consent (POPIA + Section 45)

You can only send marketing emails to people who have explicitly opted in. The legacy “we assume you want our emails because you’re a customer” doesn’t fly under POPIA.

Practical implications:

  • Newsletter signup forms must be opt-in (no pre-ticked boxes)
  • Existing customer lists need a re-consent campaign before being used for marketing
  • Every marketing email must include an unsubscribe link
  • Unsubscribe requests must be processed promptly (we recommend within 7 days)

6. Data security basics

If you store customer data on your website (CRM integrations, form submissions, e-commerce orders), you have a legal duty to keep it secure. The minimums:

  • An SSL/TLS certificate so the site is served over HTTPS (the padlock in the browser)
  • Strong passwords for your WordPress admin and hosting
  • Two-factor authentication on admin accounts
  • Regular backups (so you can restore if breached)
  • Up-to-date WordPress, themes, and plugins

If your WordPress maintenance is patchy, you’re carrying compliance risk as well as security risk. Our guide on WordPress maintenance covers what should be happening monthly.

What you don’t need to panic about

POPIA is enforceable, but the Information Regulator has been pragmatic with small businesses making a genuine effort. The pattern is: warnings and remediation requests for first-time good-faith issues, escalating fines for repeated or wilful non-compliance.

You don’t need to:

  • Hire a dedicated data protection officer (the Information Officer can be the business owner)
  • Pay for an expensive compliance audit (most small business compliance is straightforward)
  • Stop using Google Analytics or similar tools (you just need to inform users via cookie consent)

The cookies question, simply

Three categories of cookies:

  • Essential cookies (e.g. logged-in session) – no consent needed
  • Functional cookies (e.g. remembering preferences) – consent recommended
  • Analytics and marketing cookies – consent required before they fire

Properly configured consent management plugins handle this automatically – they block analytics scripts until the user opts in.
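To show what that blocking actually looks like, here is an added example (not code from this page, nor from Complianz or CookieYes): a minimal consent gate that tags each script with one of the three categories above and only injects it once the stored consent covers that category, treating a missing cookie as "nothing granted". The cookie name, script paths and inventory are assumptions made up for the example.

```javascript
// Minimal consent gate: third-party scripts are tagged with a category and are
// only injected into the page once the stored consent covers that category.
// Category names follow the article: essential / functional / analytics.
const CONSENT_COOKIE = "site_consent"; // assumed cookie name, not from any plugin

// Parse a document.cookie string into the consent state. Anything not
// explicitly granted is treated as refused (no pre-ticked defaults).
function parseConsent(cookieString) {
  const state = { essential: true, functional: false, analytics: false };
  for (const part of cookieString.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== CONSENT_COOKIE || !value) continue;
    for (const cat of decodeURIComponent(value).split(",")) {
      if (cat in state) state[cat] = true;
    }
  }
  return state;
}

// Serialise the user's choice as a Set-Cookie style string; essential is
// always implied so it is never stored.
function buildConsentCookie(granted, maxAgeDays = 180) {
  const cats = Object.keys(granted).filter((c) => c !== "essential" && granted[c]);
  return `${CONSENT_COOKIE}=${encodeURIComponent(cats.join(","))}` +
    `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Script inventory: constructed for this example; the src values are placeholders.
const SCRIPTS = [
  { category: "essential", src: "/js/session.js" },
  { category: "functional", src: "/js/preferences.js" },
  { category: "analytics", src: "https://example.invalid/analytics.js" },
];

// Decide which scripts may run for a given consent state. Returning the list
// (rather than touching the DOM directly) keeps the policy testable.
function permittedScripts(consent, scripts = SCRIPTS) {
  return scripts.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Browser glue: inject only the permitted scripts. `doc` defaults to the real
// document so the same function can take a fake document in tests.
function applyConsent(cookieString, doc = document) {
  const allowed = permittedScripts(parseConsent(cookieString));
  for (const src of allowed) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return allowed;
}
```

On a real page you would call `applyConsent(document.cookie)` on load and again after the banner writes the cookie via `buildConsentCookie`; analytics never loads until the stored consent includes it.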

Practical compliance checklist

If you do all of these, you’re in reasonable shape:

  1. Privacy policy live and linked from footer
  2. Information Officer registered with the Regulator
  3. Cookie consent banner active on the site
  4. All forms have explicit consent tick-boxes
  5. Email marketing list re-consented (or built fresh post-POPIA)
  6. SSL certificate active
  7. WordPress and plugins updated monthly
  8. Daily backups running

Where it gets complicated

If your business handles particularly sensitive data – health records, children’s information, financial detail, biometrics – the requirements escalate significantly. That’s when professional legal advice is genuinely worth the cost.

For most small service businesses with a marketing website and basic forms, the checklist above is the practical compliance baseline.

Want help getting compliant?

We build POPIA-aware websites by default – cookie consent, privacy policy templates, secure forms, the lot. If your existing website needs a compliance refresh, we can do that as a once-off project. Browse our web design services or get in touch for a free compliance audit.