Skip to content
Yoros
Back to Blog
Legal & Complianceby Yoros

POPIA in Practice: What South African Business Websites Actually Need to Comply

POPIA has been enforceable since 2021 — but most SA small business websites are still missing the basics. Here's a plain-English guide to what your site actually needs to comply.

POPIA in Practice: What South African Business Websites Actually Need to Comply

The Protection of Personal Information Act — POPIA — has been fully enforceable in South Africa since July 2021. The Information Regulator has the authority to investigate complaints, issue enforcement notices, and impose fines of up to R10 million for serious contraventions.

And yet, if you look at the websites of most South African small and medium businesses, the basic compliance requirements are either absent or implemented incorrectly.

This is not because business owners are careless. It is because nobody has explained clearly what a website actually needs to comply — as opposed to the 200-page academic breakdowns of the Act that appear when you search for guidance.

Here is the practical version.

First, Does POPIA Apply to Your Website?

If your website collects any personal information from visitors, POPIA applies. Personal information includes names, email addresses, phone numbers, IP addresses, and browser data collected by analytics tools.

For context, this means POPIA applies to your website if any of the following exist:

  • A contact form
  • A newsletter signup
  • A booking or enquiry system
  • A login/registration area
  • Google Analytics or any other analytics tool
  • A cookie that tracks user behaviour

That covers essentially every business website. The question is not whether POPIA applies — it almost certainly does — but whether you are meeting its requirements.

The Four Things Most SA Sites Are Missing

1. A Privacy Policy That Actually Says What It Needs To

A privacy policy is not optional. POPIA requires you to notify data subjects about what information you collect, why you collect it, who you share it with, and how they can exercise their rights.

The problems most SA sites have with their privacy policies:

  • They're copied from a foreign template and reference GDPR rather than POPIA
  • They're so generic they say nothing specific about what data is actually collected
  • They don't identify the Responsible Party (the business name and contact details)
  • They don't explain the data subject rights available under South African law
  • They're accessible from the footer but not referenced in the forms that collect data

A POPIA-compliant privacy policy needs to name your business as the Responsible Party, list the categories of personal information you collect, state the purpose for each category, name any third parties you share data with (including analytics platforms and email providers), state retention periods, and explain how a data subject can access, correct, or request deletion of their information.

2. Cookie Consent That Is Actual Consent

If your website uses cookies that are not strictly necessary for the site to function — which includes Google Analytics, Facebook Pixel, and most marketing tools — you need to obtain consent before setting those cookies.

What counts as consent under POPIA: an active, informed choice. Clicking "Accept" on a banner that clearly explains what cookies are being set.

What does not count as consent:

  • A banner that says "we use cookies, by continuing to use this site you agree" — this is assumed consent, which POPIA does not recognise
  • A pre-ticked "I agree" checkbox
  • A banner with no option to decline
  • No banner at all

The practical requirement: a cookie consent banner that offers a genuine choice (accept or decline non-essential cookies), that does not set non-essential cookies until consent is given, and that records the consent for audit purposes. Many SA websites have the banner but still set analytics cookies before the visitor has clicked anything — this is non-compliant.

3. A POPIA Notice on Every Form That Collects Personal Information

Every form on your website that collects personal information needs a notification to the person completing it. This is sometimes called a PAIA/POPIA notice or a data subject notice.

It does not need to be lengthy. It needs to cover:

  • Who is collecting the information (your business name)
  • Why it is being collected (the specific purpose — "to respond to your enquiry" or "to send you the newsletter you've signed up for")
  • Whether providing the information is voluntary or mandatory
  • The consequences of not providing it (if any)
  • Whether the information will be shared with third parties, and if so, who

A single sentence beneath your form that says "Your information will be used to respond to your enquiry. We will not share it with third parties. See our Privacy Policy for full details." covers the basics. Most SA contact forms have nothing.

4. A Way for Data Subjects to Exercise Their Rights

Under POPIA, individuals have the right to access their personal information, correct inaccuracies, and request deletion under certain circumstances. They can also object to the processing of their information.

Your website needs to provide a clear way for people to do this. At minimum: an email address designated for data subject requests (hello@yourbusiness.co.za is fine, but it should be stated), and a commitment to responding within a reasonable timeframe (30 days is the standard).

This does not require a complex technical implementation. It requires that the contact point exists, is visible, and is monitored.

The Information Regulator: What You Should Know

The Information Regulator of South Africa is the body responsible for enforcing POPIA. It handles complaints from data subjects whose rights they believe have been violated, and it has powers to investigate, issue enforcement notices, and impose fines.

Fines under POPIA can reach R10 million or up to ten years' imprisonment for serious contraventions. For a small business, the more realistic risk is an enforcement notice that requires remediation, and the reputational damage of a public complaint.

Complaints are processed via the Information Regulator's website at www.inforegulator.org.za. The volume of complaints is increasing as South African consumers become more aware of their rights.

What POPIA Compliance Looks Like in a Well-Built Site

A website built with POPIA compliance as a design requirement — rather than retrofitted after the fact — looks like this:

  • A privacy policy page at /privacy, linked from every page footer, that is specific to the business and reflects actual data practices
  • A cookie consent banner that genuinely controls cookie behaviour and records consent
  • A POPIA notice beneath every form, linking to the privacy policy
  • An email address or contact method clearly designated for data subject requests
  • Analytics set up to respect user consent (Google Analytics 4 with consent mode configured so it does not collect data from users who declined)

Every Yoros build includes all of the above as standard. For a once-off client, these are delivered as part of the handover. For subscription clients, we maintain and update them as requirements evolve.

A Note on Getting It Right

This article is a practical overview, not legal advice. For businesses that process sensitive categories of personal information — health data, financial records, children's data — or that operate at significant scale, the compliance requirements are more involved.

In those cases, a POPIA practitioner or privacy attorney is worth the engagement. The Information Regulator's website also has guidance documents that are more accessible than the Act itself.

For most small business websites, however, the four items above close the majority of the compliance gap. They are not complicated to implement — they just require deliberate attention, which most web development projects have not historically given them.

POPIACompliancePrivacySouth AfricaLegal