The POPI Act in South Africa: Everything Website Owners Need to Know
POPIA in South Africa: A Summary
What is POPI?
POPI is shorthand for the Protection of Personal Information. Whether or not a law is in place, organisations need to consider how best to secure the personal information they capture, manage and store in their databases.
POPI is all about privacy, which also means the security of any personal information. To secure information satisfactorily, organisations need to understand what information is gathered and kept. Doing this will require a detailed investigation and shouldn’t be seen as an inconsequential task. Once all is completely acknowledged and understood, steps need to be taken to protect the information.
What is the difference between POPI & POPIA?
POPIA is shorthand for the Protection of Personal Information Act, Act No. 4 of 2013 or POPI Act. This is a new law and is something that the majority of organisations will need to follow.
POPI is the act of protecting Personal Information. It implies that organisations are practising POPI within all their policies, procedures and processes relating to personal information. You cannot practise POPIA, as this is simply the name of the law.
To comply with POPIA, you need to implement a POPI programme. There is a multitude of steps that need to be followed and several documents and tools that will need to be developed.
Personal Information may be seen as:
- Names, addresses, telephone numbers and email addresses.
- Any information about age, race, gender, appearance, characteristics, sexual orientation, language, political and religious beliefs.
- All health data, such as your disabilities or mental wellbeing.
- Online identifiers such as email addresses, IP addresses, cookies, unique identifiers, social media handles or usernames, device fingerprints, pixel tags, MAC addresses, browser history and location data.
POPIA gives South African citizens the right to:
- Protect all of their data and privacy
- Know what data is collected about them
- Request that any information about them be corrected or deleted
How does POPIA affect my Website?
South Africa’s Protection of Personal Information Act (POPIA) affects all website owners in South Africa, and failing to comply could result in hefty fines. Further, if your website is not located in South Africa but processes personal information on SA citizens within SA borders, you will have to comply.
POPIA came into law on the 1st of July 2020 and gave website owners 12 months to comply. The law was enforced from 1st July 2021; however, the gazetting of the law has now been postponed to 1st February 2022. The Amendment of Notice can be found here. Always remember that website compliance is only one aspect of a company’s compliance with the act.
Your website might be used by other brands to market their products or services. You are not legally responsible for this content; however, consumers may think otherwise. It is important to have the correct procedures in place if a customer lays a complaint about any particular ad.
POPIA offers all end-users a higher level of privacy on the internet and makes consent to use, track and store collected personal data a legal requirement. This consent is needed when asking people for their email address or phone number, and for permission to download cookies onto their computer.
Ways in which data is collected from a website:
- Cookies
- Comments
- Email newsletters
- Contact forms
What are Cookies?
Cookies are small text files that your website stores in your visitor’s browser. These files commonly carry information about your website visitors’ preferred location and language settings. They can also store a comprehensive list of information which will include personally identifiable information.
Websites keep cookies that contain customer data. The different types of cookies include:
- Preference Cookies – Cookies that remember usernames or passwords to make navigation easier.
- Statistic Cookies – Cookies that feed information back to Google Analytics so that site owners can see their visitor statistics.
- Marketing Cookies – Cookies that feed valuable marketing data back to platforms such as Facebook and Instagram, to create an audience of people visiting your page.
POPIA requires that website owners ask their site visitors for permission to use these cookies. If you do not comply with this, you may be fined. It also requires that users know exactly which cookies the website uses and have the means to change the permissions they have granted, such as to delete all cookies.
You will need a Privacy Policy if you make use of Google Analytics
Google Analytics tracks data about visitors to your website by storing cookies on their computers. A privacy policy is therefore required.
- Google specifies this requirement in their Terms of Service.
- As per the POPI Act, privacy policies are a legal requirement when a company stores, transfers, or handles anyone’s personal information.
What Impact will the POPI Act have on marketing your business?
Direct marketing has always been an effective way for companies to quickly grow their customer base. With the POPI Act in place, companies will need to review their marketing mediums to ensure they are compliant.
POPI provides privacy rights to individuals by allowing a business to engage in direct marketing by electronic means, such as email and SMS, only if the potential customer has given consent to receive direct marketing.
This contrasts with the previous state of affairs, where direct marketers only had to stop making unsolicited calls, sending emails, etc. to a potential customer once that customer objected to, or opted out of, the direct marketing.
When using a third party, such as someone who manages your company newsletters, have a written and signed contract in place to ensure that they will also keep your customers’ and prospective customers’ information safe.
The POPI Act allows the following Direct Marketing:
- Businesses may make a once-off request to a potential customer to opt in to receive direct marketing, unless the customer has already opted out.
- Businesses are allowed to market directly to established customers if the additional marketing is legitimately in the customer’s interest. Your marketing may apprise a customer of a service or product offered by the website owner that is similar to one the customer has already acquired.
How will the POPI Act affect my E-commerce Business?
The POPI Act will require that e-commerce companies have an extra opt-in level, alerting consumers to exactly what information they are sharing, and what will be done with that information.
The Electronic Communications and Transactions Act (ECTA) is still the main legislation that regulates e-commerce in South Africa. This controls how, where and when legal contracts are concluded, and imposes obligations on payment systems.
A number of e-commerce shop owners feel they don’t need a Privacy Policy. Many of these owners believe their e-commerce businesses are too small to warrant a Privacy Policy and are of the opinion that Privacy Policies are for big businesses only. No matter how big or small your business is, by law, you will need a Privacy Policy if you collect and process personal data from anyone.
Conclusion
Publish a privacy policy on your website. This is essential because it will let your users know that you take their personal data and privacy seriously.
Ask yourself the following questions:
- Do I collect user data?
- How do I become compliant, and stay compliant?
Having a privacy policy in place enables businesses to understand consumer behaviour to better analyse and improve their marketing. It assures and satisfies the rights of consumers to have their privacy respected. Get in touch with Semantica for assistance with the implementation of privacy policies and cookie notifications on your website.