
Kickstart your POPIA compliance and avoid legal fines

Align your business with POPIA’s conditions for consent in just minutes with our end-to-end cookie consent solution.

Become POPIA Compliant

14-day free trial Cancel anytime

The #1 cookie consent solution, trusted by 1.5 Million+ websites


Protection of Personal Information Act (POPIA or POPI Act) is a data protection law in South Africa that aims to regulate the processing of personal information by public and private entities. The Act seeks to protect the privacy of individuals and ensure that their personal data is processed in a fair and transparent manner. POPIA came into full effect on July 1, 2020.

POPIA Compliance Checklist for Websites

  • Obtain user consent for cookies and trackers
  • Maintain a record of all user consent
  • Include an accurate, up-to-date privacy policy
  • Limit data collection to legitimate purposes only
  • Notify the data protection authority and affected users of data breaches

Prepare for POPIA compliance with CookieYes

Obtain informed consent for cookies

POPIA requires that businesses process personal data only after obtaining informed consent from users, and that users can withdraw that consent easily.

With CookieYes you can

  • Scan your website against a 100,000+ cookie database
  • Display a custom cookie banner that fits your brand
  • Show a consent revisit widget for users to withdraw consent

Put consent management in auto-pilot

As obtaining consent is a key provision in POPIA, businesses should take measures to ensure ongoing compliance with the requirements for consent and proof of consent.

With CookieYes you can

  • Auto-block all third-party cookies prior to user consent
  • Schedule cookie scanning for continuous compliance
  • Record consent logs for proof of consent during audits

Generate POPIA-compliant policies

Under POPIA, businesses must publish a privacy policy to satisfy ‘openness’, one of the required conditions for lawful processing. The policy must describe the personal data collected, the purpose of collection, and related details.

With CookieYes you can

  • Use our pre-built, legally-compliant policy templates
  • Generate your privacy policy and cookie policy in minutes
  • Simply copy-paste the legal policies to your website

Achieve cookie compliance without spending hours

Learn more about POPIA and take the next step towards compliance

What is POPIA?

The Protection of Personal Information Act (POPIA) is a South African data protection law that imposes obligations on companies for processing personal data and grants certain rights to individuals to protect their privacy. POPIA aims to achieve a balance between the constitutional right to privacy and other competing rights and interests. POPIA was first passed in 2013 and came into effect on July 1st, 2021.

Who does POPIA apply to?

POPIA or the POPI Act applies to organisations processing the personal information of South Africans. Under POPIA, personal information can be related to a “natural person” and a “juristic person” i.e. an independent legal entity such as a company. POPIA also applies to processors outside of South Africa if they make use of automated or non-automated means within South Africa.

POPIA also provides for certain exclusions and exemptions, including data processing for purely personal or household activities, personal information that has been irretrievably de-identified, and processing by a public body involved in national security, defence, public safety, anti-money laundering, the Cabinet or the Executive Council of a province, or processing carried out as part of a judicial function.

What are consumer rights under POPIA?

Right to be informed

The right to know about the personal data a business collects about them and how it is used and shared.

Right to access

The right to access personal data and to have it available in a clear and readable format, free of cost.

Right to correct

The right to request to correct, update, or complete personal data about them.

Right to object

The right to object and restrict the processing of personal data, and have information on the consequences of refusal.

Right to opt-out of automated processing

The right to not be subject to a decision which is based solely on the automated processing of personal information.

Right to complain

The right to challenge an organization’s compliance by raising the matter with the individual accountable for that organization’s compliance.

Right to civil action

The right to institute a civil action for damages against an organization for breach of any provision of the Act.

What is the penalty for non-compliance?

POPIA outlines penalties for non-compliance, which depend on the nature and severity of the violation. The monetary fines for more serious offences can go up to ZAR10 million (approx. €490,000). Individuals may also face up to 10 years imprisonment for certain violations of the Act.

For less serious offences, the maximum penalty can be imprisonment not exceeding 12 months or a reduced fine. Data subjects who suffer as a result of a violation of POPIA can also initiate civil proceedings for damages.

FAQ on POPI Act Compliance

The Protection of Personal Information Act 4 of 2013 (POPI Act) is a South African law that aims to protect the personal information of individuals. The Act aims to regulate how personal information is processed and provide individuals with rights and remedies to protect their personal information. POPIA highlights eight foundational conditions that organizations must comply with in order to protect personal information.

POPIA or POPI Act took effect on July 1, 2020, and enforcement began after a 1 year grace period on July 1, 2021.

Personal information in POPIA is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” It is important to note that POPIA’s definition of PI also includes a juristic person, i.e. an organization recognized by law to have rights and responsibilities like a natural person.

This information about a person includes but is not limited to demographic details like name, age, race, gender, contact information such as email address, physical address, phone number, financial, employment and educational information, medical history and biometric information.

There are some exceptions to the applicability of the POPI Act in South Africa. It does not apply if:

  • Data processing is carried out for a personal or household activity
  • Data is de-identified and cannot be re-identified
  • Data processing is done by or on behalf of a public body:
    • for national security
    • for the prevention, detection, and identification of the proceeds of unlawful activities
    • by the Cabinet and its committees or the Executive Council of a province
    • as part of the judicial functions of a court, or
    • in relation to terrorist and related activities

POPIA limits the transfer of personal data outside South Africa unless at least one of the prescribed safeguards set out by the Act is met and the transfer does not put the personal information at risk of breach of confidentiality or security.

Section 72 of the POPI Act sets out the conditions for the cross-border transfer of personal information. These include: consent from the data subject; the recipient of the personal information being subject to Binding Corporate Rules (BCRs) and to processing conditions established “in harmony with international standards”; and the transfer being necessary to fulfil the terms of a contract.

The Information Regulator is the regulatory authority for the POPI Act in South Africa. It is the independent statutory body established by the Act and is responsible for monitoring and enforcing POPIA compliance by public and private bodies.

The Information Regulator has the power to investigate complaints, issue fines and take legal action against non-compliant entities. It will regulate both POPIA and the Promotion of Access to Information Act or PAIA.

The GDPR has extra-territorial scope, meaning entities outside of the EU/EEA that collect the personal data of EU/EEA residents can come under the purview of GDPR.

This means businesses in South Africa that process the personal data of EU consumers must ensure that it is adequately protected, in accordance with GDPR standards.

As the POPI Act of South Africa shares many similarities with the GDPR, compliance with POPIA can also be a step towards compliance with the GDPR.


Fast-track your POPIA compliance in minutes

Set up a cookie consent banner in 3 simple steps and automate your compliance.
