Who Needs to Be POPIA Compliant?
Any South African business or individual that collects, stores, uses, or shares personal information. If your website has any of the following, you are processing personal information under POPIA:
- A contact form (name, email, phone)
- A newsletter signup
- An online booking or appointment system
- A quote request form
- An e-commerce checkout
- Google Analytics or any tracking pixel (Meta Pixel, LinkedIn Insight Tag)
- A client login portal
- WhatsApp click-to-chat buttons (initiating a chat creates a record)
If any of these apply to you, the items below are obligations that follow from POPIA and its regulations, not optional best practice.
The Complete POPIA Website Checklist
1. Privacy Policy
- Your site has a dedicated Privacy Policy page (not buried in Terms and Conditions)
- The Privacy Policy identifies your organisation as the Responsible Party
- It lists every category of personal information you collect
- It explains the specific purpose for collecting each type of data
- It states your data retention period (how long you keep the data)
- It identifies any third parties you share data with (hosting provider, email service, CRM)
- It provides contact details for your Information Officer
- It explains how data subjects can request access, correction, or deletion of their data
- The policy was drafted or reviewed for POPIA specifically (not a generic GDPR template)
2. Consent Collection
- Every form that collects personal information has an explicit, unticked consent checkbox
- The consent language is specific — it names what data is being collected and why
- Consent for marketing communications is separate from consent for service delivery
- Data subjects can withdraw consent (unsubscribe link in emails, deletion request process)
- Consent records are stored (timestamp, IP, version of consent text shown)
3. Information Officer
- Your organisation has appointed an Information Officer (can be the owner for small businesses)
- The Information Officer is registered with the Information Regulator at inforegulator.org.za
- The Information Officer's contact details are published on your website
- The Information Officer has completed the Information Regulator's prescribed training
4. Data Security (Technical Measures)
- Your website is served only over HTTPS (valid TLS certificate, HTTP redirected to HTTPS, HSTS header set)
- Form submissions travel over HTTPS end to end, including the hop from your site to the mailbox, CRM or webhook that receives them
- Collected personal data is encrypted at rest (database, backups, exports), and any client-portal passwords are stored as salted hashes, never in plaintext
- Access to collected data is restricted to authorised personnel, and that access is logged so you can show who viewed or exported what
- Third-party processors (email providers, CRMs) have signed a Data Processing Agreement with you
- If personal data is processed outside South Africa (offshore hosting, overseas SaaS, a CRM in another country), the transfer is covered by section 72 of POPIA: the recipient is bound by law or contract to protection comparable to POPIA, or the data subject has consented, and you have documented which ground applies
5. Cookies and Tracking
- Your site has a Cookie Notice that explains what cookies are set and why
- Non-essential cookies (analytics, advertising) are only set after consent
- Google Analytics is configured for data minimisation (on Universal Analytics, IP anonymisation enabled; on GA4, Google Signals and advertising features off, since those enable cross-site and cross-device tracking)
- Meta Pixel and other ad tracking pixels are disclosed in your Privacy Policy
- Users can opt out of tracking without losing access to the site
6. Data Breach Response Plan
- You have a documented procedure for detecting a data breach
- The procedure includes notifying the Information Regulator "as soon as reasonably possible" after discovery, as section 22 of POPIA requires (POPIA sets no fixed 72-hour deadline; that figure comes from GDPR, and is a reasonable internal target but not the statutory test)
- The procedure includes notifying affected data subjects without unreasonable delay
- Breach notification templates are prepared in advance
- Your IT provider or developer has a contact escalation process for security incidents
7. PAIA Manual (Public Access to Information)
- If your organisation has 50+ employees (or turnover above the threshold for your sector): a PAIA Manual has been compiled and made available in the manner prescribed by the Information Regulator, which oversees PAIA (this function moved from the SAHRC to the Regulator; SAHA is an archive, not the authority)
- For smaller businesses: you have a documented process for responding to information access requests
- Your Privacy Policy references how to submit a formal access request
Common Mistakes South African Websites Make
Using a GDPR template as a POPIA policy
GDPR (Europe's privacy law) and POPIA share principles but have different requirements, different authorities, and different enforcement mechanisms. A GDPR template will not satisfy the Information Regulator. POPIA specifically requires reference to your Information Officer and compliance with the Promotion of Access to Information Act — neither of which appears in GDPR templates.
Pre-ticked marketing consent checkboxes
This is unlawful under POPIA. Section 1 defines consent as a "voluntary, specific and informed expression of will". A pre-ticked box is not an expression of will at all, so it satisfies none of these criteria. The fine for this alone can be substantial, and it is trivially easy for the Regulator to detect.
Storing personal data in shared spreadsheets
If your contact form submissions go to a shared Google Sheet or an email inbox that multiple people can access, you are likely in violation of POPIA's security safeguards requirements. Access must be controlled and logged.
No cookie consent for analytics
Google Analytics sets cookies that identify individual users across sessions. This is processing of personal information. Under POPIA, you need consent before setting these cookies, and that consent must be obtained before the tag fires, not after: a banner that appears while the analytics script is already loading in the page head does not fix the problem.