POPIA at a Glance: What the Law Actually Says

The Protection of Personal Information Act (POPIA), sometimes called the POPI Act, is South Africa's primary data protection law. The President assented to it in November 2013, but its substantive provisions only commenced on 1 July 2020, with a twelve-month grace period giving organisations until 30 June 2021 to reach full compliance.

POPIA governs how public and private bodies collect, store, use, and share personal information. It created the Information Regulator - an independent body responsible for monitoring and enforcing the Act - and granted South African residents (and, unusually, legal entities) a set of enforceable rights over their personal data.

If you run a website and the responsible party is domiciled in South Africa, or is domiciled elsewhere but uses automated or non-automated means located in South Africa to process personal information, POPIA applies to you (section 3). That includes setting cookies on visitors' browsers.

Who Does POPIA Protect? The Juristic Person Difference

Most privacy laws protect natural persons - living, breathing individuals. POPIA goes further. It extends protection to juristic persons: companies, trusts, partnerships, and other legal entities. This is one of the sharpest distinctions between POPIA and the EU's General Data Protection Regulation (GDPR), which covers only natural persons.

What does that mean in practice? If your website collects information about a business - a company registration number, a trading name linked to identifiable data, or financial details tied to a specific entity - POPIA treats that information with the same care as an individual's home address or ID number.

The definition of "personal information" under POPIA is broad. It covers names, contact details, identity numbers, online identifiers (including cookies), email addresses, financial history, employment records, biometric data, and even another person's opinion about an individual. If a piece of data can identify a living person or an existing legal entity, directly or indirectly, it qualifies.

The Eight Conditions for Lawful Processing

POPIA is built around eight conditions that every responsible party must satisfy when processing personal information. Section 4 of the Act lists them, and they function as the minimum requirements for lawful data handling.

| Condition | POPIA sections | What it requires |
|---|---|---|
| Accountability | Section 8 | The responsible party must ensure compliance with all conditions, both when determining the purpose and means of processing and during the processing itself. |
| Processing limitation | Sections 9-12 | Personal information must be processed lawfully and in a reasonable manner, and must be adequate, relevant and not excessive for the stated purpose. Section 11 lists consent as one of several lawful bases, not the only one. |
| Purpose specification | Sections 13-14 | Collect data for a specific, explicitly defined and lawful purpose. Do not retain it longer than necessary. |
| Further processing limitation | Section 15 | Any further processing must be compatible with the original purpose of collection. |
| Information quality | Section 16 | Personal information must be complete, accurate, not misleading and updated where necessary. |
| Openness | Sections 17-18 | Data subjects must be informed about who is collecting their data, the purpose and their rights, before or as soon as reasonably practicable after collection. |
| Security safeguards | Sections 19-22 | Appropriate, reasonable technical and organisational measures must prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it. |
| Data subject participation | Sections 23-25 | Data subjects have the right to access, correct and request deletion or destruction of their personal information. |

These conditions mirror the principles found in the GDPR, but the terminology differs. Where the GDPR refers to "data controllers" and "data processors", POPIA uses "responsible parties" and "operators". Where the GDPR grants a right to data portability, POPIA is silent on the matter entirely.

POPIA and Cookies: What Website Owners Must Know

POPIA does not mention cookies by name. There is no dedicated "cookie article" equivalent to Article 5(3) of the EU's ePrivacy Directive. But that does not mean cookies fall outside the Act's scope.

Cookies that collect personal information - and most analytics and marketing cookies do, through unique identifiers, IP addresses, and behavioural data - are squarely within POPIA's definition of personal information processing. The Act defines personal information to include online identifiers, which means cookies like _ga, _fbp, or any tracker that assigns a unique ID to a visitor are covered.

South African privacy law firm Michalsons has noted that the Information Regulator is likely to follow international guidelines on cookies, including the EDPB's position that merely scrolling a website does not constitute informed consent. Only strictly necessary cookies - those essential for a website to function - can be set without prior consent.

For website owners, this means three practical requirements:

  • Display a cookie notice that clearly explains what cookies your site uses and why.
  • Obtain informed, voluntary, and specific consent before setting non-essential cookies. Pre-ticked boxes and cookie walls are not compliant.
  • Provide an easy mechanism for visitors to withdraw consent or update their preferences at any time.

Section 69 of POPIA prohibits direct marketing by unsolicited electronic communication unless the data subject has consented or is an existing customer (and even existing customers must be given a chance to opt out). If the marketing cookies your site sets feed that kind of communication, the consent must be in place before those cookies fire.

Consent Under POPIA: Not Quite the Same as GDPR

POPIA defines consent as a "voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information." That language closely tracks the GDPR's requirements - but there are differences worth noting.

Consent is only one of several lawful bases for processing under POPIA. Others include contractual necessity, legal obligation, protection of a legitimate interest of the data subject, performance of a public law duty, and the legitimate interests of the responsible party or a third party. In practice, most cookie-based tracking on websites will require consent, because it is difficult to argue that setting a _ga analytics cookie on an anonymous visitor's browser serves a contractual obligation or the visitor's legitimate interest.

Breach notification is another point of divergence. POPIA does not impose a specific time limit the way the GDPR does with its 72-hour window. Instead, section 22 requires the responsible party to notify the Information Regulator and the affected data subjects "as soon as reasonably possible" after a security compromise is discovered. In April 2025, the Information Regulator launched a new eServices Portal for mandatory digital breach reporting, replacing the older manual Form SCN1 process and bringing South Africa closer to international best practice for streamlined incident handling.

How POPIA Compares to the GDPR

If you already comply with the GDPR, you have a significant head start on POPIA. The two laws share the same DNA - principle-based data protection, consent requirements, data subject rights, and an independent supervisory authority. But several key differences trip up organisations that assume GDPR compliance automatically covers them.

| Feature | GDPR | POPIA |
|---|---|---|
| Scope of protection | Natural persons only | Natural persons and juristic persons (companies, trusts) |
| Territorial reach | Extraterritorial: applies to controllers established in the EU and to anyone offering goods or services to, or monitoring, data subjects in the EU | Responsible parties domiciled in South Africa, or using means located in South Africa to process personal information |
| Data Protection Officer | Required in certain circumstances (Article 37) | Information Officer defaults to the head of the body (CEO or equivalent) and must be registered with the Regulator; Deputy Information Officers designated as needed (section 56) |
| Right to data portability | Yes (Article 20) | No equivalent provision |
| Breach notification deadline | 72 hours to supervisory authority | "As soon as reasonably possible", no fixed deadline |
| Maximum administrative fine | EUR 20 million or 4% of global annual turnover | ZAR 10 million (approximately EUR 490,000 at the time of writing) |
| Criminal penalties | Left to member states | Up to 10 years' imprisonment for serious offences |
| Cookie-specific rules | ePrivacy Directive (Article 5(3)) works alongside GDPR | No separate cookie law; cookies fall under general POPIA principles |

The penalty gap is striking. A GDPR fine can reach tens of millions of euros. POPIA's financial ceiling is ZAR 10 million - roughly half a million euros. But POPIA compensates with something the GDPR does not mandate at EU level: criminal imprisonment of up to ten years for offences such as obstructing the Information Regulator, failing to comply with an enforcement notice, or making false statements under oath.

Enforcement: The Information Regulator Means Business

For the first two years after POPIA became fully enforceable, the Information Regulator focused on education and conducting compliance assessments rather than issuing fines. That changed in July 2023.

The Regulator imposed its first administrative fine, ZAR 5 million, on the Department of Justice and Constitutional Development (DoJ&CD). The department had suffered a ransomware attack in September 2021 that compromised approximately 1,204 files containing personal information including names, banking details and contact information. An investigation found that the department had let its antivirus, SIEM and intrusion detection system licences expire, leaving the affected systems without those controls. The Regulator issued an enforcement notice in May 2023 ordering the department to renew those licences within 31 days. The department neither complied nor appealed. The ZAR 5 million fine, half the statutory maximum, followed.

Since then, enforcement activity has accelerated. During 2024, the Information Regulator issued three further enforcement notices related to security compromises and one against a social media platform for applying weaker privacy protections to South African users than to users in other jurisdictions. The Regulator also conducted over 30 compliance assessments across industries, including law firms, social media platforms, and public bodies.

In February 2024, the Regulator issued its first enforcement notice for direct marketing non-compliance, targeting a consulting firm that had continued sending unsolicited marketing emails after the recipient had opted out multiple times. The Regulator's chairperson, Advocate Pansy Tlakula, has publicly asked Parliament to amend POPIA to allow immediate sanctions rather than waiting for the full enforcement notice process to run its course.

Key Rights POPIA Grants to Data Subjects

POPIA creates a set of rights that website visitors and customers can exercise. If you collect personal information through your site, you need to be able to respond to these requests.

Data subjects have the right to be notified when their personal information is collected, including who is collecting it, the purpose, and whether any third parties will receive it. They can request access to the personal information a responsible party holds about them. They can request correction of inaccurate data, and they can request deletion or destruction of personal information that is no longer needed for its original purpose.

There is a right to object to processing - particularly processing for the purpose of direct marketing via unsolicited electronic communications. Data subjects also have the right not to be subject to decisions based solely on automated processing of their personal information, though the safeguards here are narrower than under the GDPR. POPIA provides a right to make representations about an automated decision, while the GDPR offers a broader trio: human intervention, the ability to express a point of view, and the right to contest the decision.

One right POPIA does not include is data portability. Under the GDPR, individuals can request their data in a structured, machine-readable format and have it transmitted to another controller. POPIA has no equivalent provision.

2025 Regulatory Updates: Amended Regulations and New Obligations

On 17 April 2025, the Information Regulator published amendments to the POPIA Regulations that took effect immediately. These changes are significant for website owners and businesses alike.

The amended regulations simplify the processes for data subjects to object to processing, request corrections or deletions, and provide consent for direct marketing. They also expand the duties of Information Officers, requiring them to develop and continuously improve a POPIA compliance framework - not just create one and forget about it.

Complaints can now be submitted by any person with a sufficient personal interest, or by anyone acting in the public interest. That broadened standing means advocacy groups or concerned third parties could potentially file complaints about your website's cookie practices, not just the affected individuals themselves.

The same month, the Regulator announced its intent to address the ethical use of AI and automated decision-making. Businesses using AI tools for customer profiling, personalised marketing, or automated cookie categorisation should prepare for additional compliance requirements on the horizon.

Cross-Border Data Transfers Under POPIA

Section 72 of POPIA restricts the transfer of personal information outside South Africa. This matters for any website using third-party analytics, advertising, or marketing tools hosted abroad - which is nearly every website.

Section 72(1) permits a transfer where the recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of protection substantially similar to POPIA's conditions (including comparable restrictions on onward transfer); where the data subject consents; where the transfer is necessary for the performance of a contract between the data subject and the responsible party, or of a contract concluded in the data subject's interest; or where the transfer is for the data subject's benefit, consent is not reasonably practicable to obtain and the data subject would be likely to give it. POPIA has no equivalent of the GDPR's Commission-approved standard contractual clauses or codes of conduct; a "binding agreement" that meets the adequacy test is how contractual safeguards fit in.

The National Data and Cloud Policy, published in May 2024, adds a further layer: government data involving national security must be stored on digital infrastructure within South Africa's borders. While this primarily affects public bodies, it signals a broader direction of travel for data localisation expectations.

Practical Compliance Checklist for Your Website

Getting your website POPIA-compliant does not require a complete overhaul if you already follow basic privacy principles. But there are specific steps you should not skip.

Start by scanning your website for cookies. You need a full inventory of every cookie your site sets - first-party and third-party - along with its purpose, duration, and the data it collects. Without this audit, you cannot write an accurate cookie notice or configure consent categories correctly. Kukie.io's cookie scanner detects and categorises cookies automatically, giving you a clear baseline.

Draft a cookie notice that is specific to your site. Generic templates copied from another business will not satisfy POPIA's openness condition (Sections 17-18), which requires you to tell data subjects who you are, what you collect, and why. Your notice should be written in plain, understandable language.

Implement a consent mechanism that allows visitors to accept or decline non-essential cookies before those cookies are set. The mechanism must offer genuine choice: no pre-ticked boxes, no "accept all" as the only visible option, and no cookie walls that block content until the visitor agrees. Record and store proof of consent, including what notice the visitor saw and when, because section 11(2)(a) places the burden of proving valid consent on the responsible party.

Publish a comprehensive privacy policy covering all personal information processing, not just cookies. Include details about cross-border transfers, data retention periods, and how data subjects can exercise their rights. Link this policy from your cookie banner and from your website footer.

Appoint an Information Officer. Under POPIA, this role defaults to the head of the organisation (the CEO or equivalent) unless someone else is duly authorised. You must register your Information Officer with the Information Regulator before they take up their duties. Section 56 also requires you to make provision for designating Deputy Information Officers as needed.

Frequently Asked Questions

Does POPIA apply to websites based outside South Africa?

POPIA applies t