Why POPIA Matters for Your Website
The Protection of Personal Information Act (POPIA) governs how South African organisations collect, store, and use personal information. Almost every website processes some personal information — contact form submissions, newsletter sign-ups, or analytics identifiers — which means compliance is not optional. The good news is that the essentials are achievable for any business with a methodical approach.
This article is general guidance, not legal advice. For your specific obligations, consult a qualified professional.
The Website Compliance Checklist
1. Publish a Clear Privacy Policy
Your privacy policy should explain what personal information you collect, why you collect it, how long you keep it, with whom you share it, and how visitors can exercise their rights. Write it in plain language and link to it from your footer and from every form.
2. Collect Only What You Need
POPIA favours minimal collection. Review every form on your site and remove fields you do not genuinely use. If you only need a name and email to respond to an enquiry, do not ask for more.
3. Get Consent Where It's Required
For activities like marketing emails and non-essential cookies, obtain clear, informed consent. That means an unticked checkbox the visitor actively selects — not pre-ticked boxes or assumed agreement. Keep a record of when and how consent was given.
4. Handle Cookies and Analytics Responsibly
Analytics and advertising tools often set cookies and process identifiers. Use a cookie banner that lets visitors accept or decline, and ensure non-essential tools only load after consent. Essential cookies that make the site function can be exempt, but be transparent about them.
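Points 3 and 4 together describe a consent gate: essential tools always run, non-essential tools load only after an active opt-in, and every decision is recorded. The following is an added illustration, not code from this article or from ADigital; the names (ConsentGate, TOOLS, the loader callback) are hypothetical, and a real site would inject script tags inside the loader.

```javascript
// Consent categories a banner would offer. "essential" is exempt from consent.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Hypothetical tool registry: each tool names the category it depends on.
const TOOLS = [
  { name: "session-cookie", category: "essential" },
  { name: "web-analytics", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
];

class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.records = [];                       // audit trail of when and how consent was given
    this.granted = new Set(["essential"]);   // everything non-essential starts declined
  }

  // Record a visitor's choice. `evidence` must show an active selection
  // (an unticked box the visitor ticked); pre-ticked or assumed consent is rejected.
  record(choices, evidence) {
    if (!evidence || evidence.activelySelected !== true || !evidence.method) {
      throw new Error("consent must be an active, documented choice by the visitor");
    }
    for (const [category, accepted] of Object.entries(choices)) {
      if (!CATEGORIES.includes(category) || category === "essential") continue;
      if (accepted) this.granted.add(category); else this.granted.delete(category);
    }
    const entry = { at: this.now(), method: evidence.method, choices: { ...choices } };
    this.records.push(entry);
    return entry;
  }

  // A "decline" click or a withdrawal request resets all non-essential consent.
  withdraw(method) {
    return this.record({ analytics: false, marketing: false },
                       { activelySelected: true, method });
  }

  // Names of the tools that may run under the current consent state.
  allowedTools() {
    return TOOLS.filter(t => this.granted.has(t.category)).map(t => t.name);
  }

  // Invoke `loader` for each permitted tool only; returns what was loaded.
  load(loader) {
    const names = this.allowedTools();
    names.forEach(loader);
    return names;
  }
}
```

Persist `records` server-side so the "when and how" of each consent can be shown later, and re-run `load` only after `record` has succeeded.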
5. Secure the Data You Hold
POPIA requires reasonable security safeguards. At a minimum: serve your site over HTTPS, keep software and dependencies updated, restrict who can access submitted data, and use reputable, secure providers for forms and storage. Avoid emailing personal information in plain text where possible.
6. Honour Data-Subject Rights
Visitors have the right to access the information you hold about them, to correct it, and to request deletion. Make sure you have a simple internal process — and a contact address — for handling these requests promptly.
7. Appoint and Register an Information Officer
Every organisation has an Information Officer (by default, the head of the organisation) who is responsible for POPIA compliance. Registering that person with the Information Regulator is part of meeting your obligations.
8. Have a Breach Response Plan
If personal information is compromised, POPIA requires you to notify the Information Regulator and affected individuals. Decide in advance who is responsible, what steps you will take, and how you will communicate, so you are not improvising during an incident.
A Quick Self-Assessment
- Is your privacy policy current and linked site-wide?
- Does every form collect only what you actually use?
- Do marketing sign-ups and non-essential cookies require active consent?
- Is the site served over HTTPS with access to submissions restricted?
- Do you have a process for access, correction, and deletion requests?
- Is your Information Officer registered, and do you have a breach plan?
How ADigital Can Help
We build websites and digital platforms with privacy and security designed in — consent-aware analytics, secure forms, HTTPS, and clear data-handling practices. If you are unsure whether your current site measures up, we can review it and help you close the gaps.
Want a privacy-ready website that earns customer trust? Get in touch with ADigital today.
