South Africa’s Protection of Personal Information Act affects how you, as a website owner, may use cookies and track visitors online.
If your website, company or organisation is located in South Africa and you process personal information, you are legally obliged to comply with the new regulations.
Moreover, if your website is not located in South Africa but processes personal information on SA citizens within SA borders, you have to comply.
The act took effect on 1 July 2020 and enforcement is scheduled to begin on 1 July 2021.
The new laws will replace the provisions in the Electronic Communications and Transactions Act (ECTA) from 2002. This act regulated the collection of personal information but compliance was voluntary for companies and organisations.
You need to take the necessary steps to protect the personal information you collect and use – if you haven’t already.
What exactly is personal information?
The POPI Act defines personal information as: “information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.”
In other words, this information is the data that can be used to identify a person.
It may include:
• names, addresses, telephone numbers and email addresses
• information about age, race, gender, appearance, characteristics, sexual orientation, political persuasion, religious beliefs and language
• health data such as mental wellbeing and disabilities
• online identifiers such as email addresses, IP addresses, cookies, unique identifiers, search and browser history and location data
The introduction of the POPI Act means that South African citizens have the right to:
- protect their data and privacy
- gain insight into what data is collected about them (for example, through the use of website cookies)
- request that it be corrected or deleted
In terms of the new laws, there are eight conditions that must be satisfied when processing personal information. Read more about them here.
Remember, though, that website compliance is only one aspect of wider company compliance with the act.
After 30 June 2021, a business could face fines for non-compliance if they ignore POPI’s eight conditions for the handling (“processing”) of a customer’s personal information.
Bryan Hutchinson, an attorney at Durban law firm Ramdass and Associates, advises business owners to familiarise themselves with these conditions.
He urges business owners to find out whose personal information they have access to, and if they still need it, to ensure that any databases of personal information are secure.
This means that electronic documents should be encrypted and hard copies locked away.
“If the personal information isn’t required, assess if it should be destroyed,” says Hutchinson. “For example, if a customer hasn’t been contacted in over seven years, their personal information should be destroyed.”
The likelihood that personal information could go missing or be stolen should also be determined.
Conducting a risk rating and documenting the processes that need to be followed in the event of a data breach is recommended, notes Hutchinson.
He adds it’s also a good idea to have a draft communication to customers ready in the event of a data breach.
Ensure that customers’ consents to direct marketing and handling (“processing”) have been obtained for new and established customers. A practical way to do this is to get customers to sign updated terms of business – Bryan Hutchinson
What does the POPI Act have to do with my website?
Most websites collect some form of customer or user data. Data collection from a website can come from:
• Cookies
• Comments
• Email newsletters
• Contact forms
According to Kyle Torrington, one of the biggest mistakes website owners can make is to bury their heads in the sand when it comes to compliance.
If your business is online, you should be asking:
• Do I collect user data?
• How do I become compliant and stay compliant?
Torrington adds that becoming “superficially compliant” – becoming compliant for the sake of it – should also be avoided.
Presenting an “incorrect document to your users means that you are knowingly not complying with the POPI Act and can potentially damage both your business’s image as well as your bank balance,” he writes.
Failure to comply with the new regulations by the deadline on 1 July 2021 could result in a maximum of 10 years in prison or being charged with a R10 million fine by the Information Regulator.
Torrington advises website owners to have a professionally drafted comprehensive privacy policy. The policy must outline how you collect, process and store personal user data as well as document what you intend to do with the data.
Wait . . . what’s a cookie again?
Cookies are small text files stored in your visitor’s browser by your website. These files typically contain information about your visitor’s preferred language settings or location. They can also store a wide range of information including personally identifiable information.
Cookies basically perform two actions:
• they improve your visitor’s experience of your website
• they track your user’s behaviour on your site
A cookie policy can be set out in your website privacy policy. It details how you will use cookies on your site.
Use Google Analytics? You need a privacy policy!
There are two reasons for this.
- Google specifies this requirement in its Terms of Service
- In terms of the POPI Act, privacy policies are a legal requirement when a company stores, transfers, or handles someone’s personal information.
POPI and direct marketing: stay on the right side of the law
Direct marketing is a great way for companies to quickly grow a customer base. But as the POPI Act is enforced, companies will have to review their marketing channels to ensure they are compliant.
POPI gives privacy rights to an individual (the “data subject”) by requiring that a business can only engage in direct marketing by electronic means (e.g. email, SMS) if the prospective customer has consented to receive direct marketing (i.e. a customer has chosen to ‘opt-in’).
This contrasts with the current status-quo where direct marketers should only stop making unsolicited calls, emails, etc. to a prospective customer if that customer objects to the direct marketing (i.e. the customer wishes to ‘opt-out).
But, as Hutchinson explains, the aim of the act is not to end all marketing.
The act does allow:
- A business makes a once-off request to a prospective customer to opt in to receive marketing (unless that customer hasn’t already opted out).
- A business to market directly to established customers if the further marketing is in the “legitimate interest” of the customer or the website owner. For example, marketing is to alert the customer of a similar product or service offered by the website owner that the customer has already obtained.
He says to ensure marketing compliance, website owners should:
- Obtain a prospective customer’s consent to direct marketing at the start of the business relationship (for example, include a tick-box in the terms of business the customer will sign)
- Clearly set out any opt-outs to ensure that customers are not intentionally marketed ton(for example, create a “do not email” list and ensure all emails have an unsubscribe option)
- Market directly to established customers only if it is relevant to the business relationship (in other words, the business should only market its own products and services).
- In its POPI roundup, law firm CliffDekkerHofmeyr says marketers can stay on the right side of the law by also including sender contact details on all direct marketing communications. This is so that a recipient can request that these communications are no longer sent.
Wapping up
Publishing a privacy policy on your website is important because it tells your users that you take their personal data, and their privacy, seriously.
Privacy is a big issue. And when correctly implemented, privacy policies benefit website owners and their users.
They enable businesses to understand consumer behaviour to improve their marketing. And it satisfies the rights of consumers to have their privacy respected.
- The above information is only intended as a guide and isn’t legal advice.