POPIA — South Africa's Data Protection Law
What the Protection of Personal Information Act means for websites and cookie consent in South Africa.
The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law, fully effective since July 2021. It’s one of the broadest privacy laws on the planet, and one of the most under-discussed.
If you process personal information from people in South Africa, POPIA applies. There are no revenue thresholds. No size exemptions. Everyone.
What makes POPIA different
Two things set POPIA apart from laws like the GDPR and CCPA:
- It protects companies too. “Juristic persons” (companies, trusts, nonprofits, partnerships) have the same data privacy rights as living individuals. That’s unique among global privacy laws.
- No thresholds. Every organization, regardless of size or revenue, must comply if they process South African personal information.
Who must comply
- Any organization in South Africa
- Any organization outside South Africa that processes personal information from people inside South Africa
No exceptions for small businesses. No exceptions for low revenue.
What counts as personal information
Broad. Includes names, contact details, opinions, health data, biometrics, online identifiers (IP addresses, cookies, device IDs), browsing history, location data, and even private correspondence.
If your website uses cookies or trackers and someone from South Africa visits, you’re processing personal information under POPIA.
Consent requirements
POPIA requires one of six legal grounds for processing. Consent is one. But “consent” must be:
- Voluntary
- Specific
- Informed
- You must be able to prove it
Pre-ticked boxes are explicitly not consent. This aligns closely with GDPR consent standards and the meaningful-consent rule under PIPEDA in Canada.
Special personal information
Certain categories require extra protection and are generally prohibited from processing unless the data subject explicitly consents:
- Race or ethnic origin
- Religious or philosophical beliefs
- Trade union membership
- Political persuasion
- Health or sex life
- Biometrics
- Criminal history
Eight conditions for lawful processing
All eight must be satisfied for compliance:
- Accountability: you’re responsible, end to end
- Processing limitation: have a legal ground, collect only what you need
- Purpose specification: tell people why you’re collecting
- Further processing limitation: don’t repurpose data
- Information quality: keep it accurate
- Openness: be transparent
- Security safeguards: protect the data
- Data subject participation: let people access and correct their data
Data subject rights
South Africans have the right to be notified about data collection, access their data, request corrections or deletion, object to processing, and opt out of direct marketing. They can also complain to the Information Regulator and seek civil remedies.
Cookie compliance
POPIA does not mandate cookie banners in the same explicit way PECR/GDPR do, but the conditions for lawful processing effectively require informed consent for non-essential cookies and trackers. Transparency is mandatory. So, broadly, you need a consent management platform (CMP), the same conclusion you reach working through the GDPR vs CCPA vs ePrivacy comparison.
Cross-border transfers
Transferring personal information outside South Africa is restricted. The recipient country must have adequate data protection laws, or you need the data subject’s consent, or the transfer must be necessary for a contract.
How Zest handles it
Zest’s consent-first approach aligns with POPIA’s consent and transparency requirements. Block non-essential trackers until consent is given. Provide clear notice. Make withdrawal easy. Zest does all three.
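The three behaviours above (block non-essential trackers until consent, record a provable decision, make withdrawal easy) are the mechanical core of any CMP. The module below is an added illustration written for this page; it is not Zest’s code, and the storage interface (a localStorage-compatible object), the category names, the `POLICY_VERSION` string and the loader callbacks are assumptions. Nothing non-essential is on by default, an absent or stale record is treated as “no”, every decision is appended to a log with a timestamp and notice version, and withdrawal is a single call that reports which trackers already ran so the caller can clean up their cookies or reload the page.

```javascript
// Consent-gated tracker loading with a provable consent record.
// Added example for this page; not Zest's code. The storage/loader interfaces,
// category names and POLICY_VERSION are assumptions. Runs in Node with the
// in-memory store below, or in a browser by passing window.localStorage.

const POLICY_VERSION = "2024-01";                 // constructed notice version
const NON_ESSENTIAL = ["analytics", "marketing"]; // strictly necessary cookies need no consent

// Tiny localStorage-compatible store so the module also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

class ConsentManager {
  constructor(storage, now = () => new Date().toISOString()) {
    this.storage = storage;
    this.now = now;          // injectable clock so records are reproducible in tests
    this.pending = [];       // { category, name, loader } waiting for consent
    this.loaded = [];        // entries whose loader has already run
  }

  // The stored record, or null. Nothing stored, or a record made under an
  // older notice version, counts as no consent: silence is never a yes.
  current() {
    const raw = this.storage.getItem("consent");
    if (raw === null) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null;
  }

  allowed(category) {
    const rec = this.current();
    return rec !== null && rec.choices[category] === true;
  }

  // Register a non-essential tracker. Its loader (the code that would inject
  // the <script> tag) runs only once its category is allowed.
  register(category, name, loader) {
    if (!NON_ESSENTIAL.includes(category)) throw new Error("unknown category: " + category);
    const entry = { category, name, loader };
    if (this.allowed(category)) this._run(entry);
    else this.pending.push(entry);
  }

  _run(entry) {
    entry.loader();
    this.loaded.push(entry);
  }

  // Save an explicit per-category decision (specific, not bundled). A category
  // the user did not answer is recorded as false, never assumed true.
  record(choices) {
    const clean = {};
    for (const c of NON_ESSENTIAL) {
      if (choices[c] !== undefined && typeof choices[c] !== "boolean") {
        throw new Error("choice for " + c + " must be boolean");
      }
      clean[c] = choices[c] === true;
    }
    const rec = { version: POLICY_VERSION, at: this.now(), choices: clean };
    this._append(rec);
    // Release trackers whose category was just allowed; keep the rest gated.
    const stillPending = [];
    for (const e of this.pending) {
      if (clean[e.category]) this._run(e); else stillPending.push(e);
    }
    this.pending = stillPending;
    return rec;
  }

  // Withdrawal is one call and is logged like consent. Scripts already on the
  // page cannot be un-run, so the names of loaded trackers are returned for the
  // caller to delete their cookies or reload; they go back to the gated list.
  withdraw() {
    const clean = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    this._append({ version: POLICY_VERSION, at: this.now(), choices: clean, withdrawn: true });
    const names = this.loaded.map((e) => e.name);
    this.pending = this.pending.concat(this.loaded);
    this.loaded = [];
    return names;
  }

  // Append-only log of every decision, kept so consent can be proven later.
  history() {
    return JSON.parse(this.storage.getItem("consent_log") || "[]");
  }

  _append(rec) {
    const log = this.history();
    log.push(rec);
    this.storage.setItem("consent_log", JSON.stringify(log));
    this.storage.setItem("consent", JSON.stringify(rec));
  }
}
```

Typical use: construct `new ConsentManager(window.localStorage)` at page load, call `register()` for each analytics or marketing script, and wire the banner’s buttons to `record()` and `withdraw()`. Because `register()` never runs a loader without a current, explicit, matching-version record, a visitor who ignores the banner gets no non-essential trackers at all.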