
POPIA — South Africa's Data Protection Law

What the Protection of Personal Information Act means for websites and cookie consent in South Africa.

The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law. It has been fully effective since July 2021. It’s one of the broadest privacy laws on the planet, and one of the most under-discussed.

If you process personal information from people in South Africa, POPIA applies. There are no revenue thresholds. No size exemptions. Everyone.

What makes POPIA different

Two things set POPIA apart from laws like the GDPR and CCPA:

  1. It protects companies too. “Juristic persons” (companies, trusts, nonprofits, partnerships) have the same data privacy rights as living individuals. That’s unique among global privacy laws.
  2. No thresholds. Every organization, regardless of size or revenue, must comply if it processes South African personal information.

Who must comply

  • Any organization in South Africa
  • Any organization outside South Africa that processes personal information from people inside South Africa

No exceptions for small businesses. No exceptions for low revenue.

What counts as personal information

The definition is broad. It includes names, contact details, opinions, health data, biometrics, online identifiers (IP addresses, cookies, device IDs), browsing history, location data, and even private correspondence.

If your website uses cookies or trackers and someone from South Africa visits, you’re processing personal information under POPIA.

POPIA requires one of six legal grounds for processing. Consent is one of them, but “consent” must be:

  • Voluntary
  • Specific
  • Informed
  • Provable (you must be able to prove it)

Pre-ticked boxes are explicitly not consent. This aligns closely with GDPR consent standards and the meaningful-consent rule under PIPEDA in Canada.

Special personal information

Certain categories require extra protection, and processing them is generally prohibited unless the data subject explicitly consents:

  • Race or ethnic origin
  • Religious or philosophical beliefs
  • Trade union membership
  • Political persuasion
  • Health or sex life
  • Biometrics
  • Criminal history

Eight conditions for lawful processing

All eight must be satisfied for compliance:

  1. Accountability: you’re responsible, end to end
  2. Processing limitation: have a legal ground, collect only what you need
  3. Purpose specification: tell people why you’re collecting
  4. Further processing limitation: don’t repurpose data
  5. Information quality: keep it accurate
  6. Openness: be transparent
  7. Security safeguards: protect the data
  8. Data subject participation: let people access and correct their data

Data subject rights

South Africans have the right to be notified about data collection, access their data, request corrections or deletion, object to processing, and opt out of direct marketing. They can also complain to the Information Regulator and seek civil remedies.

POPIA does not mandate cookie banners in the same explicit way PECR/GDPR do, but the conditions for lawful processing effectively require informed consent for non-essential cookies and trackers. Transparency is mandatory. So, broadly, you need a consent management platform (CMP), the same conclusion you reach working through the GDPR vs CCPA vs ePrivacy comparison.

Cross-border transfers

Transferring personal information outside South Africa is restricted. The recipient country must have adequate data protection laws, or you need the data subject’s consent, or the transfer must be necessary for a contract.

How Zest handles it

Zest’s consent-first approach aligns with POPIA’s consent and transparency requirements. Block non-essential trackers until consent is given. Provide clear notice. Make withdrawal easy. Zest does all three.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.