What is POPIA?
The Protection of Personal Information Act, also known as POPIA is South Africa’s new data protection law and is designed to provide citizens of South Africa with rights over how companies and organisations acquire, process, manage, safeguard and dispose of their personal information.
Effectively the equivalent of the European Union’s General Data Protection Regulation (GDPR), POPIA came into full effect on 1 July 2021 and is now enforceable by law.
The Act outlines how companies manage personal informational related to their employees, suppliers and customers and compels them to establish policies to ensure they manage personal information and take measures to safeguard the privacy of people’s information.
The Constitution is the supreme law in South Africa and Section 14 of the Constitution details individual’s right to privacy. The Electronic Communications and Transactions Act (ECTA) also makes provision for how personal information is collected but POPIA now provides a broad and clear definition for personal information and how this information can be collected, how it is recorded and organised. The Act also outlines how personal information can be shared and used, which is an important aspect especially in relation to how personal information is harnessed for the purposes of marketing.
What is personal information?
In terms of POPIA, personal information is any kind of information relating to an identifiable, living natural person, company or similar legal entity. This includes but is not limited to names, addresses, telephone numbers, email addresses, information about age, race, gender, appearance, characteristics, sexual orientation, religious beliefs, language, health data, well-being and disabilities.
Some of the less obvious personal information related to data subjects includes online identifiers such as IP addresses, cookies, location data and internet browser history.
What is an IP address?
An IP address is a unique address that identifies a computer or device on the internet. “IP” stands for “Internet Protocol” and the actual address is a set of numbers (e.g.;192.0.2.1) that is linked to all online activity that a particular computer or device engages in.
What is a cookie?
A cookie is a small piece of information stored on a computer or smart phone by a web browser (e.g., Google Chrome). A cookie file can contain various types of information, including a user ID that a website uses to track the pages which have been visited. Companies worldwide use cookies to monitor user behaviour and to improve website interactivity. If someone chooses to disable cookies or refuses to accept a cookie, they may not be able to utilise all features of a website.
Most browsers are initially set up to accept cookies however, it is possible to reset browser settings or change them to refuse all cookies or indicate when a cookie is being sent. The Help feature on most web browsers can provide information on how to accept cookies, disable cookies or to notify a user when receiving a new cookie.
What does “POPIA compliant” actually mean?
If a website, company or organisation is hosted or located in South Africa and processes personal information, it is automatically obligated to comply with POPIA. For most companies and organisations first contact with a potential customer is through a visit to their website. This is a crucial touch point to cover in terms of POPIA but by no means the only one.
- Providing a Cookie Policy notice with opt-out option on your website is one of the first recommendations. This is usually in the form of a pop-up notice which provides an option to accept or disable cookies with a link to a company Privacy Policy specific page.
- The Privacy Policy should provide details for how a company or organisation collects and manages personal information and other aspects of a visitors interactions with the website. This is especially important for websites that collect personal information by way of contact forms, through eCommerce order processing, surveys and questionnaires and other application or submission forms.
- The Privacy Policy should form part of a company or organisation’s overall POPIA Policy and other relevant company policies and procedures.