

Is Your Website POPIA Compliant? A Simple Checklist

By Optimiz · 2026-03-20 · 5 min read

POPIA has been fully enforceable since 1 July 2021. The Information Regulator has already issued enforcement notices and fines, including against an organisation as large as the Department of Justice and Constitutional Development. Yet most small business websites in South Africa still don't meet even the basics.

If your website has a contact form, a newsletter signup, a WhatsApp chat widget, or even just Google Analytics enabled, you're collecting personal information. POPIA applies to you. This is not a big-business-only problem.

The good news is that for most businesses — sole traders, partnerships, small companies — compliance isn't complicated. You don't need a legal team. You need a checklist and the willingness to actually implement it.

Why you should actually care about this

The biggest reason: the Information Regulator can fine your business up to R10 million for serious non-compliance, and for certain offences POPIA also provides for criminal prosecution, including imprisonment. That's not theoretical: enforcement actions are happening in South Africa right now.

The business-level risk is also worth considering. When someone fills in a form on your website, they're trusting you with their information. If something goes wrong — a data leak, an unauthorised email, information shared without consent — it's not just a compliance issue. It's a trust issue. And in a market where customer trust drives referrals, that matters.

The reality is: POPIA compliance for a typical SME website is a few hours of work, and a one-time cost if you outsource it. Leaving it undone risks fines, legal exposure, and customer trust.

The website POPIA checklist

Run through each of these. If you can't tick them all off, you've got work to do.

Privacy policy page: Your website needs a dedicated, clearly accessible privacy policy page that explains what data you collect, why, how it's stored, who has access, and how long you keep it. If your visitors need three clicks to find your privacy policy, it's effectively hidden.

Cookie consent banner: If you use cookies for anything beyond running the site itself (and if you have Google Analytics, a Facebook Pixel or any third-party tracking, you do), you need consent before any non-essential cookie is set. A banner with an accept option and an equally visible decline option is sufficient, provided the tracking scripts genuinely don't load until the visitor accepts.

Contact form consent: If you have a contact form, you need a clear consent mechanism: an un-ticked checkbox with text explaining what will happen with their information, for example "I agree that Optimiz may use this information to respond to my enquiry." Check the box on the server as well as in the browser: a submission that arrives without it should be rejected, not quietly stored.

Opt-in for marketing: If you're collecting email addresses for newsletters or marketing, you need explicit opt-in consent through a separate, un-ticked checkbox. If your contact form automatically subscribes people to your mailing list, that's a violation.

Secure data transmission: Your website should be served over HTTPS with a valid TLS certificate, and plain http:// requests should redirect to it. If your URL still shows http:// without the padlock, form submissions travel in clear text, and that's a POPIA compliance issue as much as a security one.

Data retention practices: You need a policy for how long you keep personal information. Contact form submissions shouldn't live in your inbox forever. Define retention periods and stick to them.

Information Officer appointed: Every business in SA must have an Information Officer and register them with the Information Regulator. Under POPIA the head of the business is the Information Officer by default, so for a small business this is typically the owner.

Third-party disclosure: If data collected through your website is shared with third parties — CRM tools, email marketing tools, hosting providers — this needs to be disclosed in your privacy policy.
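The cookie consent and form consent items above are the two that need actual code rather than a policy page. Below is an added example (not Optimiz's code, and not taken from any particular site) of the server-side half of both: deciding which scripts a visitor's recorded consent allows, and validating a contact-form POST so that consent is required and newsletter opt-in stays separate. The cookie name, the field names, the script catalogue and the `G-EXAMPLE` tag ID are all assumptions for illustration.

```javascript
// Added example: consent gating for a small-business website.
// Two decisions that belong on the server or edge, not only in the browser:
//  1. which scripts may be emitted for this visitor, given recorded consent;
//  2. whether a contact-form submission carries the explicit consent POPIA needs.
// Cookie name, field names and script catalogue are assumptions for illustration.

const CONSENT_COOKIE = "site_consent"; // assumed name; value "v1:analytics=1,marketing=0"

// Scripts the site wants to load, tagged with the consent category each needs.
// "essential" scripts (the site's own bundle) never need consent.
const SCRIPT_CATALOGUE = [
  { src: "/js/site.js", category: "essential" },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
];

// Parse the Cookie request header into { decided, analytics, marketing }.
// No cookie, or an unparseable one, means "no consent yet": only essentials load.
function parseConsent(cookieHeader) {
  const state = { decided: false, analytics: false, marketing: false };
  if (!cookieHeader) return state;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    const m = /^v1:(.*)$/.exec(decodeURIComponent(rest.join("=")));
    if (!m) return state;
    state.decided = true;
    for (const kv of m[1].split(",")) {
      const [k, v] = kv.split("=");
      if (k === "analytics" || k === "marketing") state[k] = v === "1";
    }
  }
  return state;
}

// Return only the script URLs this visitor's consent allows. Non-essential
// trackers are held back until the visitor has accepted that category, which is
// exactly what a "We use cookies [OK]" banner fails to do.
function scriptsToLoad(consent, catalogue = SCRIPT_CATALOGUE) {
  return catalogue
    .filter((s) => s.category === "essential" || consent[s.category] === true)
    .map((s) => s.src);
}

// Build the Set-Cookie value once the visitor clicks Accept or Decline.
// Decline records a decision too, so the banner stops reappearing, but nothing
// non-essential loads. Secure + SameSite keep the choice from leaking or being forged.
function consentCookieValue(choice) {
  const a = choice.analytics ? 1 : 0;
  const m = choice.marketing ? 1 : 0;
  const value = encodeURIComponent(`v1:analytics=${a},marketing=${m}`);
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Server-side validation of a contact-form POST, given as a field map.
// The browser checkbox is only a hint; a crafted request can omit it, so the
// server decides. Consent to handle the enquiry and opt-in to marketing are two
// separate, un-ticked boxes; an enquiry is never a back door into the mailing list.
function validateContactSubmission(fields) {
  const errors = [];
  if (!fields.email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(fields.email)) errors.push("email");
  if (!fields.message || !fields.message.trim()) errors.push("message");
  // HTML checkboxes send "on" when ticked and are absent from the POST otherwise.
  if (fields.consent_enquiry !== "on") errors.push("consent_enquiry");
  const subscribeToNewsletter = fields.opt_in_marketing === "on";
  return { ok: errors.length === 0, errors, subscribeToNewsletter };
}
```

Wire `parseConsent` and `scriptsToLoad` into whatever renders your page template so the analytics and pixel tags are simply not in the HTML until consent exists, and call `validateContactSubmission` in the form handler before anything is written to a database, CRM or mailing list.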

What most SA websites get wrong

The privacy policy is imported from a US template. This is surprisingly common. South African businesses grab a generic privacy policy template that references GDPR, California privacy law, US-specific regulations — without mentioning POPIA or the Information Regulator. It's not just unhelpful, it's not compliant.

Cookie banners that don't actually do anything. Many sites have a banner that says "We use cookies" with a single OK button. That's not consent. Proper implementation lets users choose between essential and non-essential cookies.

Contact forms with no consent checkbox. The most common gap. Your contact form captures names, email addresses, phone numbers. That's personal information. Without a consent mechanism, you're processing it without permission.

What to do next

Go through the checklist above with your actual website open in front of you. Be honest with yourself. If you're missing more than two items, prioritise the privacy policy and the contact form consent first: these are the most visible compliance gaps.

If your website was built by a developer or agency, ask them about POPIA compliance. If they look confused, that tells you something important about who built your site. When we build websites, POPIA compliance is built in from the start — not bolted on later. Not sure if your site passes the test? Run a free audit — it includes a POPIA compliance check.

Need a website built with compliance in mind?

We build POPIA-compliant websites for SA businesses — privacy policy, cookie consent, and data handling done right from day one.
