All you need to know about POPIA: South Africa's Data Protection Law

All You Need to Know about Compliance with POPIA

Haritha July 17, 2023 8 min read

POPIA is South Africa’s first comprehensive privacy statute, otherwise known as South Africa’s data protection law. It came into effect on 1 July 2021.

POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information.

Read ahead to find out more about POPIA and what you need to do for the compliance of WordPress sites.

Who Does POPIA Apply to?

POPIA will apply to any company any organization irrespective of the size, sector, or location that process the personal information if the organization is

Based in South Africa, or
Based outside of South Africa, but processes personal information within South Africa (unless it is only forwarding personal information through the country)

This means any non-South African business that does business in South Africa should comply with the POPIA regardless of whether or not the business has any physical presence in the country.

What’s the Purpose of POPIA?

By enforcing this data protection regulation the South African government aims to fulfill the following three objectives.

To promote the protection of personal information processed by public and private bodies.
To introduce certain conditions so as to establish minimum requirements for the processing of personal information.
To regulate the flow of personal information across the borders of South Africa.

What are the 8 Principles Covered under POPIA?

Accountability

The first principle implies the need for organizations to appoint an information officer for overseeing compliance with the Act.

Processing Limitation

The second principle puts control on how and when personal information is processed. It states that it should be reasonable, lawful, minimal, with consent, having proof, and subject to the objection of the data subject. Personal information should also be collected directly from the data subject.

Purpose Specification

The third principle covers the purpose of collecting information and its retention. The purpose should be specific, lawful, explicit, and that it shouldn’t be retained any longer than is necessary for achieving the purpose for which it was collected.

Further Processing Limitation

The fourth principle states the grounds on which processing of information should take place. It should only be for the purpose you collected the information and should comply with the purpose of collection within the third principle.

Information Quality

The fifth principle contemplates the information quality and states that it should be complete, accurate, not misleading, updated and that the responsible party must ensure it.

Openness

The sixth principle is all about the openness of processing and collection of information. It states your responsibility to maintain documentation of all information processing and letting the data subject know everything related to collecting information.

Security Safeguards

The seventh principle refers to your responsibility of keeping the information secure and notifying the regulator and the data subject in the event of loss or unauthorized access of data.

Data Subject Participation

The eighth principle extends the data subject with the right to access their information, information about any third parties that have had access to their information, and for the correction and deletion of their information.

What are the Exceptions Under POPIA?

Although all the above principles must be followed for achieving compliance under POPIA, in some cases a regulator can by notice in the Gazette, grant an exemption to a responsible party to process personal information, even if that processing is in breach of a condition. The circumstances for granting such exceptions are,

In matters of public interest including national security, prevention, detection, and prosecution of offenses, important economic and financial interests, historical, statistical, or research activity, freedom of expression
When the processing involves a clear benefit to the data subject that outweighs the interference with the privacy of the data subject.

What is Personal Information Under POPIA?

Personal information means any information relating to an identifiable, living, person or juristic persons (companies/organizations) including, but not limited to —

Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, disability, religion etc.
Information relating to the education, medical, financial, criminal or employment history, and biometric information
Identifiers like e-mail address, physical address, telephone number, location data, online identifier IP addresses, cookies, unique IDs, search and browser history

What are the Penalties for not Being POPIA Compliant?

The following are the consequences for not being compliant:

Administrative penalties
- Fines up to R10 million and/or 10 years in jail per incident.
Enforcement notices
- Stop processing personal information.
Civil Action
- May be bought on by data subjects for “distress” pay out millions in damages to a civil claim action.
- Suffer reputational damage.
General concerns
- Loss of reputation and subsequent loss of customers and possible failure of the organization/business.

What is Consent in POPIA?

POPIA mentions consent as a legal basis for processing personal information and includes provisions on how consent must be obtained and can be withdrawn. POPIA defines consent as “voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”

Consent must be given voluntarily
Consent should be taken for a specific purpose and shouldn’t be vague or ambiguous
Properly notify the data subject regarding what they are consenting to, how their data will be processed, etc.
Informed consent

How to Comply WordPress Site with POPIA?

As cookies are considered online identifiers in POPIA, they fall under the scope of personal information. This means your website needs to have an adequate cookie consent mechanism in place.

If you are looking for the right tool to help your WordPress site in complying with POPIA, the GDPR Cookie Consent plugin by WebToffee is one of the best options.

You can generate a compliant cookie banner for your website, so you get prior user consent. You can fully customize the content, layout, colors, behavior, and display cookie banners in different languages.

If you are interested in learning more about compliance for major privacy laws like GDPR and CCPA, refer to the following article.

WordPress and GDPR: a Helpful Guide, California Consumer Protection Act (CCPA) and Cookies: What you need to know.

GDPR for Marketing: All You Need to Know

The EU’s General Data Protection Regulation (GDPR) has been in effect for some time now, and it ha...

Sep 20, 2021|by Thejus Zachariah

How to Display Recently Viewed Products in Shopify?

In this blog post, we will show you how to create Amazon-like recently viewed product recommendation...

Sep 20, 2021|by Thejus Zachariah

How to Make Google Analytics CCPA/CPRA Compliant? Updated for 2024

This blog post outlines how to use Google Analytics while complying with CPRA regulations for busine...

Sep 20, 2021|by Thejus Zachariah

Cookie	Description
__cfruid	Cloudflare sets this cookie to identify trusted web traffic.
__stripe_mid	Stripe sets this cookie cookie to process payments.
__stripe_sid	Stripe sets this cookie cookie to process payments.
cookielawinfo-checkbox-advertisement	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-preferences	This cookie is set by the GDPR Cookie Consent plugin to check if the user has given consent to use cookies under the "Preferences" category.
CookieLawInfoConsent	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user sessions on the website. The cookie is a session cookie and is deleted when all the browser windows are closed.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not a user has consented to the use of cookies. It does not store any personal data.

Cookie	Description
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors.
_ga_BQH8MSKD4M	This cookie is installed by Google Analytics.
_gat_gtag	Identification code of website for tracking visits.
_gid	This cookie is installed by Google Analytics. The cookie is used to store information on how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_hjAbsoluteSessionInProgress	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSample	This cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate heatmaps, funnels, recordings, etc.
_hjIncludedInSessionSample	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
CONSENT	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
has_recent_activity	This cookie is used to signal to the code repository website if the user has browsed other website resources during the current session.
tk_ai	Gathers information for our own first-party analytics tool about how our services are used. A collection of internal metrics for user activity and is used to improve user experience.
tk_lr	This cookie is set by the JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack.
tk_or	This cookie is set by the JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack.
tk_qs	Gathers information for our own first-party analytics tool about how our services are used. A collection of internal metrics for user activity and is used to improve user experience.
tk_r3d	The cookie is installed by JetPack. Used for the internal metrics for user activities to improve user experience.

Cookie	Description
_fbp	This cookie is set by Facebook to deliver advertisements when they are on Facebook or on a digital platform powered by Facebook advertising after visiting this website.
fr	The cookie is set by Facebook to show relevant advertisements to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook Pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_hjSession_1376571	30 minutes	No description
_hjSessionUser_1376571	1 year	No description
_octo	1 year	No description available.
_zendesk_authenticated	past	No description
_zendesk_session	session	No description available.
_zendesk_shared_session	session	No description available.
edd_wp_session	12 hours	No description available.
logged_in	1 year	No description available.
m	2 years	No description available.

All You Need to Know about Compliance with POPIA

Table of Contents

Who Does POPIA Apply to?

What’s the Purpose of POPIA?