South Africa’s Protection of Personal Information Act (POPIA) and Cookie Consent

The Protection of Personal Information Act – POPIA

Let’s start by reviewing the requirements under the Protection of Personal Information Act, or POPIA for short. The EU’s GDPR legislation paved the way for data privacy standards, and this new law aims to protect the citizens of South Africa in the same manner.

There are a few key differences, though. POPIA only applies to companies that process data within South Africa or are domiciled there – unlike GDPR that is extraterritorial. Another difference is that POPIA includes both individuals and companies as juristic persons!

Requirements under POPIA

The POPIA legislation gives the people – and organizations – in South Africa enforceable rights over their private information. It establishes eight basic requirements for processing data and creates a broad definition of what personal information means. POPIA also forms the Information Regulator, SAIR, which will supervise and enforce these rules.

Here are the eight principles under POPIA:

1. Accountability

 Organizations are responsible for developing a data protection policy to safeguard their customers’ information. They will be held accountable for ensuring that all data processing is compliant with POPIA.

2. Processing Limitation

All personal data that is processed must be done so lawfully and in a manner that does not infringe on the subject’s privacy. The key here is that the policies and procedures must be reasonable according to the law.

3. Purpose Specification

There must be a specific and lawful purpose for all data collection. Not only does the purpose need to be explicitly defined, but the reasoning must also be conveyed to the subjects. The only time you do not have to inform them of the purpose is when the data collection is imposed by law.

4. Further Processing Limitation

After a company collects personal data, it can only perform additional processing in specific circumstances. It may only be done if further processing aligns with the purpose that was previously defined.

5. Information Quality

Organizations must ensure that the data collected is accurate, complete, and not misleading. They are also responsible for updating the information when necessary.

6. Openness

The next principle is openness, which means the responsible parties must notify regulators when they are collecting or processing personal data. Additionally, they must provide the data subject with their name and address – as well as why the information is being collected.

7. Security Safeguards

Since the responsible party is collecting private data, they must implement appropriate security safeguards to protect its integrity.

8. Data Subject Participation

The last principle gives subjects the right to request information about whether an organization has their data and what it includes. There must be no charge incurred for requesting these details.

Penalties for Noncompliance

As with all new regulations, it is essential to understand the consequences of non-compliance.

POPIA establishes an Information Regulator, which is the independent body that will serve as the supervisor and enforcer of the new legislation. They can impose fines and penalties of up to 10 years in prison or 10 million Rand, depending on the severity of the offense.

All regulated parties must meet the minimum requirements for processing user data, including security, confidentiality, and documentation. The goal is to ensure that end-users have the right to access, delete, or update any data that an organization previously collected.

Your organization may also face class-action lawsuits if you fail to comply with POPIA. The Information Regulator will facilitate these class action lawsuits to ensure that data subjects can institute the appropriate civil action for damages caused by an organization.

You may be wondering, what happens if your company falls victim to a data breach? In this scenario, if you can prove that you took all the necessary steps under POPIA to protect your users, then you may still be considered compliant.

The legal ramifications of failing to comply with the requirements of POPIA are serious –  so you must implement the appropriate procedures by July 1, 2021.

How Does POPIA Affect Cookie Consent?

So, how does POPIA relate to cookie consent? How will it affect you as a website owner that relies on cookies and the online tracking of visitors?

The GDPR and CCPA regulations explicitly require you to obtain the consent of your users before collecting cookies. Although POPIA does not expressly regulate how your organization can use cookies, they do fall under the term ‘online identifier.’

The Protection of Personal Information Act requires that businesses take reasonable steps to ensure viewers are aware of all online identifiers they are collecting. Not only do they need to let them know that cookies are collected, but they must also explain where the data is coming from and the purpose of the data. Likewise, you must let the users know whether supplying the information is mandatory or voluntary – and what will happen if they choose not to provide the data.

In other words, if cookies are used to collect personal data, POPIA requires that you disclose that information and provide an appropriate opt-in or opt-out feature. Although it is still not clear exactly how the regulators will interpret consent under the new regulations, it can be implied that there will be a higher level of responsibility placed on organizations in terms of cookie consent.

The best way to ensure that you meet all the requirements per South Africa’s Protection of Personal Information Act is to take steps to enhance your cookie consent process!