Is Your Website POPIA Compliant? A Practical Guide for South African Businesses

Table of Contents

If your website has a contact form, an email signup, a checkout page, or even a cookie, you’re collecting personal information – and POPIA applies to you in full. Most South African business owners know the Act exists. Far fewer have actually checked whether their website meets it.

That gap is getting riskier. The Information Regulator’s 2025/26 Annual Performance Plan, presented to Parliament’s Portfolio Committee on Justice and Constitutional Development on 5 May 2026, signals a firmer enforcement posture: more proactive audits, tighter direct marketing rules following the April 2025 POPIA Regulations amendments, and mandatory use of the Regulator’s e-portal for breach notifications – which saw a 40% jump in monthly submissions in early 2025/26. Fines are already being issued, and SMEs are not exempt.

POPIA applies to every website, no exceptions

POPIA applies to any person or organisation, public or private, that processes personal information in South Africa. It has been enforceable since 1 July 2021.

There’s no SME carve-out and no revenue threshold. A one-person business with a two-page site is held to the same standard as a listed company with a national customer database. If your website collects information about a person, the Act applies to you.

Why this is worth getting right, not just avoiding a fine

It’s easy to file POPIA under “compliance admin.” That undersells it. People are more aware of online privacy than ever, and a website that visibly respects their data builds trust before a single email is exchanged. Compliance is a credibility signal, one your less careful competitors aren’t sending.

Four things your website needs

You don’t need a full rebuild. For most small and medium businesses, these four items cover the core requirements.

1. A clear privacy policy

A dedicated page answering four questions in plain language:

  • What data do you collect? (names, emails, IP addresses)
  • Why are you collecting it? (to send quotes, deliver products)
  • How do you use it? (processing orders, sending updates)
  • Who do you share it with? (courier companies, email platforms)
 

2. A simple cookie notice

Cookies track behaviour, from cart contents to login sessions to analytics, so POPIA requires you to disclose their use. A banner on first visit is the standard, low-friction fix.

3. Clear contact form consent

If someone submits a form for a quote, you can’t start emailing them a weekly newsletter without separate, explicit permission. Add a short statement or checkbox above the submit button:

  • “By submitting this form, you agree that we can use your details to contact you about your quote request.”
  • “[ ] Tick this box if you’d like our monthly newsletter with industry tips and discounts.” (Leave unticked by default, this isn’t optional.)
 

4. A data retention statement

You can’t hold personal data indefinitely just because it’s convenient. Keep it only as long as needed for its original purpose, or as long as South African tax law requires for financial records, and state that timeframe in your privacy policy.

What happens if you don't fix this

Fines are real, and enforcement is trending up. But the bigger risk for most small businesses is reputational: a breach that goes public, or a spam complaint from someone who never opted in, costs you customers who won’t come back, and hurts every lead you try to generate afterward. Getting the four essentials right does the opposite: it signals a professional, trustworthy business people are comfortable handing their information to.

Next steps

Start with your privacy policy, it’s the foundation the other three items reference. Then add the cookie banner, tighten your form consent language, and set a retention period you can actually defend if asked.

Let's Connect

Ready to chat? Catch us live during business hours (8am-5pm on weekdays).

Leave your details and we’ll get in touch