South Africa's Protection of Personal Information Act (POPIA) Explained

Data privacy laws exist worldwide, affecting businesses that collect and process the personal information of their website’s visitors.

In South Africa, individuals are protected by the Protection of Personal Information Act, also called POPIA or the POPI Act.

In this guide, learn about who POPIA applies to, what it requires from businesses, the penalties for violating the law, and how to simplify POPIA compliance.

Table of Contents

What Is South Africa’s Protection of Personal Information Act (POPIA)?
POPIA Key Terms and Definitions
What Does the Protection of Personal Information Act Cover?
Requirements of the Protection of Personal Information Act
POPIA vs. Global Data Privacy Laws: Similarities and Differences
How Does the POPIA Impact Consumers?
How Does the POPIA Impact Businesses?
Who Must Comply With the POPIA?
How Can Businesses Prepare for the POPIA?
How Is the POPIA Enforced?
Fines and Penalties Under the Protection of Personal Information Act
How Does Termly Help With POPIA Compliance?
Are There Other Privacy Related Laws in South Africa?
Summary

What Is South Africa’s Protection of Personal Information Act (POPIA)?

The Protection of Personal Information Act, sometimes called POPIA or POPI Act, is South Africa’s leading consumer data privacy law.

It’s a comprehensive piece of legislation that safeguards the personal data of individuals in South Africa by outlining requirements and obligations for entities that collect, process, and use that information.

It shares many similarities with Europe’s General Data Protection Regulation (GDPR) but differs in notable ways — for example, penalties for violating POPIA could lead to possible jail time.

When Did POPIA Take Effect?

Parliament passed POPIA in November 2013, but it didn’t take effect until July 1, 2020.

It originally had a one-year grace period for businesses to ready themselves for compliance, so the bulk of the law became enforceable on July 1, 2021.

However, the Section 58 requirement to notify the Information Regulator if data processing is subject to prior authorization entered into action on February 1, 2022.

Today, the law is fully in effect.

POPIA Key Terms and Definitions

To fully understand how to comply with POPIA, it’s important to familiarize yourself with how the law defines certain terms, which are included below:

Consent: Any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
Data subject: Person to whom personal information relates.
Person: A natural person or a juristic person.
Personal information: Information relating to an individual, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and the birth of the person;
- (b) information relating to the education or the medical, financial, criminal, or employment history of the person;
- (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
- (d) the biometric information of the person;
- (e) the personal opinions, views, or preferences of the person;
- (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- (g) the views or opinions of another individual about the person; and
- (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Processing: Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
- (a) the collections, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
- (b) dissemination by means of transmission, distribution, or making available in any other form; or
- (c) merging, linking, as well as restricting, degrading, erasing, or destroying of information.
Responsible party: A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Instead of sensitive personal information, POPIA describes a category of special personal information in Section 26 of the law as:

Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information;
Criminal behavior of the data subject, to the extent that it relates to
the data subject’s alleged commission of any offense or participation in any
proceedings regarding any offense allegedly committed

What Does the Protection of Personal Information Act Cover?

POPIA covers the personal information of individuals in South Africa and describes conditions for the lawful processing of that data.

It also regulates the flow of personal information outside of South African borders.

Requirements of the Protection of Personal Information Act

POPIA outlines several legal requirements for collecting and processing personal information.

Reasons for Processing Personal Information

Under POPIA, you can only process personal information for the following reasons, as outlined in Chapter 2, Section 11 of the law:

The data subject consents to the processing.
Processing is necessary to carry out actions for the performance of a contract.
Processing complies with an obligation outlined by a law on the responsible party.
Processing protects the legitimate interest of the data subject.
Processing is necessary for pursuing the legitimate interests of the responsible party.

When necessary, businesses under POPIA are responsible for proving they’ve obtained adequate consent from data subjects.

However, data subjects can object to data processing at any time for any of the reasons listed above unless legally required, and responsible parties must comply with the requests.

Consent

Consent under POPIA has a specific opt-in definition that closely aligns with how the GDPR defines the term.

Users must actively volunteer using an “informed expression of will,” and the agreement must be for a specific purpose regarding processing their personal information.

Conditions for Lawful Processing

There are eight conditions for lawful processing outlined by POPIA, which include the following:

Accountability: The covered entity is responsible for ensuring compliance with all aspects of POPIA.
Processing limitation: Processing personal data must be reasonable, lawful, and processed for the purpose provided to the user, among other requirements.
Purpose specification: Responsible parties can only collect data for a lawful, specifically defined purpose, cannot retain it for longer than necessary, and must take steps to ensure data subjects are aware of the data collection.
Further processing limitations: Any additional collection and further processing of data must be for the purposes provided to the consumer unless the responsible party obtains consent or the data comes from public sources.
Information quality: The responsible party must make reasonable efforts to ensure the personal data collected is accurate, not misleading, and updated.
Openness: Responsible parties must document all processing activities and make reasonable efforts to inform data subjects about the collection and use of their personal data.
Security safeguards: Responsible parties must make reasonable efforts to protect the collected data and are required to notify data subjects if an unauthorized breach occurs.
Data subject participation: Data subjects that provide proof of identity have the right to access the data collected about them.

Responsible parties must follow all eight of the above conditions for processing when collecting and using personal information from South African data subjects.

Notification of Security Breaches

One of the conditions of lawful processing under POPIA requires responsible parties to inform data subjects and the Information Regulator if an unauthorized party ever accesses information.

As explained in Chapter 3, Section 22 of the law, this notification must happen as soon as reasonably possible, with few exceptions.

The notification must be in writing and communicated in one of the following ways:

Mailed to the last known address of the data subject
Sent via email
Placed in a prominent position on the responsible party’s website
Published in the news
Another method as directed by the Information Regulator

In addition, the notification must include:

A description of the consequences of the security breach
The measures the business will take to address the compromise
How the responsible party plans to mitigate such an offense from occurring again
The identity of the unauthorized party, if known

International Data Transfers

POPIA describes requirements for international data transfers in Chapter 9, Section 72, which states that responsible parties cannot transfer personal data to a foreign country unless:

The third-party recipient is subject to a law, binding corporate rule, or other agreement upholding the principles of POPIA.
The data subject consents to the data transfer.
Transferring the data is necessary for the performance or conclusion of a contract.
The data transfer benefits the data subject, and it’s not practicable to obtain consent from the subject, or if it were, they would likely give consent.

POPIA vs. Global Data Privacy Laws: Similarities and Differences

South Africa is one of several countries and regions that has a comprehensive consumer data privacy law, and it shares some similarities with the following pieces of legislation:

The California Consumer Privacy Act (CCPA)
Europe’s General Data Protection Regulation (GDPR)
Brazil’s General Data Protection Law (LGPD)
Argentina’s Personal Data Protection Act (Argentina PDPA)
Thailand’s Personal Data Protection Act (Thailand PDPA)
Canada’s Personal Information Protection and Electronics Documents Act (PIPEDA)
Australia’s Privacy Act 1988 (the Privacy Act)
New Zealand’s Privacy Act 2020

You can compare POPIA to other global privacy laws in the table below.

Data Privacy Law	Requires opt-in consent*	Mandates publishing a privacy policy	Outlines contractual obligations with third parties	Holds businesses accountable for data security	Has specific requirements for international data transfers	Requires additional guidelines for categories of sensitive (special) information
POPIA	✓	✓	✓	✓	✓	✓
CCPA		✓	✓	✓		✓
GDPR	✓	✓	✓	✓	✓	✓
LGPD	✓	✓	✓	✓		✓
Argentina PDPA	✓	✓	✓	✓	✓	✓
Thailand PDPA	✓	✓	✓	✓		✓
PIPEDA		✓	✓	✓
Privacy Act 1988		✓		✓	✓	✓
Privacy Act 2020		✓	✓	✓	✓	✓

*With some exceptions for some laws.

How Does the POPIA Impact Consumers?

POPIA impacts consumers by granting them various rights and control over how covered entities collect and use their personal information.

According to Chapter 2, Section 5 of the law, data subjects have the right to:

Be notified that their personal information is being collected.
Be notified if an unauthorized person accesses their information.
Access their personal information.
Request to correct, destroy, or delete their information.
Object to the processing of their personal information on reasonable grounds.
Object to the processing of personal information for the purpose of direct marketing.
Not be subject to decision-making based on the automated processing of their data.

Additionally, data subjects have the right to submit a complaint to the Information Regulator if they feel a covered entity violates their rights and can pursue civil proceedings.

Who Does the POPIA Apply To?

According to the definition of person in Section 1 of the Protection of Personal Information Act, the Act applies to both natural and juristic persons in South Africa.

In other words, it protects the personal information of individuals and organizations capable of suing or being sued in a court of law.

How Does the POPIA Impact Businesses?

Along with the contractual obligations, international data transfers, and legal basis for processing data mentioned above, the Protection of Personal Information Act impacts a business’s privacy policy and cookie policy.

How Does the POPIA Affect My Privacy Policy?

Under Section 18 of the POPIA, responsible parties must take “reasonably practical steps” to ensure their consumers are aware of their data processing activities.

The easiest way to meet these standards is to provide data subjects with a POPIA-compliant privacy policy informing them of all of the following:

The information collected and what source information comes from, if not from the subjects themselves.
The responsible party’s name and address.
The purpose of collecting the information.
Whether providing personal information is voluntary or not for the data subject.
Any laws authorizing or requiring the collection of the information.
If the responsible party intends to transfer the information internationally.

Additionally, you must list the recipients or category of recipients of the data, the nature of the category of the information, and the existence of all rights of the data subjects.

How Does the POPIA Affect My Cookie Policy?

POPIA significantly effects cookie policies and the general use of internet cookies.

Because data subjects have a right to know if their data is collected, and cookies can collect personal information, websites must present users with a clear, accurate cookie policy.

South Africa’s data privacy law also requires website owners to get permission from users to place cookies on their browsers, so businesses must use a consent banner or other mechanism to obtain an opt-in agreement.

Who Must Comply With the POPIA?

Your business must comply with POPIA if you process personal information and are located in South Africa or if you’re located elsewhere but make use of automated or non-automated means in the country, as outlined in Chapter 2, Section 3.

Unlike some other privacy laws, POPIA does apply to non-profit entities.

Who Is Exempt From the POPIA?

Data collected and processed for personal or household activities is exempt from POPIA, as are certain public bodies related to national security.

How Can Businesses Prepare for the POPIA?

To prepare for complying with the Protection of Personal Information Act, businesses should update their privacy policy to meet all notification requirements outlined by the law.

It’s also necessary to post an accurate cookie policy and use a cookie banner to allow your South African users to act on their rights to object to processing.

You can also link a Data Subject Access Request (DSAR) form to your website to help people easily follow through on their rights.

How Is the POPIA Enforced?

The Information Regulator enforces all aspects of POPIA and performs investigations when a business allegedly violates the law.

Fines and Penalties Under the Protection of Personal Information Act

Depending on the severity of the infraction, violating POPIA can lead to a fine of up to R10 million ($536,000), up to 10 years in jail, or both.

Minor offenses lead to smaller fines of up to R1 million ($53,000) or one year of imprisonment.

How Does Termly Help With POPIA Compliance?

Termly can help simplify your POPIA compliance because our Privacy Policy Generator includes the necessary clauses to satisfy the notification requirements outlined by the law.

Vetted by our legal team and data privacy experts, it asks basic questions about your business and its data processing activities.

It makes a unique policy based on your answers that you can embed on your website or app and update anytime directly in your Termly dashboard.

We also provide a Consent Management Platform (CMP) configurable to meet the POPIA opt-out requirements regarding targeted advertising.

A few other privacy-related laws exist in South Africa besides POPIA, including the following:

Financial Intelligence Centre Act (FICA): Requires financial institutions to retain financial records and transactions with their clients for up to five years to combat money laundering.
National Strategic Intelligence Act (NSIA): Regulates what agencies can participate in covert intelligence gathering and outlines guidelines for their functionality.

In addition, other industry and sector-specific laws complement POPIA, like the Consumer Protection Act (CPA) and the National Health Act (NHA).

Summary

If your business falls under the scope of South Africa’s Protection of Personal Information Act, make sure you take the steps to meet all obligations outlined by the law, including:

Posting a compliant privacy policy to meet all notification requirements.
Using a cookie consent banner and updating your cookie policy.
Following all contractual obligations if you work with any third-party processors.
Implementing adequate security measures to keep personal information safe.

Simplify your POPIA compliance using Termly’s Privacy Policy Generator and Consent Management Platform.

More about the author

Written by Anokhy Desai CIPP/US, CIPT, CIPM

Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Cookie Walls: Are They GDPR Compliant?

Personal vs. Sensitive Personal Information

Privacy Policy for Hotel Websites

Privacy Policy for Gym Websites

Privacy Policy for Real Estate Websites