
POPI Act: How to Implement for Digital Marketers and Website Owners

Luke Marthinusen | October 12 2022

Why did I write this post? 

One of my senior strategists asked me if we could get a legal mind to advise on how we consistently implement POPI Act (also called POPIA) for our clients. We build websites for large firms, implement CRM systems, and run campaigns. It’s an entirely logical and prudent request from a very thoughtful team member.

His face screwed up when I gave my answer. My guess is he didn't agree.

My answer was simple, and here it is:

“South African legal firms and privacy practitioners understand the POPI Act, but when it comes to how to apply it in the digital space - where the Act meets websites and code - they seem to struggle”

So I set out to break it down for our strategy team. I created a set of basic rules they can work with. Like most things, there's more than one way to skin a cat. This way, however, is the easiest and most robust way to make sure you're compliant. 

A Caveat

The legal world is a complex one. Two parties with different views on an event can set their legal teams on one another and spend hours or even years making their view more ‘legally’ correct.  In the end, a judge can have difficulty deciding the case. 

I’m not a lawyer. I'm sure a lawyer could pick holes in this article if they wanted to - but that's not the objective of this piece. My aim is to provide digital marketers, marketing managers, marketing directors, and business owners with a clear set of steps to quickly ensure their website and marketing/sales efforts are POPI Act compliant. 

Most of us lead busy lives and don't have the time to get through the entire 76-page Protection of Personal Information Act, let alone apply this legal document in the real world. 

Here are a few basic steps and key sections of POPIA that if followed and understood will ensure you are compliant and protected against falling foul of the POPI Act. 

Five critical digital properties and concepts

You'll need to take a closer look at these digital properties and activities to make them POPI Act compliant. 

  1. Website cookies
  2. Website forms
  3. Email subscriptions

 

Then you'll need to understand these definitions to help you make the right call with personal data.

  1. Legitimate interest
  2. Explicit consent

 

But first, let's cover some essential definitions to understand the POPI Act. These will help you understand what the POPI Act aims to accomplish and who the role players are. 

If you don’t care for these definitions, you can jump to the practical part below starting with 1. Website Cookies. 

Important definitions from the Protection of Personal Information Act (POPI Act or POPIA)

If you’ve ever signed a legal contract, you might have noticed they often start by clearly defining the most important terms. The POPI Act is no different. Below I have pulled out the key definitions you need to understand to have a firm practical grip on the POPI Act.

In privacy law, we are primarily concerned with the personal information of a person (also called a data subject) being processed by an operator.

Person & Data Subject

‘‘person’’ means a natural person or a juristic person;
‘‘data subject’’ means the person to whom personal information relates;

Eg: You, your potential client, your work colleague, your website visitor, or even your friend. 



Personal Information

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) … read the act for more details on this definition. 

Eg. Email address, cell phone number, name, address, race, etc. 

Consent

‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

Eg: A person voluntarily clicks a button to subscribe to a newsletter.

Processing

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

Eg:  Capturing and storing information on a website contact form. Saving email addresses in your CRM system. 

Operator

‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

Eg: A marketing manager reviews website contact form submissions and forwards them to the relevant people in a business.

Ok, let’s get practical. We’ll start with cookies, the much misunderstood, almost always incorrectly implemented, but most common privacy and consent element we all deal with daily. 

 

1. Website Cookies

The image below shows us a typical cookie policy (consent) popup. We’ve all seen these, but what 99% of people don’t know is that they don’t do what they say they do. The example below is taken from a legal firm in South Africa that consults on the POPI Act.

[Image: cookie consent popup from a South African legal firm's website]

What you don't realise is that if you click ‘No’, nothing happens. Cookies will still track your behaviour. Clicking ‘No’ does not stop cookies from tracking you on this website.

This is consistent with just about every website that has one of these popup policies. Denying consent has no effect.  

In 99% of cases, tracking codes from Google Analytics, Google Adwords, Facebook Ads, LinkedIn Ads, etc. are not removed by clicking ‘No’.

These codes are generally hard-coded into your website. Clicking an unconnected cookie/consent popup does not remove or disable the code.

A Google Analytics code looks like the one below and is placed in the header of the website. The header is loaded on every single website page.

[Image: Google Analytics global site tag snippet]

Note the last block of text says: The Global Site Tag provides streamlined tagging across Google’s site measurement, conversion tracking, and remarketing products.

Your behaviour is tracked and stored if a website uses this code (and they all do in some form). How personalised the information is, is another discussion entirely. But in a nutshell, the website owner gets anonymous information at a user level. Google, however, knows exactly who you are, where you are, and what your online behaviour is.

What they do with this information is outside of the scope of this article. But for now, you need to know that all websites use cookies and you cannot turn all of them off. These tracking codes track your behaviour and send it to third parties (Google in this case) to enable advertising and highly detailed consumer profiling.

Even if the cookie/consent popup works as intended, not all the cookies are disabled after clicking ‘No’. A cookie to store your ‘No’ preference needs to remain. If it didn’t, on the next page load all the cookies would be active again.
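What a popup that actually honours ‘No’ has to do, as an added example in JavaScript (not code from this post or from any of the sites pictured): the tracking tag is only injected after consent is granted, and a single first-party cookie named cookie_consent (an assumed name) records the choice so it survives the next page load. The tag URL is an assumption and the measurement id is a placeholder.

```javascript
// Added example, not from the original post: a consent gate that injects tracking
// tags only after an explicit 'Yes' and keeps exactly one first-party cookie
// recording the visitor's choice. Cookie name and tag URL are assumptions.
const CONSENT_COOKIE = 'cookie_consent';
const TRACKING_TAGS = ['https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'];

// Turn a document.cookie string into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The stored choice: 'granted', 'denied', or null when the visitor has not answered.
function readConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'granted' || value === 'denied' ? value : null;
}

// The one cookie that must remain even after 'No'; without it every page load
// would show the popup again and the refusal would be forgotten.
function consentCookieString(choice, maxAgeDays = 180) {
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax`;
}

// Which tag URLs may be injected for a given choice: none unless explicitly granted.
function tagsToLoad(choice) {
  return choice === 'granted' ? TRACKING_TAGS.slice() : [];
}

// Browser entry point: call it from the popup's buttons, and again on every page
// load with readConsent(document.cookie) so a remembered 'Yes' still loads the tags.
function applyConsent(choice) {
  const urls = tagsToLoad(choice);
  if (typeof document === 'undefined') return urls; // not running in a browser
  document.cookie = consentCookieString(choice);
  for (const src of urls) {
    const script = document.createElement('script');
    script.src = src;
    document.head.appendChild(script);
  }
  return urls;
}
```

Note that nothing in the page's static HTML loads the tag; if the snippet is still hard-coded in the header, this gate changes nothing, which is exactly the failure the screenshots show.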

So, to be transparent and accurate with your website users, your cookie popup notifications should be explicit. Explicit consent is an essential part of staying POPI Act compliant. The popups below acquire explicit consent and are what your cookie popups should look like. The top one is from our own website. We clearly state that if you want to use our website, we use cookies. 

[Image: MO Agency cookie consent notice]

Another similar cookie/consent popup that gains explicit consent:

[Image: POPIA cookie consent notice]


If you feel the need to get granular, there are very good solutions to manage the cookies on your website. The top one in my opinion is CookieYes. Just understand it needs to be appropriately configured. If you, your marketing agency or your marketing department/manager is not technical, I recommend following my more basic suggestion above. It's foolproof. Don't try to get fancy. 

Examples of CookieYes implemented correctly and incorrectly

Below on CookieYes's own website, the software is correctly configured. You can turn Google Analytics off.

[Image: correctly configured CookieYes cookie policy]

 

Below on the Information Regulator of South Africa's website, they have CookieYes incorrectly configured. 

[Image: Information Regulator of South Africa cookie policy]

Here is the code on their website. Google Analytics tracks your every move even though I set it to 'Disabled'.

[Image: Google Analytics code on the Information Regulator's website]

 

And here is one of South Africa's most prominent law firms. They must have a very large Data Privacy team in Africa. They know the POPI Act inside out, and could run circles around my knowledge on the POPI Act, but it's wrong on their own website.  

My point is that for most websites, you should just go with a blanket statement that you're using cookies. Unless you are technically very competent, this is tricky to configure correctly.

[Image: Bowmans cookie policy popup]

Despite my disabling analytics, here is the website's Google Tag Manager code tracking my activity:

[Image: Bowmans website code]

Here is the Google Analytics code working as it should.

[Image: Bowmans tag manager code]

 

Obviously, the two examples above represent valid attempts at protecting their website users. However, the facts are unwittingly being conveyed incorrectly to website users. 

I highly recommend a cookie notice with a blanket statement that you are using cookies and a button to hide the notice that indicates explicit consent when clicked.

2. Website Forms

The purpose of a website form is to gather personal information. That information is then processed and stored by an operator (website owner).

Although the POPI Act does not reference the term ‘explicit consent’ specifically, I have, for some time, directed our clients and our strategy and technical teams to use this definition. The definition drives one to apply POPIA to your website forms in a very pragmatic and practical way. Just ask yourself, does your form ask for explicit consent to process their personal data?

If you remember, "consent" defined in POPIA means - any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

The POPI Act regularly references the term ‘legitimate interest’, as discussed in a June 2022 article from legal firm Cliffe Dekker Hofmeyr, POPI and the defense of legitimate interest. The article is long and complex. It states that the POPI Act potentially favours the data processor (website owner) with regard to legitimate interest, but that the Information Regulator of South Africa would probably find in favour of the person/data subject.

As such, website owners need to be very clear with their users. 

Quoting directly from the article:

“Section 11 of the POPI Act does not require consent to process personal information, provided that such processing either protects a legitimate interest of the data subject, or is “necessary for pursuing the legitimate interest of the responsible party or of a third party to whom it is supplied”. However, this defense against a lack of consent is obviated by the caveat in section 11(3), which allows a data subject to explicitly object to such processing.”

Practical interpretation:

  1. You don’t have to ask for consent on your website contact form because the user is expressing legitimate interest in products/services from your company.
  2. But, a user may object, at any time, to the processing of their personal information. So you must include a way to explicitly object immediately after form submission. 

 

Taking this into account, the easiest way to be compliant on a website form is to give the user a means to confirm explicit consent for your company to process their personal data: inform them that you will process their personal information when they click submit. In addition, provide a link to your Privacy Policy where they can find a means to update, remove or entirely stop the processing of their personal data.

The way we do it on our MO website is by adding the following statements to every form on our website. 

By clicking submit, you understand that MO Agency will process your info to respond to you in accordance with our Privacy Policy.

 

This statement is low effort for our users to understand. The user provides explicit consent because they voluntarily click the button in a specific and informed manner. In addition, the user has an easy-to-access method to object to the processing of their personal information. 

[Image: MO Agency contact form with consent statement]

To exercise their right to object, the section in our privacy policy called ‘Your Access to and Control Over Information’ is very clear in its purpose and provides a form, an email and a telephone number to manage this process.

[Image: MO Agency privacy policy section]

3. Email Subscriptions

On any marketing or sales outreach communication, be it on email, SMS, WhatsApp or any other channel, it is a legal requirement to have a working opt-out mechanism.

Below you will find one of our email marketing efforts to our clients. At the bottom, there is a clear opt-out mechanism. 

[Image: MO Agency marketing email with opt-out link]

 

Clicking Unsubscribe automatically unsubscribes you from all our subscriptions. It looks like this:

[Image: unsubscribe confirmation page]

Clicking Manage preferences allows a subscriber to customise the communications they receive or unsubscribe from everything.

[Image: email communication preferences page]

You must have either Manage preferences or Unsubscribe or both in all your marketing communications.

Essential considerations for subscription preferences

Carefully maintain your unsubscribe list

If you are migrating or moving contacts between ERPs, CRMs and email software platforms (e.g. MailChimp, HubSpot, Everlytic, etc.), take special care to migrate the communication preferences as well. This is very often neglected. I can think of countless companies that continue to send me direct marketing email communications, and I have to periodically unsubscribe. The unsubscribe preference is remembered for a few months until their emails start arriving again.

To maintain a list of unsubscribed users, the person's email address must be retained.

If the user's personal email address is deleted entirely, the communications preferences cannot be stored.
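As an added example (not from the post), here is a merge of two constructed contact exports in which an unsubscribe recorded on either side wins, followed by the erasure case described above: once the address is gone, a later import re-subscribes the person because nothing is left to carry the opt-out. Field names are assumptions.

```javascript
// Added example, not from the original post. Constructed sample exports from an
// old email tool and a new CRM; the same person appears in both with different
// casing and different subscription states. Field names are assumptions.
const OLD_PLATFORM = [
  { email: 'Ann@Example.com', subscribed: false, topics: [] },
  { email: 'ben@example.com', subscribed: true, topics: ['newsletter'] },
];
const NEW_CRM = [
  { email: 'ann@example.com', subscribed: true, topics: ['newsletter', 'offers'] },
  { email: 'cat@example.com', subscribed: true, topics: ['offers'] },
];

// Addresses are compared case-insensitively so the same person is not split in two.
function normaliseEmail(email) {
  return email.trim().toLowerCase();
}

// Merge any number of contact lists into a Map keyed by normalised address.
// An opt-out in any source wins, and an opted-out contact keeps no topics,
// so a preference cannot be quietly re-enabled by a list that never saw it.
function mergeContacts(...lists) {
  const merged = new Map();
  for (const list of lists) {
    for (const contact of list) {
      const key = normaliseEmail(contact.email);
      const prev = merged.get(key) || { email: key, subscribed: true, topics: new Set() };
      const subscribed = prev.subscribed && contact.subscribed;
      const topics = subscribed ? new Set([...prev.topics, ...contact.topics]) : new Set();
      merged.set(key, { email: key, subscribed, topics });
    }
  }
  return merged;
}

// Honour a full data-removal request. Once the entry is gone there is nothing
// left to remember the opt-out, which is the trade-off the post points out.
function eraseContact(merged, email) {
  return merged.delete(normaliseEmail(email));
}
```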

Provide an easy means for a person to review or remove their personal data

Maintain an email address for privacy requests. I recommend privacy@yourdomain.com. Place your information officer (medium and large businesses) or business owner (small businesses) on the distribution list. Be clear that if all data is removed, the unsubscribe preference cannot be saved. 

Not all communications can be unsubscribed

If you are a client of a company that needs to keep you updated with service updates, they may subscribe you to their content without your consent. An example of this might be when a company and a person enter into a credit agreement for an asset. Payment status or debt default necessitates electronic communications that cannot be unsubscribed.

 

Final Thoughts

A long and at times complicated piece, but I hope I've managed to distil the POPI Act into a set of principles and actions that will empower marketing professionals, website owners, business owners and anyone else who has a hand in managing personal data in South Africa.

I'm not a legal professional, so please consult a legal professional if you are unsure about anything detailed above. If you are a legal professional and feel my interpretation is incorrect, please reach out to me via the contact form on our contact page. 
