mobile-nav

POPI Act Compliance for Digital Marketers and Website Owners (2023)

Written by
Luke Marthinusen

We provide our personal information to organisations on a daily basis to enable them to provide us with the services we purchase. The Protection of Personal Information Act legally requires them to be a responsible party, and keep our personal data safe. 

Contents:

What is the POPI Act?
Why is the POPI Act important?
Why did I write this article?
Why do digital marketers and website owners need to be aware of the POPI Act?
Five critical digital properties and concepts
Important definitions from the POPI Act
How to be POPI Act compliant
- Website cookies
- Website forms
- Email subscriptions

Key takeaways

  • The Act protects personal information from being mishandled or misused by setting out rules by which organisations go about lawful processing personal information
  • You don't need to understand the entire Act to be POPI compliant. Just understand these five terms:
    • "Person"
    • "Data subject"
    • "Personal information"
    • "Processing"
    • "Operator".
  • It's easy to be POPI Act compliant if you make sure your website cookies, website forms and email subscriptions are set up correctly.

What is the POPI Act?

The Protection of Personal Information Act (POPI Act) is a law in South Africa that governs the processing of personal information by public and private bodies.

The Protection of Personal Information Act aims to protect the privacy rights of individuals by regulating the collection, storage, and use of personal information. The act also provides for the establishment of an Information Regulator to enforce POPI Act compliance with the law.

Why is the POPI Act important?

The Protection of Personal Information Act is important because it:

  • Protects the personal information of individuals from being mishandled or misused by organisations.
  • Sets out specific requirements for how organisations must handle personal information, including obtaining consent for its collection and use, and taking measures to secure and protect personal information.
  • It gives individuals the right to access and correct their personal information, and the right to take legal action if their personal information is mishandled.
  • Protects individuals from identity theft and other forms of fraud, which can have serious financial and emotional consequences.
  • Provides a framework for organisations to handle personal information in compliance with international standards.

Why did I write this article? 

One of my senior strategists asked me if we could get a legal mind to advise on how we should consistently implement POPI Act compliance for our clients. We build websites for large firms, implement CRM systems, and run campaigns. Our work handles a lot of personal information. It’s an entirely logical and prudent request from a very thoughtful and responsible party.

His face scrunched up when I gave my answer. My guess is he didn't agree.

My answer was simple, and here it is:

“South African legal firms and privacy practitioners understand the POPI Act, but when it comes to how to apply the protection of personal information act in the digital space - where the Act meets websites and code - they seem to struggle”

So I set out to break it down for our strategy team. I created a set of basic rules they can work with. Like most things, there's more than one way to skin a cat. This way, however, is the easiest and most robust way to make sure you're information act compliant.

Why must digital marketers and website owners be aware of the POPI Act?

Implemented on 1 July 2020 by the Information Regulator of South Africa, the Protection of Personal Information (POPI Act) provides a legal framework for the protection of any personal information you might capture on a website form, use to email a contact, or handle during your daily duties as a digital marketer.

Website owners and digital marketers need to be aware of the principles outlined in personal information act. They are personally responsible to protect personal information obtained through their website. Personal information processed, collected, used, stored and disposed of must be done in a POPI Act-compliant and lawful way. 

Caveat: I'm not a lawyer!

The legal world is a complex one. Two parties with different views on an event can set their legal teams on one another and spend hours or even years making their view more ‘legally’ correct.  In the end, a judge can have difficulty deciding the case. 

I’m not a lawyer. I'm sure a lawyer could pick holes in this article if they wanted to - but that's not the objective of this piece. I aim to provide digital marketers, marketing managers, marketing directors, and business owners with a clear set of steps to quickly ensure their website and marketing/sales efforts are POPI Act compliant. 

Most of us lead busy lives and don't have the time to get through the entire 76-page Protection of Personal Information Act, let alone apply this legal document in the real world. 

Here are a few basic steps and key sections of the Personal Information Act that, if followed and understood, will ensure you are compliant and protected against falling foul of the POPI Act. 

Five critical digital properties and concepts

You'll need to look closely at these digital properties and activities to make them POPI Act compliant. 

  1. Website cookies
  2. Website forms
  3. Email subscriptions

Then you'll need to understand these definitions to help you make the right call with personal data.

  1. Legitimate interest
  2. Explicit consent

Important definitions from the POPI Act

These are the most important definitions of the protection of Personal Information Act:

  1. Person means a natural person or a juristic person.
  2. Data subject means the person to whom the personal information relates.
  3. Personal information means information relating to a living, natural person, and where it is applicable, existing juristic person (A registered company).
  4. Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information.
  5. Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

Understanding them will help you to interpret what follows.

Read them in more depth in our article: Important definitions from the POPI Act

Ok, let’s get practical. We’ll start with cookies, the much misunderstood, almost always incorrectly implemented, but most common privacy and consent element we all deal with daily. 

How to be POPI Act compliant

1. Website Cookies

The image below shows us a typical cookie policy (consent) popup. We’ve all seen these, but what 99% of people don’t know is that they don’t do what they say they do. The example below is taken from a legal firm in South Africa that consults on the Personal Information Act (POPI Act).

Cookie consent

What you don't realise is that if you click ‘No’ - nothing happens. Cookies will still track your behaviour. Clicking ‘No’ does not stop cookies from tracking you on this website.  

This is consistent with just about every website that has one of these popup policies. Denying consent has no effect.  

In 99% of cases tracking codes from Google Analytics, Google Adwords, Facebook Ads, LinkedIn Ads, etc are not removed by clicking ‘No’.

These codes are generally hard-coded into your website. Clicking an unconnected cookie/consent popup does not remove or disable the code.

A Google Analytics code that looks like this, and is placed in the header of the website. The header is on every single website page. 

google analytics

Note, the last block of text says: The Global Site Tag provides streamlined tagging across Google’s site measurement, conversion tracking, and remarketing products.

Your behaviour is tracked and stored if a website uses this code (and they all do in some form). How personalised the information is, is another discussion entirely. But in a nutshell, the website owner gets anonymous information at a user level. Google, however, knows exactly who you are, where you are, and what your online behaviour is.

What they do with this information is outside of the scope of this article. But for now, you need to know that all websites use cookies, and you can not turn all of them off. These tracking codes track your behaviour and send it to third parties (Google in this case) to enable direct marketing and highly detailed consumer profiling including your personal information, and your personal or household activity.

Even if the cookie/content popup works as intended - after clicking ‘No’ - not all the cookies are disabled. A cookie to store your ‘No’ preference needs to remain. If it didn’t, on the next page load - all the cookies would be active again. 

So, to be transparent and accurate with your website users, your cookie popup notifications should be explicit. Explicit consent is an essential part of staying POPI Act compliant. The popups below acquires explicit consent and are what your cookie popups should look like. The top one is from our own website. We clearly state that if you want to use our website - we use cookies. 

mo cookie consent

Another similar cookie/consent popup that gains explicit consent. 

POPIA cookie consent

If you feel the need to get granular, there are very good solutions to manage the cookies on your website. The top one in my opinion is CookieYes. Just understand it needs to be appropriately configured. If you, your marketing agency or your marketing department/manager is not technical, I recommend following my more basic suggestion above. It's foolproof. Don't try to get fancy. 

Examples of CookieYes implemented correctly and incorrectly

Below on CookieYes's own website, the software is correctly configured. You can turn Google Analytics off.

correct cookie policy

Below on the Information Regulator of South Africa's website, they have CookieYes incorrectly configured. 

SA cookie policy

Here is the code on their website. Google Analytics tracks your every move even though I set it to 'Disabled'.

google analytics code

And here is one of South Africa's most prominent law firms. They must have a very large Data Privacy team in Africa. They know the POPI Act inside out and could run circles around my knowledge on the POPI Act, but it's wrong on their own website.  

My point is, that for most websites, just go with a blanket statement that you're using cookies. Unless you are technically very competent - this is tricky to configure correctly.

bowmans cookie policy 2

Despite disabling analytics, here is the website's Google Tag Manager code tracking my activity:

bowmans - code 2

Here is the Google Analytics code working as it should.

bowmans - tag manager 2

Obviously, the two examples above represent valid attempts at protecting their website users. However, the facts are unwittingly being conveyed incorrectly to website users. 

I highly recommend a cookie notice with a blanket statement that you are using cookies and a button to hide the notice that indicates explicit consent when clicked.

2. Website Forms

The purpose of a website form is to gather personal information. That information is then processed and stored by an operator (website owner).

Although the POPI Act does not reference the term ‘explicit consent’ specifically, I have, for some time, directed our clients and our strategy and technical teams to use this definition. The definition drives one to apply POPIA to your website forms in a very pragmatic and practical way. Just ask yourself, does your form ask for explicit consent to process their personal data?

If you remember, "consent" defined in POPIA means - any voluntary, specific and informed expression of will in terms of which permission is given for the lawful processing of personal information;

The POPI Act regularly references the term ‘legitimate interest’ as cited in a June 2022 article from legal firm Cliff Dekker Hofmeyr, POPI and the defense of legitimate interest. The article is long and complex and states that the POPI Act potentially favours the data processor (website owner) in regards to the legitimate interest, but that the Information Regulator of South Africa would probably find favour in the person/data subject.

As such website owners need to be very clear with their users. 

Quoting directly from the article:

“Section 11 of the POPI Act does not require consent to process personal information, provided that such processing either protects a legitimate interest of the data subject, or is “necessary for pursuing the legitimate interest of the responsible party or of a third party to whom it is supplied”. However, this defense against a lack of consent is obviated by the caveat in section 11(3), which allows a data subject to explicitly object to such processing.”

Practical interpretation:

  1. You don’t have to ask for consent on your website contact form because the user is expressing legitimate interest in products/services from your company.
  2. But, a user may object, at any time, to the processing of their personal information. So you must include a way to explicitly object immediately after form submission. 

Taking this into account, the easiest way to be compliant on a website form is to provide a website form user with a means to confirm explicit consent for your company to process their personal data by informing them that you will process their personal information when they click submit. In addition, provide a link to your Privacy Policy where they can find a means to update, remove or entirely stop the processing of their personal data.

The way we do it on our MO website is by adding the following statements to every form on our website. 

By clicking submit, you understand that MO Agency will process your info to respond to you in accordance with our Privacy Policy.

This statement is low effort for our users to understand. The user provides explicit consent because they voluntarily click the button in a specific and informed manner. In addition, the user has an easy to access method to object to the processing of their personal information. 

mo contact form

To exercise their rights to object, the section in our privacy policy called ‘Your Access to and Control Over Information’ is very clear in its purpose and provides a form, an email and a telephone number to manage this process.mo privacy
3. Email Subscriptions

On any marketing or sales outreach communication, be it on email, SMS, WhatsApp or any other channel it is a legal requirement to have a working opt-out mechanism

Below you will find one of our email marketing efforts to our clients. At the bottom, there is a clear opt-out mechanism. 

email with opt out

Clicking Unsubscribe automatically unsubscribes you from all our subscriptions. It looks like this:

Unsubscribe
Clicking Manage preferences allows a subscriber to customise the communications they receive or unsubscribe from everything. 

email communication preferences

You must have either Manage preferences or Unsubscribe or both in all your marketing communications.

Essential considerations for subscription preferences

Carefully maintain your unsubscribe list

If you are migrating or moving contacts between ERPs, CRMs and email software platforms (eg. MailChimp, HubSpot, Everlytic, etc.) take special care to migrate the communication preferences as well. This is very often neglected. I can think of countless companies that continue to send me direct marketing email communications and I have to periodically unsubscribe. The unsubscribe preference is remembered for a few months until I receive it again.

To maintain a list of unsubscribed users, the person's email address must be retained

If the user's personal email address is deleted entirely, the communications preferences can not be stored.

Provide an easy means for a person to review or remove their personal data

Maintain an email for privacy requests. I recommend privacy@yourdomain.com. Place your information officers (medium and large businesses) or business owners (small) on the distribution list. Be clear that if all data is removed, the unsubscribe preference can not be saved. 

Not all communications can be unsubscribed

If you are a client of a company that needs to keep you updated with service updates, they may subscribe you to their content without your consent. An example of this might be when a company and a person enter into a credit agreement for an asset. Payment status or debt default necessitates the need for electronic communications that can not be unsubscribed.

Final Thoughts

A long and, at times, complicated piece, but I hope I've managed to distil the POPI Act into a set of principles and actions that will empower marketing professionals, website owners, business owners and anyone else who is has a hand in managing personal data in South Africa.

I'm not a legal professional, so please consult a legal professional if you are unsure about anything detailed above. If you are a legal professional and feel my interpretation is incorrect, please reach out to me via the contact form on our contact page. 

 

Recent posts like this

HubSpot

HubSpot Pricing 2024: A Guide to the Latest Pricing

CRM

5 CRM Systems You Should Consider

HubSpot

HubSpot's AI Assistants for Content Generation and Optimisation

CRM

HubSpot CRM Implementation: Change Management for Sales Teams