If your website, company or organisation is based in South Africa and you process personal information, you are legally obliged to comply with the Protection of Personal Information Act (POPIA, commonly called the POPI Act).
Moreover, the act also applies to a responsible party that is not based in South Africa but processes personal information using means located within the country, so a foreign-hosted website that serves South African users is not automatically out of scope.
The act took effect on 1 July 2020 with a one-year grace period for compliance; enforcement began on 1 July 2021.
The new laws replace the data-protection provisions in Chapter VIII of the Electronic Communications and Transactions Act (ECTA) of 2002. That chapter set out principles for collecting personal information, but compliance with them was voluntary for companies and organisations.
With the deadline for compliance fast approaching, you need to take the necessary steps to protect the personal information you collect and use – if you haven’t already.
Wait . . . what’s a cookie again?
Cookies are small name/value records that your website stores in your visitor’s browser and that the browser sends back with every subsequent request to your site. They typically hold things like a session identifier, a preferred language or a location setting, but they can carry a wide range of information, including personally identifiable information.
Cookies basically perform two actions:
• they remember state between requests to improve your visitor’s experience of your website
• they track your user’s behaviour on your site (and, in the case of third-party cookies, across other sites)
What exactly is personal information?
The POPI Act defines personal information as: “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”
In other words, personal information is any data that can be used to identify a person (and, unusually, a company as well).
It may include:
• names, addresses, telephone numbers and email addresses
• information about age, race, gender, appearance, characteristics, sexual orientation, political persuasion, religious beliefs and language
• health data such as mental wellbeing and disabilities
• online identifiers such as email addresses, IP addresses, cookie values, unique identifiers, search and browser history and location data
The introduction of the POPI Act means that data subjects in South Africa (not only citizens) have the right to protect their data and privacy, gain insight into what data is collected about them and request that it be corrected or deleted.
In terms of the act, personal information may only be processed on a lawful basis. For a website the usual basis is the data subject’s consent, which must cover the specific purposes for which the personal information is being collected; other grounds, such as processing needed to perform a contract with the data subject or to meet a legal obligation, are narrower and should not be assumed to cover tracking or marketing.
In terms of the new laws, there are eight conditions that must be satisfied when processing personal information: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
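The practical consequence for the cookies described above is that only strictly necessary cookies may be set before the visitor agrees; anything used for preferences, analytics or marketing has to wait for a purpose-specific consent, and withdrawing that consent has to actually expire the cookies already set. The following is an added example of how a site can enforce that in browser code; it is not code from the original article. The category names, the `consent` cookie that stores the record, and the cookie registry are assumptions made for the example.

```javascript
// Consent-gated cookie handling (added example, not the article's own code).
// Assumptions: four cookie categories, a first-party "consent" cookie that holds
// the consent record, and a constructed registry of the cookies this site sets.
const CATEGORIES = ["necessary", "preferences", "analytics", "marketing"];
const CONSENT_COOKIE = "consent"; // itself strictly necessary, so always allowed

// Constructed registry: which cookie belongs to which category.
const COOKIE_REGISTRY = [
  { name: "session_id", category: "necessary" },
  { name: "lang", category: "preferences" },
  { name: "site_analytics_id", category: "analytics" },
];

function assertCategory(category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
}

// A fresh record: nothing beyond strictly necessary cookies is permitted.
function newConsent() {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = c === "necessary";
  return { version: 1, grantedAt: null, categories };
}

// Record consent for named categories only (purpose-specific, not a blanket "accept").
function grantConsent(consent, categories, now = new Date()) {
  const updated = { ...consent, categories: { ...consent.categories }, grantedAt: now.toISOString() };
  for (const c of categories) { assertCategory(c); updated.categories[c] = true; }
  return updated;
}

// Withdrawal must be as easy as granting; necessary cookies remain permitted.
function withdrawConsent(consent, categories) {
  const updated = { ...consent, categories: { ...consent.categories } };
  for (const c of categories) { assertCategory(c); if (c !== "necessary") updated.categories[c] = false; }
  return updated;
}

function mayStore(consent, category) {
  assertCategory(category);
  return category === "necessary" || consent.categories[category] === true;
}

// Serialise a cookie with safe defaults: Secure, SameSite=Lax and an explicit lifetime.
function buildCookie(name, value, { maxAgeSeconds = 0, path = "/", sameSite = "Lax", secure = true } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAgeSeconds > 0) parts.push(`Max-Age=${maxAgeSeconds}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// The gate every cookie write goes through: returns the cookie string it set,
// or null when the visitor has not consented to that category.
function setCookieIfPermitted(consent, category, name, value, opts) {
  if (!mayStore(consent, category)) return null;
  const cookie = buildCookie(name, value, opts);
  if (typeof document !== "undefined") document.cookie = cookie; // browser only
  return cookie;
}

// After a withdrawal, every registered cookie whose category is no longer
// permitted must be expired (set again with Max-Age=0), not merely left alone.
function cookiesToExpire(consent, registry = COOKIE_REGISTRY) {
  return registry.filter((c) => !mayStore(consent, c.category)).map((c) => c.name);
}

// Persist the record in the consent cookie (default lifetime 180 days).
function serialiseConsent(consent, maxAgeSeconds = 180 * 24 * 3600) {
  return buildCookie(CONSENT_COOKIE, JSON.stringify(consent), { maxAgeSeconds });
}

// Read the record back from a document.cookie-style string ("a=1; b=2"). Anything
// missing or malformed falls back to "no consent": the gate fails closed.
function readConsent(cookieString) {
  const fallback = newConsent();
  for (const pair of cookieString.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(pair.slice(eq + 1).trim()));
      if (!parsed || !parsed.categories || typeof parsed.categories !== "object") return fallback;
      const categories = {};
      for (const c of CATEGORIES) categories[c] = c === "necessary" || parsed.categories[c] === true;
      return { version: 1, grantedAt: typeof parsed.grantedAt === "string" ? parsed.grantedAt : null, categories };
    } catch (_) {
      return fallback;
    }
  }
  return fallback;
}
```

In a real deployment the consent record is read with `readConsent(document.cookie)` on every page load, and analytics or marketing scripts are only loaded once `mayStore` returns true for their category; the timestamp in `grantedAt` is what lets you show later that consent existed when a given cookie was set.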
What does the POPI Act have to do with my website?
Most websites collect some form of customer or user data. Data collection from a website can come from:
• Email newsletters
• Contact forms
• Cookies and the analytics or advertising scripts that set them
According to Kyle Torrington of Hello Contract, one of the biggest mistakes website owners can make is to bury their head in the sand when it comes to compliance.
If your business is online, you should be asking:
• Do I collect user data?
• How do I become compliant and stay compliant?
He adds that becoming “superficially compliant” – becoming compliant for the sake of it – should also be avoided.
Presenting an “incorrect document to your users means that you are knowingly not complying with the POPI Act and can potentially damage both your business’s image as well as your bank balance,” he writes.
Failure to comply with the new regulations once the grace period ended on 1 July 2021 can result in penalties imposed by the Information Regulator of up to 10 years in prison or a fine of up to R10 million, depending on the offence.
Your website also needs a privacy policy, for two reasons.
- Google requires one in the terms of service for products such as Google Analytics and AdSense
- In terms of the POPI Act, privacy policies are a legal requirement when a company stores, transfers, or handles someone’s personal information.
In its POPI roundup, law firm Cliffe Dekker Hofmeyr notes it’s vital for companies (and, by default, website owners) not to take any shortcuts with regards to direct marketing.
Direct marketing is a great way for companies to quickly grow a customer base. But as the POPI Act is enforced, these companies will have to review their marketing channels to ensure they are compliant.
5 tips to help you stay on the right side of the law
1. Obtain consent: direct marketing using any form of electronic communication (SMS, email, automated calls) is no longer allowed unless the person has consented to receive it or is an existing customer whose details were obtained in the course of a sale, who is being marketed similar products or services, and who was given the chance to opt out at the time.
2. Unsubscribe option: All electronic communications must contain an unsubscribe option and companies need to be vigilant when a consumer requests that they no longer want to receive marketing messages.
3. Include sender details: All direct marketing communications must contain the sender’s contact details so that a recipient can request that these communications are no longer sent.
4. Stick to permitted times: Specific days and times of days have been prescribed for direct marketing and marketers must be aware of these constraints.
5. Cooling-off period: Under the Consumer Protection Act, a customer is entitled to cancel a transaction resulting from any direct marketing without reason or penalty within 5 business days.
Privacy is a big issue. And when correctly implemented, privacy policies benefit website owners and their users.
A win for businesses that need to understand consumer behaviour to improve their marketing. And a win for consumers who have the right to have their privacy respected.