
POPIA website checklist for South African businesses (2026)

Published 20 April 2026 · by Axious Creative Studio · 9 min read · Disclaimer: informational, not legal advice.

TL;DR. POPIA applies to every SA business website that collects a name, email or phone number. The minimum viable compliance is 23 items: privacy notice, cookie banner, consent checkboxes, data subject rights, Information Officer registration, retention policies, security measures, third-party processor disclosures. We cover all 23 below in plain English. Every Axious site ships with items 1-20 built in.

Who POPIA actually applies to

POPIA (the Protection of Personal Information Act, 4 of 2013) commenced on 1 July 2020, and the one-year grace period ended on 30 June 2021; it has been fully enforceable since 1 July 2021. If you collect personal information from South Africans, and a website with a contact form does exactly that, POPIA applies to you. There is no small-business exemption.

"Personal information" under POPIA is broad: name, email, phone, ID number, IP address, location, device info, photos, voice recordings, even employment history. If your form captures any of these, you're in scope.

Penalty risk. The Information Regulator can impose administrative fines of up to R10 million, and the Act creates criminal offences carrying up to 10 years' imprisonment for the most serious ones. Most realistic scenario: a disgruntled customer complains to the Regulator, and you are asked to produce your compliance documentation at short notice.

The full 23-item checklist

Privacy notice & disclosure

1
Publish a privacy notice (aka privacy policy).

Accessible from every page via a footer link. Must cover: what data you collect, why, how long you keep it, who you share it with, and user rights. Generic templates get you 70% there — customise for your actual practice.

2
Include lawful processing basis.

State your basis under POPIA §11: consent, performance of a contract with the data subject, an obligation imposed by law, protection of the data subject's legitimate interest, performance of a public-law duty, or the legitimate interests of your business or a third party. Be specific per data category: a contact form can usually rest on contract or legitimate interest, while a newsletter rests on consent.

3
List data categories collected.

Name, email, phone, address, IP, payment info, cookies — itemise everything. Google Analytics, Facebook Pixel, WhatsApp widgets all count.

4
Disclose third-party processors.

If you use Mailchimp, Google Analytics, PayFast, Stripe, Vercel, Cloudflare — list them by name with a link to their privacy policy. Cross-border transfer notice required for non-SA providers.

Consent management

5
Use explicit opt-in consent checkboxes.

No pre-ticked boxes. Where consent is your lawful basis, the form needs an unticked checkbox saying "I agree to [company] processing my information per the Privacy Notice". Newsletters and other direct marketing need a separate, unticked marketing-consent checkbox; bundling it into the general one is not valid consent.

6
Keep consent records.

Log a timestamp, the IP address, which purposes were ticked and which version of the privacy notice was shown, every time someone consents. That is your proof if a customer later claims they never agreed, and it only works if the record identifies the exact wording they saw. The log itself contains personal information, so give it a retention period too.

7
Provide a consent-withdrawal mechanism.

Usually an unsubscribe link in marketing emails plus an "opt-out" option in the privacy notice. Withdrawal must be as easy as the original opt-in.

Cookies & tracking

8
Show a cookie banner on first visit.

Must explain cookie use, allow users to accept or decline non-essential cookies, not auto-set analytics/marketing cookies until consented.

9
Split cookies into categories.

Essential (always on), Analytics (Google Analytics), Marketing (Facebook Pixel, remarketing), Preferences. User should be able to opt in/out per category.

10
Honour "Do Not Track" headers where reasonable.

Best practice: if the browser sends DNT: 1, or the newer Global Privacy Control signal (Sec-GPC: 1 on the request, navigator.globalPrivacyControl in the page), default analytics and marketing cookies to off and have the banner default its toggles to "off" rather than "accept all". Some browsers have already dropped DNT in favour of GPC, so handle both.
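The gating logic for items 8 to 10, as an added example written for this page and not code from Axious or any consent-management product. Nothing in the analytics or marketing categories is loaded until the visitor opts in to that category, consent recorded under an older version of the cookie notice is treated as no consent, and a DNT or GPC signal keeps the non-essential categories off by default while an explicit choice the visitor has already made still wins. The cookie name, notice version, script URLs and the names of the third-party cookies are assumptions for the example; the DOM calls are guarded so the decision functions also run under Node.

```javascript
// Added example: category-based cookie consent gate for a website.
const NON_ESSENTIAL = ['analytics', 'marketing', 'preferences'];
const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const POLICY_VERSION = 3;                  // bump whenever the cookie notice changes
const SCRIPTS = {                          // placeholder tag URLs, one per category
  analytics: 'https://analytics.example/tag.js',
  marketing: 'https://ads.example/pixel.js',
};

// Parse "v=3;analytics=1;marketing=0;preferences=1". Returns null when the
// cookie is missing, malformed, or written under an older notice version:
// stale consent is not consent for the current notice.
function parseConsent(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  const fields = {};
  for (const part of raw.split(';')) {
    const [k, v] = part.split('=');
    if (k !== undefined && v !== undefined) fields[k.trim()] = v.trim();
  }
  if (Number(fields.v) !== POLICY_VERSION) return null;
  const consent = { essential: true };
  for (const c of NON_ESSENTIAL) consent[c] = fields[c] === '1';
  return consent;
}

function serializeConsent(consent) {
  const parts = [`v=${POLICY_VERSION}`];
  for (const c of NON_ESSENTIAL) parts.push(`${c}=${consent[c] ? 1 : 0}`);
  return parts.join(';');
}

// Effective state for this page view.
//   raw     - current consent cookie value, or null
//   signals - { dnt: navigator.doNotTrack, gpc: navigator.globalPrivacyControl }
// A stored explicit choice wins. Otherwise everything non-essential is off,
// the banner must be shown, and an opt-out signal is reported so the banner
// defaults its toggles to "off" instead of offering "accept all" first.
function resolveConsent(raw, signals) {
  const stored = parseConsent(raw);
  if (stored) return { consent: stored, showBanner: false, optOutSignal: false };
  const optOutSignal = signals.dnt === '1' || signals.gpc === true;
  return {
    consent: { essential: true, analytics: false, marketing: false, preferences: false },
    showBanner: true,
    optOutSignal,
  };
}

// The only place a tag may be loaded from: never when its category is off.
function shouldLoad(category, consent) {
  return category === 'essential' || consent[category] === true;
}

// Browser glue; no-ops under Node so the functions above stay testable.
function readSignals() {
  if (typeof navigator === 'undefined') return { dnt: null, gpc: false };
  return { dnt: navigator.doNotTrack, gpc: navigator.globalPrivacyControl === true };
}

function readCookie(name) {
  if (typeof document === 'undefined') return null;
  const m = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return m ? decodeURIComponent(m[1]) : null;
}

// Max-Age=0 deletes. Third-party cookies must be deleted with the same Domain
// attribute the tag used to set them, or the browser keeps the original.
function writeCookie(name, value, maxAgeSeconds, domain) {
  if (typeof document === 'undefined') return;
  const dom = domain ? `; Domain=${domain}` : '';
  document.cookie = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/${dom}; SameSite=Lax; Secure`;
}

function applyConsent(consent) {
  if (typeof document === 'undefined') return;
  for (const [category, src] of Object.entries(SCRIPTS)) {
    if (!shouldLoad(category, consent)) continue;
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
}

// Called by the banner's buttons with the categories the visitor ticked.
// Declining a category also removes cookies that tag may have set earlier
// (cookie names and domain are examples).
function saveChoice(consent, siteDomain) {
  writeCookie(CONSENT_COOKIE, serializeConsent(consent), 60 * 60 * 24 * 180);
  if (!consent.analytics) for (const n of ['_ga', '_gid']) writeCookie(n, '', 0, siteDomain);
  if (!consent.marketing) writeCookie('_fbp', '', 0, siteDomain);
  applyConsent(consent);
}

// On page load: load nothing non-essential unless a current consent exists.
const pageState = resolveConsent(readCookie(CONSENT_COOKIE), readSignals());
applyConsent(pageState.consent);
// if (pageState.showBanner) showBanner(pageState.optOutSignal);  // banner UI lives elsewhere
```

The important property is that the tag URLs appear only inside applyConsent, so there is no code path that loads an analytics or marketing script before a category is on; a banner that shows a notice but lets the tags load anyway fails item 8.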

Data subject rights

11
Explain user rights.

POPIA grants rights to access, correct, delete, and object to processing. Privacy notice must list these in plain English.

12
Provide a subject access request (SAR) process.

Dedicated email (e.g. privacy@yourdomain.co.za) or form. Must respond within 30 days. Simple template works.

13
Deletion on request ("right to be forgotten").

Users can ask you to erase their data. You must comply unless legal retention requirements apply (e.g. SARS records).

14
Data portability.

Ability to export a user's personal data in a machine-readable format (CSV, JSON). POPIA does not spell out a portability right the way GDPR does; treat this as good practice that also makes §23 access requests quick to fulfil. Usually only relevant for complex SaaS.

Information Officer

15
Appoint an Information Officer.

Defaults to CEO/owner. No hire required.

16
Register with the Information Regulator.

Free. Done online at inforegulator.org.za. Takes ~15 minutes. Keep the confirmation email.

17
Publish Information Officer contact details.

Name, email and phone in the privacy notice. No dedicated page is required.

Security & storage

18
HTTPS everywhere.

HTTPS on every page, with plain HTTP redirected to HTTPS and an HSTS header so browsers stop trying HTTP at all. Let's Encrypt is free, so there is no excuse. Axious defaults to HTTPS.

19
Set retention periods.

Document how long you keep what: 5 years financial, 3 years marketing, 30 days cart abandonment, etc. Include in privacy notice.

20
Encrypt stored data.

Passwords hashed with a random per-user salt and a slow, memory-hard function (bcrypt, scrypt or argon2), never plain SHA-256 or MD5. Sensitive fields (ID numbers, banking details) encrypted at rest, with the key held outside the database (an environment secret or a KMS), so a leaked dump or backup is useless without it. Database backups also encrypted.

21
Access controls.

Staff only see data they need. Role-based permissions if you have team members. Audit logs of who accessed what.
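Field-level access control with an audit trail, as an added example written for this page (Node.js, no dependencies), not code from Axious. Each role sees only the fields it needs, every read and every refusal is logged with who, what and when, and the log records which fields were actually disclosed, which is the question you need answered during a breach investigation or an access request. The roles, field names and sample customer are assumptions made up for the example.

```javascript
// Added example: role-based field redaction with an audit log.

// Fields each role may read. Anything not listed is never returned.
const FIELD_POLICY = {
  support: ['name', 'email', 'phone'],
  finance: ['name', 'email', 'id_number', 'bank_account'],
  owner:   ['name', 'email', 'phone', 'id_number', 'bank_account', 'notes'],
};

// Return a copy of `record` containing only the fields `role` may see and
// append an audit entry. A role absent from the policy gets nothing and a
// 'denied' entry; the refusal is logged too, since repeated refusals are a signal.
function viewRecord({ actorId, role }, record, audit, now = () => new Date()) {
  const allowed = FIELD_POLICY[role];
  const entry = { at: now().toISOString(), actorId, role, recordId: record.id, action: 'read' };
  if (!allowed) {
    audit.push(Object.freeze({ ...entry, outcome: 'denied', fields: [] }));
    throw new Error(`role '${role}' may not read customer records`);
  }
  const view = { id: record.id };
  const disclosed = [];
  for (const field of allowed) {
    if (field in record) {
      view[field] = record[field];
      disclosed.push(field);
    }
  }
  audit.push(Object.freeze({ ...entry, outcome: 'ok', fields: disclosed }));
  return view;
}

// Who has looked at a given customer, newest first.
function accessHistory(audit, recordId) {
  return audit.filter((e) => e.recordId === recordId).reverse();
}

// Constructed walk-through: support, finance and an unknown role read one record.
function demo() {
  const audit = [];
  const customer = {
    id: 'cust-42', name: 'Thandi M.', email: 'thandi@example.com', phone: '+27 82 000 0000',
    id_number: '0000000000000', bank_account: '000000000', notes: 'VIP',
  };
  const supportView = viewRecord({ actorId: 'sam', role: 'support' }, customer, audit);
  const financeView = viewRecord({ actorId: 'fin', role: 'finance' }, customer, audit);
  let denied = false;
  try { viewRecord({ actorId: 'intern', role: 'intern' }, customer, audit); } catch (e) { denied = true; }
  return { supportView, financeView, denied, history: accessHistory(audit, 'cust-42') };
}
```

The policy is a deny-by-default allow-list, so adding a new sensitive column to the database discloses it to nobody until a role is explicitly granted it; the audit array stands in for an append-only table the application user cannot update or delete.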

Incident response

22
Data breach notification plan.

If a breach happens, notify the Information Regulator AND affected users "as soon as reasonably possible". Have a one-page incident response doc ready.

23
Annual review.

Schedule a yearly check: new processors added? retention periods still valid? IO details current? Document the review.

What Axious builds in by default

Every Axious website (Starter, Business, Premium) includes items 1-20 out of the box.

Items 21-23 (access controls, breach plan, annual review) are operational — we provide a one-page template you can fill in and store off the website.

"We were quoted R18,000 by a legal firm just for a POPIA audit. Axious included the whole thing in a R4,499 website build." — SA coaching practice, Pretoria

FAQs

Does POPIA apply if I only sell to international customers?

If you operate from SA or process personal information in SA, POPIA applies regardless of where your customers are. If you also sell into the EU, GDPR applies too; the two overlap heavily, so one well-built privacy programme covers most of both.

Can I just copy-paste a privacy notice from another site?

Technically yes, but risky — if it doesn't match your actual practice the Regulator will treat it as misrepresentation. Better to use a template and customise.

How often should I update my privacy notice?

Every time you add a new data-collecting feature (new form, new analytics tool) and at least annually. Keep a "last updated" date visible.

What if I host outside South Africa (e.g. Vercel)?

Allowed, but you must disclose the cross-border transfer in your privacy notice and make sure the host is bound to an adequate level of protection (POPIA §72), usually through the host's data processing agreement. Vercel, AWS and Cloudflare all publish one; read it and keep a copy with your compliance documentation.

Do I need explicit consent for my existing customer database?

For records lawfully collected for a purchase or contract, no: that processing rests on the contract, not on fresh consent. Marketing to existing customers is allowed under POPIA §69(3) for your own similar products, provided they could opt out when you collected their details and can opt out in every message, but re-consent is safer if you are not sure how the list was built.

What's a data breach under POPIA?

Unauthorised access, loss, or disclosure of personal information. Examples: database hack, lost laptop with customer data, email sent to wrong recipient with PI attached, website database publicly exposed.

Need a POPIA-ready site?

If your current website is missing half of this list, we can retrofit it (R1,500 add-on) or rebuild it POPIA-ready from scratch for R2,499-R6,999.