South African businesses operating websites are subject to a set of legal obligations that are distinct from those in Europe (GDPR) or the US. Two pieces of legislation are most directly relevant: the Protection of Personal Information Act (POPIA) and the Electronic Communications and Transactions Act (ECT Act). Non-compliance carries real risk — POPIA violations can result in fines of up to R10 million or ten years' imprisonment for responsible parties.
POPIA: What It Requires From Your Website
POPIA became fully enforceable on 1 July 2021. It regulates how businesses collect, store, process, and share personal information about South African residents. For a website, this translates into several concrete requirements:
- Privacy Policy — Your website must have a clearly accessible privacy policy explaining what personal information you collect (names, email addresses, phone numbers, IP addresses), why you collect it, how it is stored, who it is shared with, and how users can request deletion or correction.
- Cookie Notice — If your site uses cookies that collect or track personal information, users must be informed and, for non-essential cookies, must provide consent before those cookies are activated.
- Lawful Processing Basis — You must have a valid legal reason for collecting personal information. For most SME websites, this is either consent (user fills in a contact form) or legitimate interest (analytics). The basis must be documented.
- Data Subject Rights — Users have the right to access, correct, or delete their personal information. Your site must provide a mechanism to make these requests, typically via email to a designated Information Officer.
- Cross-Border Data Transfers — If your website uses US-based services (such as Wix, Mailchimp, or Google Analytics), you are technically transferring personal data outside South Africa. POPIA requires that the receiving country have adequate data protection laws, or that a data processing agreement is in place.
ECT Act: Mandatory Website Disclosures
The Electronic Communications and Transactions Act requires that South African business websites — particularly those conducting e-commerce — display specific information:
- Full legal business name and registration number (from CIPC if incorporated)
- Physical address in South Africa (a PO Box is insufficient for ECT Act compliance)
- Contact details including email address and telephone number
- VAT registration number if the business is VAT-registered
- For e-commerce: full description of goods or services, prices in ZAR inclusive of VAT, delivery terms, return and refund policy, and the steps of the ordering process
Consumer Protection Act Considerations
The Consumer Protection Act (CPA) applies to transactions conducted online. Key website implications include clear, plain-language terms and conditions, no misleading pricing, an accessible refund and returns policy, and transparency about promotional conditions. If your website accepts bookings or orders, your terms must comply with CPA requirements on cancellation and cooling-off periods.
Building Compliance Into Your Website From Day One
Retrofitting legal compliance onto an existing website — especially one built on a US-hosted template platform — is significantly harder than building it in from the start. A custom-built website allows you to implement POPIA-aligned data collection forms, cookie consent mechanisms, and mandatory ECT Act disclosures as structural components of the site, not afterthoughts bolted on with plugins.
Is a privacy policy legally required for all South African websites?
Yes, if your website collects any personal information — including names, email addresses, or IP addresses through analytics. POPIA requires that you inform users about how their information is processed, and a privacy policy is the standard mechanism for doing so. Even a simple contact form triggers this obligation.
Does using Wix or WordPress create POPIA compliance issues for SA businesses?
Potentially yes. Both platforms store data on US-based servers. POPIA restricts cross-border transfers of personal information to countries or organisations that do not have equivalent data protection standards. Using US-hosted platforms requires either a data processing agreement with the platform provider or reliance on another POPIA-approved transfer mechanism. This is an area where purpose-built, locally-hosted or CDN-deployed custom websites have a structural advantage.
What is the penalty for POPIA non-compliance in South Africa?
The Information Regulator can impose administrative fines of up to R10 million for certain POPIA violations. More serious offences — such as knowingly processing personal information unlawfully — carry criminal penalties including imprisonment of up to ten years for responsible parties. Reputational damage and civil liability from affected individuals are additional risks beyond the statutory penalties.