Skip to content

SA’s Protection of Personal Information Act (POPIA) is implemented.

President Cyril Ramaphosa has announced the commencement dates for the final parts of the Protection of Personal Information Act (POPIA). Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) commenced on 1 July 2020.

These sections regulate:

  • The conditions for the lawful processing of personal information;
  • The regulation of the processing of special personal information;
  • Codes of Conduct issued by the Information Regulator;
  • Procedures for dealing with complaints;
  • Provisions regulating direct marketing by means of unsolicited electronic communication,
  • and general enforcement of the Act.

Entities (both public bodies and private companies) using personal data have until 30 June 202 to bring their practices into line with the Act when the last 2 sections of the law (110 & the rest of 114) will be applied.

POPIA has therefore continued to be something of a dog’s dinner, with some parts (on storage of data, keeping data up to date and data breaches) already in force for some time, while the rest is applied but with the full “grandfather” clause allowing a year’s grace for data processors to get their processes into line. It is worth remembering that this law has some pretty hefty fines (up to R10 million) and also criminal offences for some sections (eg the processing of sensitive data), and the Information Regulator is rearing to go after three years of sitting on its hands.

As far as ecommerce is concerned, please note that you may process, store and use customers’ data collected “in the context of a sale” (even if the customer doesn’t go through with the purchase). This leaves a number of issues unclear – such as how long you can keep data, and can you use that data to market unconnected products (ie if you collect the data during the sale of some clothes, can you then market electronic goods to that customer?). We believe these unclarities will be sorted out over the coming year.

However, be aware that you should NEVER share, or sell, your data with 3rd party marketers unless you have specifically had the customers’ opt-in. Traditional direct marketers are much more strictly regulated to prevent email spam and the other socially unacceptable practices that direct marketers get up to.

Ecommerce companies must also always offer customers the option to opt-out. Practising common sense when marketing to consumers is advised.

Please also note that POPIA treats personal and company data equally, therefore the law applies equally to B2C and B2B online sales.

Posted in

Alastair Tempest

Leave a Comment

Become a member

Join the Ecommerce Forum South Africa and benefit from industry insights in South Africa and Africa.

Sign up to newsletter

Sign up to our newsletter and stay informed of the progress we are making at the Ecommerce Forum South Africa with government during Coronavirus.