Kleinhans.Digital
Web Design | 11 May 2026 | 4 min read

POPIA and Your Website: What South African Business Owners Need to Know

POPIA affects ordinary business websites when they collect names, phone numbers, email addresses or enquiry details. Compliance starts with clear notices, limited collection and secure handling.

POPIA is not only a concern for banks, insurers and large corporates. If your website collects personal information from South African customers, POPIA matters. A simple contact form can collect a name, phone number, email address, company name and message. A quote form may collect addresses, project details or budget information. A booking form may collect health, education or other sensitive context depending on the industry. That information has to be handled responsibly.

The Protection of Personal Information Act regulates how personal information is processed. Processing is a broad idea. It includes collecting, storing, using, sharing, updating and deleting information. For a website owner, the practical question is not whether you have a complex database. The question is whether personal information enters your business through the site and what happens after that.

Start with a clear privacy policy or privacy notice. It should explain who is collecting the information, what is collected, why it is collected, how it is used, who it may be shared with, how long it is kept, and how a person can ask for access, correction or deletion. It should be written in plain language. A copied overseas GDPR policy that does not match your actual tools, forms or South African context is not enough.

Collect only what you need. Many contact forms ask too much. If you only need to call the person back, do not ask for unnecessary personal details. If the form is for a quote, explain why certain fields are needed. Shorter forms are also better for conversion, especially on mobile. POPIA and good user experience point in the same direction: reduce unnecessary friction and unnecessary data.

Be careful with marketing consent. If someone sends an enquiry, that does not automatically mean they agreed to receive unrelated marketing forever. Direct marketing by electronic communication has specific POPIA requirements, especially for people who are not existing customers. Keep consent clear, specific and recorded where needed. Always provide a simple way to opt out. Do not add every website enquiry to a bulk mailing list without thinking through the legal basis.

Secure the information you collect. Use HTTPS. Keep website software updated. Restrict admin access. Use strong passwords and multi-factor authentication where possible. Make sure form submissions are not sent to random personal inboxes with no control. If you use third-party tools such as form processors, email marketing platforms, booking systems, analytics tools or CRMs, understand where the data goes and whether the supplier is appropriate for your business risk.

Have a process for security incidents. The Information Regulator requires security compromise notifications through its eServices portal for reportable incidents. That means a business should know who checks the issue, what information may be affected, and who must be notified. Small businesses often ignore this until something goes wrong. A simple incident checklist is better than panic.

Cookies and analytics should be honest. If the site uses analytics, advertising pixels, embedded maps, chat widgets or tracking scripts, the privacy notice should reflect that. Avoid pretending the site does not track anything if it clearly loads third-party tools. Also avoid installing every marketing script available. More scripts can mean more data sharing, slower pages and more compliance questions.

POPIA compliance is not a badge you add to the footer. It is a set of habits: collect less, explain clearly, protect access, choose suppliers carefully, honour requests, and keep records where appropriate. For most South African SME websites, the first useful step is a form and privacy review. Check what data is collected, where it is sent, who can access it and whether the privacy page matches reality. That alone fixes many common problems.
