POPIA – the Protection of Personal Information Act – has been in force in South Africa since 2021, and yet a startling number of marketing websites we audit either ignore it entirely or have copy-pasted a Privacy Policy from a US template that doesn’t actually comply. This piece is the short, practical version of what your website needs to do under POPIA, written for business owners, not lawyers.
Disclaimer: we are a creative studio, not a law firm. For anything material, you should run your final policy and consent flows past someone qualified. That said, the basics below cover what we implement on every site we build, and what the Information Regulator actually expects.
What POPIA is really about
POPIA is essentially the South African analogue of GDPR, the European data privacy law that became enforceable in 2018. The principles are similar: you may only collect personal information for a specific, explicitly defined purpose, with the person’s knowledge and a lawful basis (for a marketing website that basis is almost always their consent); you have to keep it secure; you have to let them ask what you hold on them and request correction or deletion; and there are real penalties for getting it wrong.
For most marketing websites, the practical questions are:
- What personal information are we collecting?
- Why are we collecting it?
- Have we told the visitor we are collecting it?
- Did they consent?
- Are we keeping it secure?
- Can we hand it over or delete it on request?
If you can answer all six clearly, you are most of the way there.
The four things every site should have
1. A real Privacy Policy
Not a copy-paste from another business, and not a US template. Your Privacy Policy should specifically describe what your business collects, why, what you do with it, who you share it with, how long you keep it, and how someone can ask to see or delete what you have.
It should be linked from the footer of every page, not buried. It should be in plain language – the Act doesn’t require legalese and the regulator increasingly prefers plain English. It should name the person at your business who handles data queries (POPIA calls this the Information Officer; by default it is the CEO or equivalent, who may delegate the day-to-day work).
If you do not have one and need a starting point, our own Privacy Policy is a reasonable template – it is structured around the POPIA requirements rather than borrowed from elsewhere.
2. Explicit consent on every form
Every form on the site that collects personal information – contact forms, newsletter signups, downloads, anything – should have an explicit consent mechanism. Not a pre-ticked box. Not “by submitting this form you agree to…”. An actively checked box that says, in plain language, what the person is consenting to.
For example, our own contact form has a required checkbox that reads: “I consent to Creature of Habit processing the information above to respond to my enquiry, as set out in the Privacy Policy.” The visitor cannot submit the form without ticking it. The consent is logged with the submission so there is a record.
This is not legal pedantry. POPIA defines consent as a voluntary, specific and informed expression of will. A pre-ticked box is none of those things. A hidden line in the terms of service is none of those things. An actual checkbox with plain-language wording, ticked by the visitor, is.
3. A cookie/tracking notice (when you use cookies)
If your site uses analytics (Google Analytics, Plausible, Fathom), advertising tracking (Meta Pixel, LinkedIn Insight Tag), or any other cookies beyond functional ones, you need to tell visitors what loads and, for anything that tracks individuals, give them a genuine way to accept or refuse it before it loads.
The right shape of the notice depends on what you are doing. If you only use privacy-respecting analytics that don’t track individuals (Plausible, Fathom, Cabin), a single notice is often enough. If you are using Google Analytics with default settings, Meta Pixel, or any advertising tracking, you probably need a more elaborate consent banner that lets users opt out of categories.
We use a minimal notice on this site because we only collect form submissions and don’t run third-party trackers. If we added Google Analytics tomorrow, the consent banner would need to expand to give users meaningful choice.
4. A way for people to ask what you have on them, and to delete it
POPIA gives every data subject (the person whose information you have) the right to ask:
- What personal information you hold on them
- What you are using it for
- Who you have shared it with
- To correct anything that is wrong
- To delete it
This doesn’t need a fancy portal. A clearly published email address (for example a dedicated privacy mailbox on your own domain) that you commit to responding to within a reasonable window (usually 30 days for POPIA requests) is enough. The mistake is not having any visible mechanism – or having one and ignoring the emails that come in.
The four things almost no SME needs to worry about
1. Registering an Information Officer
Many SME owners think registering an Information Officer is a large project. Strictly speaking, every business has an Information Officer by default (the CEO or equivalent). Formal registration through the Regulator’s online portal was postponed several times before going live, and the Regulator expects it to be done, but the registration itself is a short form. What actually protects you day to day is naming the person in your Privacy Policy and being prepared to handle requests when they arrive.
2. Hiring a Data Protection Officer
The DPO concept is largely a GDPR construct that has no direct equivalent in POPIA. Unless you are a large organisation handling sensitive data at scale, you don’t need a dedicated person.
3. Building a full consent management platform (CMP)
The big-vendor consent platforms (OneTrust, Cookiebot, TrustArc) are built for enterprise sites with dozens of trackers and global compliance requirements. For an SME marketing website with one or two analytics tools, they are overkill and often introduce more legal risk (by being misconfigured) than they solve.
A clean, simple cookie notice that genuinely reflects what your site does is better than a complex banner that nobody understands.
4. Adding a “POPIA badge” to your footer
There is no official POPIA compliance badge. Any badge you see on the internet is either decorative or sold by a private compliance company. Putting one on your site doesn’t help your compliance and might confuse visitors. Skip it.
The most common mistakes we see
Across the dozens of South African marketing sites we audit each year, the consistent problems are:
- No Privacy Policy at all. Surprisingly common. Including on sites belonging to professional services firms that should know better.
- A Privacy Policy that mentions GDPR but not POPIA. This almost always means the policy was copy-pasted from a US or EU template without adaptation.
- Forms with no consent checkbox. Or worse, a pre-ticked one.
- Cookie banners that do nothing. A banner that says “we use cookies, click to accept” but loads all tracking before you’ve clicked. Functionally non-compliant.
- No visible contact for data requests. No email, no name, no mechanism for a data subject to exercise their rights.
- Newsletter signups that immediately send marketing without confirmation. Double opt-in (where the user confirms via email before being added) is best practice and recommended for POPIA.
None of these are hard to fix. Most of them take a few hours of work. The longer they sit unfixed, the bigger the exposure – not because the regulator is hunting SMEs (they aren’t), but because the first time someone reports your site, you will be on the back foot.
How we build this on every site
For sites we build, the POPIA baseline is non-negotiable. We include:
- A custom-written Privacy Policy reflecting what the specific site collects and does
- Explicit consent checkboxes on every form, with logging
- A minimal, accurate cookie/privacy notice
- An email or form for data subject requests
- A documented data retention policy (how long form submissions are kept, when they are deleted)
It adds about half a day to a website project. It is the cheapest insurance you can buy against ending up in a compliance investigation.
What about cookies from embedded services?
If your site embeds YouTube videos, social media feeds, Calendly forms, Intercom chat, or anything else from a third party, those embeds usually set their own cookies. You are responsible for disclosing them and, for tracking ones, getting consent.
Two practical approaches:
- Privacy-preserving embed alternatives. YouTube has a “privacy-enhanced mode” (youtube-nocookie.com) that doesn’t set tracking cookies until the user plays the video. Most major platforms have similar options. Use them by default.
- Click-to-load. Instead of embedding the live widget, show a placeholder and only load the third-party content when the user clicks it. Requires more work but eliminates the consent question for visitors who never click.
For most SME sites, switching YouTube embeds to nocookie mode and not embedding aggressive trackers (Facebook pixel, Hotjar, full Google Analytics) handles the bulk of the issue without needing a complex consent platform.
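The “cookie banner that does nothing” failure listed above, the two embed approaches just described and the Network-tab check in the audit further down all come down to one rule: nothing that tracks individuals should be requested until the visitor has chosen. The following is an added example (not Creature of Habit’s code) of how a small site can enforce that in the browser: a script catalogue tagged by category, a loader that injects only what the stored consent allows, a rewrite of YouTube URLs to the privacy-enhanced domain, and a click-to-load placeholder for other embeds. The catalogue entries and their example.* domains, the storage key and the sample video ID are assumptions.

```javascript
// Added example, not Creature of Habit's code. The script catalogue, category
// names, CONSENT_KEY and the sample video ID are assumptions for illustration.

const CONSENT_KEY = "cookie-consent"; // assumed localStorage key

// Every third-party script is tagged with a category. Only "functional" scripts
// may load before the visitor has chosen; everything else waits for consent.
const SCRIPT_CATALOGUE = [
  { id: "site-search", category: "functional", src: "/js/search.js" },
  { id: "analytics",   category: "analytics",  src: "https://analytics.example/script.js" },
  { id: "ad-pixel",    category: "marketing",  src: "https://ads.example/pixel.js" },
];

// Pure decision: which catalogue entries may load for a given consent state.
// `consent === null` means no choice has been recorded yet.
function scriptsAllowed(consent, catalogue = SCRIPT_CATALOGUE) {
  return catalogue.filter(
    (s) => s.category === "functional" || (consent !== null && consent[s.category] === true),
  );
}

// Reads the recorded choice; anything missing or unreadable counts as "no choice".
function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;
  } catch {
    return null;
  }
}

// Records the banner choice with a timestamp, e.g. { analytics: true, marketing: false }.
function saveConsent(storage, choice) {
  storage.setItem(CONSENT_KEY, JSON.stringify({ ...choice, at: new Date().toISOString() }));
}

// Rewrites a YouTube watch, short-link or embed URL to the privacy-enhanced
// domain. Throws on anything that is not a recognisable YouTube video URL.
function toPrivacyEnhancedEmbed(url) {
  const u = new URL(url);
  let id = null;
  if (u.hostname === "youtu.be") {
    id = u.pathname.slice(1);
  } else if (/(^|\.)youtube(-nocookie)?\.com$/.test(u.hostname)) {
    if (u.pathname.startsWith("/embed/")) id = u.pathname.split("/")[2];
    else if (u.pathname === "/watch") id = u.searchParams.get("v");
  }
  if (!id || !/^[\w-]{11}$/.test(id)) throw new Error("not a recognised YouTube URL");
  return `https://www.youtube-nocookie.com/embed/${id}`;
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Click-to-load: the page ships a placeholder button carrying the embed URL;
// nothing from the third party is requested until the visitor clicks it.
function placeholderHtml(embedUrl, label) {
  return `<button class="embed-placeholder" data-embed="${escapeHtml(embedUrl)}">` +
    `${escapeHtml(label)}</button>`;
}

// Browser glue. Injects only the scripts the stored consent allows; call it
// again from the banner's buttons after saveConsent() to load newly allowed ones.
function applyConsent(doc, storage) {
  for (const s of scriptsAllowed(readConsent(storage))) {
    if (doc.getElementById(s.id)) continue; // already injected
    const el = doc.createElement("script");
    el.id = s.id;
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
  }
}

// Swaps a placeholder for its iframe the moment the visitor clicks it.
function wireClickToLoad(doc) {
  doc.addEventListener("click", (e) => {
    const btn = e.target.closest("button.embed-placeholder");
    if (!btn) return;
    const frame = doc.createElement("iframe");
    frame.src = btn.dataset.embed;
    frame.width = "560";
    frame.height = "315";
    frame.allowFullscreen = true;
    btn.replaceWith(frame);
  });
}

if (typeof document !== "undefined") {
  applyConsent(document, localStorage);
  wireClickToLoad(document);
}
```

Because the decision lives in `scriptsAllowed`, the audit step is mechanical: load the page in an incognito window and the Network tab should show nothing from the analytics or marketing entries until the banner has been answered. The placeholder produced by `placeholderHtml(toPrivacyEnhancedEmbed(url), "Play video")` is what the page serves instead of the live iframe.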
A 30-minute audit you can do yourself
Spend half an hour on your own site:
- Open the footer. Is there a Privacy Policy link?
- Open the Privacy Policy. Does it mention POPIA specifically? Is it about your business?
- Open every form on the site. Is there a consent checkbox? Is it required, unchecked by default, and in plain language?
- Open the site in an incognito window with browser developer tools. Look at the Network tab. What third-party scripts load before you’ve consented to anything? Is that defensible?
- Try to find an email address or contact mechanism for data requests. Can you?
If any of these are missing or broken, you have a fix list. None of the fixes are big projects – an afternoon of focused work clears most of them.
If you want a quick POPIA audit of your existing site, send the URL through. We do short audits as part of any new website conversation, and we have done standalone ones for clients we never ended up building for.