POPIA and Cookie Consent: What South African Website Owners Need to Know
If you run a website that targets or serves South African users, the Protection of Personal Information Act (POPIA) has implications for how you collect and use cookie data. This article walks through what the Act says about cookies, what the Information Regulator's guidance covers, and what a reasonable compliance approach looks like in practice.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What Are Cookies, and Why Does POPIA Care?
Cookies are small text files placed on a visitor's device when they browse your website. Depending on their purpose, cookies can collect personal information — IP addresses, browsing behaviour, device identifiers, and more. Under POPIA, "personal information" is defined broadly enough to include any information that can identify a natural person, directly or indirectly. That means many common cookie uses fall squarely within POPIA's scope.
When your website places a cookie that collects or processes personal information, you become a "responsible party" under POPIA, and the person visiting your site is a "data subject." This relationship triggers a range of obligations.
---
The Core POPIA Principles That Apply to Cookies
Lawful basis for processing (POPIA section 11)
POPIA section 11 sets out the grounds on which personal information may be processed. For most cookie-based data collection, the relevant grounds are:
- Consent — the data subject has agreed to the processing for a specific purpose.
- Legitimate interest — processing is necessary for a legitimate interest of the responsible party or a third party, provided it does not unduly infringe the data subject's rights.
For analytics, advertising, or tracking cookies, consent is generally the most straightforward basis to rely on, because it is the clearest to demonstrate and the easiest to document. POPIA section 11 also gives data subjects the right to object to processing under section 11(3), which your cookie implementation should accommodate.
Collection for a specific, defined purpose (POPIA section 13)
POPIA section 13 requires that personal information be collected for a specific, explicitly defined, and lawful purpose. Vague cookie notices that say only "we use cookies to improve your experience" are unlikely to satisfy this requirement. Each category of cookie — analytics, functional, advertising — should be described with its actual purpose.
Retention limits (POPIA section 14)
POPIA section 14 addresses how long personal information may be retained. Cookie lifespans should align with the purpose for which the data was collected. A session cookie that expires at the end of a browser session is easy to justify; a tracking cookie with a two-year lifespan requires a clearer case for why that duration is necessary.
Notifying users when you collect their data (POPIA section 18)
POPIA section 18 requires responsible parties to notify data subjects at or before the time of collection about, among other things, who is collecting their data, the purpose of collection, whether the information will be passed to third parties, and data subjects' rights. A cookie notice or privacy policy is the typical mechanism for meeting this obligation — but the information must be genuinely informative, not boilerplate.
Security safeguards (POPIA section 19)
POPIA section 19 requires reasonable security measures to protect personal information against loss, damage, or unauthorised access. This applies to cookie data too. If your website uses third-party analytics or advertising platforms, you should assess how those platforms store and protect the data collected.
Transfers outside South Africa (POPIA section 72)
Many popular analytics and advertising tools — including those from US-headquartered providers — transfer data outside South Africa. POPIA section 72 imposes conditions on such transfers. Before cookie data leaves South Africa, the recipient country or organisation should offer an adequate level of protection, or other conditions set out in section 72 should be met. This is a commonly overlooked requirement when embedding third-party scripts.
---
What a Reasonable Cookie Consent Implementation Looks Like
Based on the principles above and the Information Regulator's published guidance at inforegulator.org.za, a reasonable approach to POPIA-aligned cookie consent typically includes the following elements:
- A clear, prominent cookie notice presented before non-essential cookies are placed — not buried in a footer or triggered only after the user has already browsed several pages.
- Granular consent options that let users accept or decline cookies by category (for example: strictly necessary, analytics, marketing). Bundling consent for all cookies into a single "accept all" is problematic where different cookies have different purposes.
- An equally easy way to decline as to accept. Pre-ticked boxes or accept-only banners are inconsistent with genuine consent under POPIA section 11.
- Documentation of consent so that if the Information Regulator or a data subject asks whether consent was given, you have a record. POPIA section 17 addresses the documentation of processing activities more broadly.
- A link to your privacy policy from the cookie notice, setting out the full section 18 notification information.
- A mechanism for users to withdraw consent at any time — typically a cookie settings panel accessible from the footer.
- Review of third-party scripts to identify which ones transfer data outside South Africa, so that section 72 conditions can be addressed.
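The elements above, in working form, as an added example that is not from this article or from the Regulator's guidance: a small browser-side consent module that defaults every non-essential category to "off", loads a third-party script only once its category has been consented to, records when consent was given, and supports withdrawal. The script registry, the storage key and the script URLs are assumed placeholders.

```javascript
// Added example (not from the article): a category-gated cookie consent module.
// Script registry, storage key and URLs are hypothetical.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const STORAGE_KEY = "popia_cookie_consent"; // assumed key name
// Hypothetical third-party scripts, tagged by the purpose category they serve.
const SCRIPT_REGISTRY = [
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
// Build a consent record from per-category choices. "necessary" is always on (no
// opt-in needed); every other category defaults to false, so an unanswered banner
// or a missing key never counts as consent (no pre-ticked boxes).
function buildConsentRecord(choices, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = c === "necessary" || choices[c] === true;
  return { version: 1, decidedAt: new Date(now).toISOString(), categories };
}

// Withdrawal keeps the record as an audit trail but switches every non-essential
// category off and stamps when that happened.
function withdrawConsent(record, now = Date.now()) {
  const categories = { ...record.categories };
  for (const c of CATEGORIES) if (c !== "necessary") categories[c] = false;
  return { ...record, categories, withdrawnAt: new Date(now).toISOString() };
}

// Parse a stored record defensively; anything malformed is treated as "no consent".
function parseConsentRecord(raw) {
  try {
    const r = JSON.parse(raw);
    return r && r.version === 1 && r.categories && typeof r.categories === "object" ? r : null;
  } catch (_e) { return null; }
}

// Only scripts whose category has been consented to may be loaded.
function scriptsToLoad(record, registry = SCRIPT_REGISTRY) {
  if (!record) return [];
  return registry.filter((s) => record.categories[s.category] === true);
}

// Browser wiring: persist the record, then inject only the permitted script tags.
function applyConsent(record, doc = globalThis.document, storage = globalThis.localStorage) {
  if (storage) storage.setItem(STORAGE_KEY, JSON.stringify(record));
  if (!doc) return;
  for (const s of scriptsToLoad(record)) {
    const el = doc.createElement("script"); el.src = s.src; el.async = true;
    doc.head.appendChild(el);
  }
}
```

On page load, call `applyConsent(parseConsentRecord(localStorage.getItem(STORAGE_KEY)))` so that nothing non-essential runs until a stored, valid record says it may; the withdrawal path from the settings panel is `applyConsent(withdrawConsent(current))`.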
---
Strictly Necessary Cookies: A Different Position
Not all cookies require prior consent. Cookies that are strictly necessary for the website to function — for example, session cookies that keep a user logged in, or a cookie that remembers items in a shopping cart — are generally considered to fall under a functional or legitimate interest basis rather than requiring active opt-in consent. However, users should still be informed about them in your privacy policy and cookie notice.
---
The Information Officer's Role
Under POPIA section 55, every responsible party must have a registered Information Officer who is accountable for POPIA compliance across the organisation. Cookie consent policy is part of that accountability. If your website is operated by a business, the Information Officer should review and sign off on your cookie implementation, not just the development team.
---
Practical Next Steps
- Review every script and plugin on your website and categorise the cookies it sets.
- Check whether each cookie category needs consent and whether your current notice provides it clearly.
- Confirm whether any third-party tools transfer data outside South Africa and review the conditions under POPIA section 72.
- Update your privacy policy to include the section 18 notification information specific to cookies.
- If in doubt about your obligations, consult a qualified attorney with POPIA experience.
The Information Regulator publishes guidance, codes of conduct, and enforcement notices at inforegulator.org.za — this is the primary reference point for understanding how the Regulator interprets POPIA requirements.
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including your specific cookie implementation, third-party vendors, and cross-border data flows — consult a qualified attorney.