POPIA for E-Commerce: What South African Online Stores Need to Know
Running an online store in South Africa means handling a constant stream of personal information — names, email addresses, delivery addresses, payment details, and browsing behaviour. The Protection of Personal Information Act (POPIA) sets out how that information must be collected, stored, used, and protected. This post walks through the key areas SA online retailers should understand.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
POPIA and the ECT Act: Two Laws, One Online Store
Online retailers in South Africa operate under at least two overlapping frameworks. The Electronic Communications and Transactions Act (ECT Act) governs the mechanics of doing business online — consumer disclosures, website terms, and electronic contracts. POPIA governs what happens to the personal information collected during those transactions. The two acts complement each other: the ECT Act tells you how to conclude a valid online sale; POPIA tells you what you may do with the customer data that sale generates.
The Information Regulator is the authority responsible for enforcing POPIA. Their guidance and published resources are available at inforegulator.org.za.
---
The Eight Conditions for Lawful Processing
POPIA section 8 establishes eight conditions that apply to any processing of personal information. For an e-commerce context, these conditions translate into practical obligations across your entire customer journey — from the moment a visitor lands on your product page to the moment you delete their records.
The eight conditions cover: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Each one has day-to-day implications for how your store collects and handles data.
---
Collecting Customer Data: Have a Lawful Basis
POPIA section 11 requires that personal information be processed on a recognised lawful basis. For most e-commerce transactions, the lawful basis is one of the following:
- Contract — processing is necessary to fulfil the order a customer has placed.
- Consent — the customer has freely and specifically agreed to a use of their data beyond what is strictly needed for the transaction (for example, subscribing to a newsletter).
- Legitimate interest — in some circumstances, a retailer may have a legitimate interest in processing, provided it does not override the customer's rights.
Section 11(3) gives customers the right to object to processing based on legitimate interest. Your privacy policy and preference centre should make it easy for customers to exercise that right.
POPIA section 13 requires that personal information be collected for a specific, explicitly defined, and lawful purpose. Collecting a delivery address to ship an order is a clear, defined purpose. Collecting that same address to sell to a third-party data broker is not compatible with why the customer provided it.
---
Tell Customers What You Are Collecting
POPIA section 18 requires that when you collect personal information, you notify the data subject. For an online store, this notification obligation is typically met through a clear, accessible privacy notice that explains:
- Who is collecting the information (your business details and your registered Information Officer).
- What information is being collected.
- Why it is being collected (the purpose).
- Whether providing the information is voluntary or mandatory.
- Whether the information will be shared with third parties (couriers, payment gateways, email platforms).
- The data subject's rights, including the right of access (section 23) and the right to request correction (section 24).
A dense, legalese-heavy privacy policy buried in the footer does not adequately fulfil this obligation. The Information Regulator's guidance emphasises that notices should be understandable.
---
Marketing Emails and Opt-In Requirements
If your store sends promotional emails, POPIA section 69 applies. Section 69 permits direct marketing by electronic communication (email, SMS) only where the recipient has opted in, or where there is an existing customer relationship and the marketing relates to similar products — and even then, an easy opt-out must be provided.
This means pre-ticked newsletter boxes, bought email lists, and automatically subscribing customers who make a purchase are all problematic under POPIA section 69. Your email marketing platform should maintain a clear record of how and when each subscriber consented.
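The section 69 rule above is a decision that a store's marketing system makes for every send, so it is worth having it in code together with the consent record it depends on. The following is an added example, not code from the original article or from any marketing platform: it keeps, per subscriber, how and when consent was captured, treats a pre-ticked box or a bought list as no consent at all, and otherwise permits a send only on the existing-customer-and-similar-products ground. The subscriber data, the `ConsentSource` categories and the product categories are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Set, Tuple


class ConsentSource(Enum):
    """How the opt-in was captured. Only a box the customer ticked themselves counts."""
    SIGNUP_FORM = "signup_form"                 # unticked box, ticked by the customer
    CHECKOUT_PRETICKED = "checkout_preticked"   # pre-ticked at checkout: not a valid opt-in
    PURCHASED_LIST = "purchased_list"           # bought list: not a valid opt-in
    NONE = "none"                               # no marketing consent recorded


VALID_OPT_IN_SOURCES = {ConsentSource.SIGNUP_FORM}


@dataclass
class Subscriber:
    email: str
    consent_source: ConsentSource
    consented_at: Optional[datetime]            # "when" part of the consent record
    opted_out_at: Optional[datetime] = None     # set when the customer uses the opt-out
    purchased_categories: Set[str] = field(default_factory=set)  # existing relationship


@dataclass
class Campaign:
    name: str
    product_category: str


def direct_marketing_decision(sub: Subscriber, campaign: Campaign) -> Tuple[bool, str]:
    """Return (allowed, reason) for one subscriber and one campaign.

    Order of checks mirrors section 69: an opt-out always wins, then a genuine
    opt-in, then the existing-customer / similar-products ground.
    """
    if sub.opted_out_at is not None:
        return False, f"opted out at {sub.opted_out_at.isoformat()}"
    if sub.consent_source in VALID_OPT_IN_SOURCES and sub.consented_at is not None:
        return True, (f"explicit opt-in via {sub.consent_source.value} "
                      f"at {sub.consented_at.isoformat()}")
    if campaign.product_category in sub.purchased_categories:
        return True, (f"existing customer; campaign '{campaign.name}' relates to "
                      f"previously purchased category '{campaign.product_category}'")
    return False, "no valid opt-in and no existing relationship for this product category"


def build_send_list(subscribers: List[Subscriber], campaign: Campaign,
                    audit_log: List[dict]) -> List[str]:
    """Filter subscribers for a campaign and record every decision in the audit log."""
    recipients = []
    for sub in subscribers:
        allowed, reason = direct_marketing_decision(sub, campaign)
        audit_log.append({"email": sub.email, "campaign": campaign.name,
                          "allowed": allowed, "reason": reason})
        if allowed:
            recipients.append(sub.email)
    return recipients


# Constructed sample data for the example.
TS = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_SUBSCRIBERS = [
    Subscriber("a@example.com", ConsentSource.SIGNUP_FORM, TS),
    Subscriber("b@example.com", ConsentSource.CHECKOUT_PRETICKED, TS),
    Subscriber("c@example.com", ConsentSource.NONE, None, purchased_categories={"footwear"}),
    Subscriber("d@example.com", ConsentSource.NONE, None, purchased_categories={"kitchenware"}),
    Subscriber("e@example.com", ConsentSource.SIGNUP_FORM, TS, opted_out_at=TS),
]
SAMPLE_CAMPAIGN = Campaign("Trail shoe launch", "footwear")


if __name__ == "__main__":
    log: List[dict] = []
    print(build_send_list(SAMPLE_SUBSCRIBERS, SAMPLE_CAMPAIGN, log))
    for entry in log:
        print(entry)
```

The audit log is the part a store would actually need to show the Information Regulator: each entry records which ground (opt-in with source and timestamp, or existing relationship) justified a send, and each refusal says why.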
---
Securing Customer Data
POPIA section 19 requires that you take appropriate, reasonable technical and organisational measures to secure the personal information you hold. For online retailers, this typically means:
- Ensuring your website runs over HTTPS.
- Using a reputable, PCI-DSS-compliant payment gateway rather than storing card data yourself.
- Applying access controls so only staff who need customer data can reach it.
- Keeping software, plugins, and platforms patched and up to date.
If a security compromise does occur, POPIA section 22 requires that you notify both the Information Regulator and the affected data subjects as soon as reasonably possible. Breach notification is not optional — and delay can increase regulatory exposure.
---
How Long Can You Keep Customer Records?
POPIA section 14 addresses retention. Personal information may not be kept for longer than is necessary for the purpose for which it was collected, unless a law (such as a tax or accounting requirement) obliges you to retain it for a specified period, or the data subject has consented to a longer retention.
In practice, this means having a documented retention schedule. Order records may need to be kept for a number of years to satisfy SARS requirements (see sars.gov.za); marketing preference records should be reviewed and pruned regularly.
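A documented retention schedule only helps if something enforces it, so here is an added example (not code from the original article) of the section 14 logic as a function: each purpose has its own retention period, a statutory hold can extend it, and a data subject's consent to longer retention can extend it further. The purposes, periods and the tax-hold length are assumptions for the example; the article does not state the SARS period, so `ASSUMED_TAX_RETENTION_YEARS` is a placeholder to be replaced with the figure your accountant confirms.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Placeholder: the statutory record-keeping period is not stated in the article.
ASSUMED_TAX_RETENTION_YEARS = 5


@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    retain_days: int                        # how long the purpose itself needs the data
    legal_hold_days: Optional[int] = None   # statutory minimum that overrides the purpose period
    legal_hold_source: str = ""


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    consented_until: Optional[date] = None  # data subject agreed to longer retention


# Assumed schedule for the example; every period here is illustrative.
SCHEDULE: Dict[str, RetentionRule] = {
    "order_fulfilment": RetentionRule(
        "order_fulfilment", retain_days=90,
        legal_hold_days=ASSUMED_TAX_RETENTION_YEARS * 365,
        legal_hold_source="tax record-keeping (placeholder period)"),
    "marketing_preferences": RetentionRule("marketing_preferences", retain_days=365),
    "abandoned_cart": RetentionRule("abandoned_cart", retain_days=30),
}


def retention_decision(record: Record, today: date,
                       schedule: Dict[str, RetentionRule] = SCHEDULE) -> Tuple[str, str]:
    """Return ('retain' | 'delete' | 'review', reason) for one record.

    The keep-until date is the latest of: purpose period, legal hold, consented
    extension. A purpose with no rule is flagged for review rather than kept silently.
    """
    rule = schedule.get(record.purpose)
    if rule is None:
        return "review", f"no retention rule for purpose '{record.purpose}'"

    keep_until = record.collected_on + timedelta(days=rule.retain_days)
    reason = "purpose period"
    if rule.legal_hold_days is not None:
        hold_until = record.collected_on + timedelta(days=rule.legal_hold_days)
        if hold_until > keep_until:
            keep_until, reason = hold_until, f"legal hold: {rule.legal_hold_source}"
    if record.consented_until is not None and record.consented_until > keep_until:
        keep_until, reason = record.consented_until, "data subject consented to longer retention"

    if today > keep_until:
        return "delete", f"retention expired on {keep_until} ({reason})"
    return "retain", f"until {keep_until} ({reason})"


# Constructed sample records for the example.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("order-1001", "order_fulfilment", date(2020, 1, 1)),
    Record("cart-77", "abandoned_cart", date(2024, 4, 1)),
    Record("pref-5", "marketing_preferences", date(2022, 1, 1), consented_until=date(2030, 1, 1)),
    Record("misc-9", "support_chat_transcript", date(2023, 1, 1)),
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, why = retention_decision(rec, TODAY)
        print(f"{rec.record_id:12} {action:7} {why}")
```

Running it over the sample records shows the order kept well past its 90-day purpose period because of the hold, the abandoned cart deleted after 30 days, the marketing preference kept on the strength of the consented extension, and the unmapped purpose surfaced for review.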
---
Sharing Data with Third Parties
Most online stores share customer data with third parties: courier companies receive delivery addresses, payment gateways receive transaction data, and email platforms hold subscriber lists. POPIA requires that these operators (processors) are contractually bound to handle the data only as instructed and to apply security safeguards equivalent to your own obligations.
If any of those third parties are located outside South Africa, POPIA section 72 requires that the cross-border transfer only takes place if the recipient country or recipient organisation provides an adequate level of protection — broadly comparable to POPIA's own standard.
---
Appoint an Information Officer
Every organisation that processes personal information under POPIA is required to have a registered Information Officer. POPIA section 55 sets out the duties of this role, which include ensuring compliance, dealing with data subject requests, and acting as the primary contact with the Information Regulator. For most SMEs, the Information Officer is the owner or a senior manager. Registration is done through the Information Regulator's online portal at inforegulator.org.za.
---
A Practical Starting Checklist
Based on the requirements described above, online retailers may find it useful to work through the following:
- Privacy notice — Is it visible, plain-language, and complete per section 18?
- Lawful basis — Is there a documented lawful basis for each type of data you collect?
- Marketing opt-in — Are email and SMS subscribers genuinely opted in per section 69?
- Security measures — Are your technical safeguards documented and regularly reviewed per section 19?
- Breach response plan — Do you have a procedure for notifying the Regulator and customers per section 22?
- Retention schedule — Do you know when customer records are deleted?
- Operator agreements — Are your courier, payment, and marketing platform contracts POPIA-compliant?
- Information Officer — Have you registered with the Information Regulator?
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including how POPIA interacts with the ECT Act for your particular store — consult a qualified attorney.
*Sources: Information Regulator (South Africa) · POPIA full text, Government Gazette · ECT Act, Government Gazette · SARS record-keeping guidance*