What is POPI and what does it mean for me and my business?

Photo by KT

South Africa’s Protection of Personal Information Act, otherwise known as the POPI Act or POPIA, became enforceable on July 1st, 2021, much to many people’s alarm. We are by no means experts on the topic, but, in wrapping our heads around it and understanding how it intersects with our work, we came across some useful resources which we thought we’d share with you to help you get a sense of what it means for you and your business.

What is POPI and what does it mean for me and my businessThe greatest misconception around POPI is that it only relates to your website and online communications when, in fact, it is a company-wide policy and involves all members of your organisation. Its purpose is to protect people from harm by protecting their personal information. Information that could see their money and/or identity stolen. Protecting this information is also vital to upholding everyone’s fundamental human right to privacy. As Blake Mudehwe eloquently summarises: “It governs when and how organisations collect, use, store, delete and otherwise handle personal information.”

The best place to start is to read POPIA itself. The team at Michalsons have summarised it in the form of an easy-to-use website. They’ve also produced a really useful slideshow, which you can access for free here.

In terms of how it directly affects our work with clients, there are two key areas: websites and mailers.

For your website, you must make your privacy policy and cookie policy clearly visible. If you haven’t already drafted these policies, or if they haven’t been updated in a while, there are some great resources that can help you. pop.law, have created a great POPI checklist and offer several POPI consult packages, which all include a bespoke privacy policy. Michalsons’ website is also full of useful guidance.

Your cookie policy works alongside your privacy policy. Its purpose is to describe what cookies are, what your websites uses them for, and how users can manage them during their use of your site. Once you have these policies finalised, be sure to add them to your website and make them clearly visible on every page, either in your header, footer or a popup.

Mailers, and similar communication forms, are perhaps the most affected by POPI. Section 69(3) says you may only communicate via electronic means (call, fax, SMS or email) with individuals if you:

  • obtain their details in the context of a sale of products or services; and
  • market your own similar goods or services.

In addition to this, you can only market to such individuals if you allow them to object:

  • when you collect their personal information; and
  • on each communication that you contact them (for example the option to unsubscribe on mailers).

It’s also advisable to remove any and all contacts who you have no clear record of opting in, as this would be required if someone chooses to report your communications and take you to court.

In theory, POPI is a great, overdue law in South Africa. For context, according to Truecaller, South Africans experience some of the highest levels of spam calls in the world. We’ve already noticed in our team a drastic decrease in the number of unsolicited calls and messages since July 1st. However it’s not strictly limited to those pesky insurance companies any more – you and your business have to adhere to the rules too. Fortunately this shouldn’t feel too hard to do now.

If you’d like help putting the policies on your website once they’re drafted, we’re only a call or email away.