POPI: The entrance hallway to your website
The Protection of Personal Information Act (aka the POPI Act) sets conditions for the lawful processing of personal information. Certain sections of the act came into effect on 1 July 2020, with other sections commencing on 30 June 2021 (you may read more about this – from a legal expert’s standpoint – here).
Your website can be likened to the front door of your business since it’s often the first stop users make to learn more about your product or service offering. Once they enter this ‘door’, and step into the entrance hallway, it is important that they are informed of your website’s compliance with a number of laws. From a South African perspective there are various laws governing all websites (not just eCommerce websites) including the:
- Electronic Communications and Transactions Act 25 of 2002 (ECT Act);
- Consumer Protection Act 68 of 2008 (CPA);
- Promotion of Access to Information Act 2 of 2000 (PAIA);
- Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RICA);
- Companies Act 71 of 2008;
- Value-Added Tax Act 89 of 1991; and
- Protection of Personal Information Act 4 of 2013 (POPIA).
The above excludes industry-specific legislation that may also apply to your business and website. Some of these laws not only outline which terms and conditions and other information must be disclosed on your website, but also how the reference to your website’s terms and conditions (Ts&Cs) must be presented and how they must be made available to the user.
According to this article by My Office Magazine: ‘‘Whilst many websites in South Africa have had privacy notices in the past, the need for these and what they say has become clearer with the POPI Act.’’
Company websites need a POPI Policy to:
- give effect to the constitutional right to privacy in terms of safeguarding personal information when processed (for example: when collecting user data on website forms);
- regulate in which manner personal information may be processed;
- comply with the requirements for the processing of personal information;
- give persons rights and remedies to protect their personal information when it is processed; and
- establish compulsory and voluntary measures as regulated by the Information Regulator.
- The data subject must expressly OPT IN (i.e., no pre-ticked check boxes with “I want your newsletter”, etc.); silence or a default setting is not consent.
- Recipients must be able to unsubscribe (opt out) from the marketing database, and every message must tell them how.
- In South Africa every responsible party must have an information officer (by default the head of the organisation), registered with the Information Regulator, for compliance purposes.
- The POPIA Regulations prescribe “Form 4” for consent to receive direct marketing by electronic communication. You don’t have to use this exact format but do need to ensure that it is substantially the same as Form 4. Essentially, you must:
> identify the data subject (the person or business whose information you are collecting);
> identify the responsible party (the person or business collecting or processing the data) and provide their contact details;
> identify the person designated to sign for the responsible party;
> enable the data subject to consent to receive direct marketing for specified goods or services by specified methods of electronic communication; and
> get both the person designated by the responsible party and the data subject to sign.
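The opt-in and unsubscribe rules above are only as good as the server-side code that enforces them: a form can be tampered with, and an unticked box sends nothing at all. The following is an added example (not code from the original article or from any legal source) showing how a web back end can refuse anything but an affirmative opt-in, keep a consent record carrying the Form 4 elements (data subject, responsible party and contact, signatory, specified goods or services, specified channels), and honour an unsubscribe immediately. The field names, the consent token, the allowed channels and the sample submissions are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# The only value the server accepts as an opt-in. The checkbox is rendered
# unticked, so a normal submission without it sends no field at all; an
# empty string, "on", "true" or anything else is rejected as well. This is
# an assumed convention for the example, not a POPIA requirement.
CONSENT_TOKEN = "i-consent"
ALLOWED_CHANNELS = {"email", "sms"}  # assumed electronic channels for this example


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event, keeping the elements Form 4 asks for."""
    data_subject: str                  # who consented (here: their e-mail address)
    responsible_party: str             # who collects/processes the data
    responsible_party_contact: str     # how to reach the responsible party
    signatory: str                     # person designated to sign for the responsible party
    goods_or_services: Tuple[str, ...] # the *specified* goods/services
    channels: Tuple[str, ...]          # the *specified* electronic methods
    given_at: str                      # UTC timestamp (ISO 8601) of the opt-in


def _csv(value: str) -> Tuple[str, ...]:
    """Split a comma-separated form value into trimmed, non-empty items."""
    return tuple(v.strip() for v in value.split(",") if v.strip())


def capture_consent(form: Dict[str, str], responsible_party: Dict[str, str],
                    now: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Return a ConsentRecord if the submitted form carries an affirmative
    opt-in, otherwise None. Absence of the field is never treated as consent."""
    if form.get("marketing_consent") != CONSENT_TOKEN:
        return None
    subject = form.get("email", "").strip().lower()
    goods = _csv(form.get("goods", ""))
    channels = tuple(c for c in _csv(form.get("channels", "")) if c in ALLOWED_CHANNELS)
    if not subject or not goods or not channels:
        # Consent must be for specified goods/services by specified methods;
        # a blanket or empty selection is not a valid Form 4 style consent.
        return None
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(
        data_subject=subject,
        responsible_party=responsible_party["name"],
        responsible_party_contact=responsible_party["contact"],
        signatory=responsible_party["signatory"],
        goods_or_services=goods,
        channels=channels,
        given_at=stamp,
    )


class MarketingList:
    """Direct-marketing list that only contacts subjects with a live consent
    for the requested channel and honours opt-outs immediately."""

    def __init__(self) -> None:
        self._consents: Dict[str, ConsentRecord] = {}
        self._withdrawn: Dict[str, str] = {}   # data_subject -> withdrawal timestamp

    def subscribe(self, record: ConsentRecord) -> None:
        self._consents[record.data_subject] = record
        self._withdrawn.pop(record.data_subject, None)   # a fresh opt-in supersedes an old opt-out

    def unsubscribe(self, subject: str, now: Optional[datetime] = None) -> bool:
        """Record an opt-out. Returns True if a consent existed to withdraw."""
        subject = subject.strip().lower()
        existed = subject in self._consents
        self._withdrawn[subject] = (now or datetime.now(timezone.utc)).isoformat()
        self._consents.pop(subject, None)
        return existed

    def may_contact(self, subject: str, channel: str) -> bool:
        """True only if the subject opted in and consented to that specific channel."""
        record = self._consents.get(subject.strip().lower())
        return record is not None and channel in record.channels


if __name__ == "__main__":
    # Constructed sample submissions (not real data).
    rp = {"name": "Example Web Co", "contact": "info@example.co.za", "signatory": "A. Officer"}
    ml = MarketingList()
    unticked = {"email": "sam@example.net", "goods": "newsletter", "channels": "email"}
    print(capture_consent(unticked, rp))                  # None: unticked box, no consent
    ticked = dict(unticked, marketing_consent=CONSENT_TOKEN)
    ml.subscribe(capture_consent(ticked, rp))
    print(ml.may_contact("sam@example.net", "email"))     # True
    ml.unsubscribe("sam@example.net")
    print(ml.may_contact("sam@example.net", "email"))     # False
```

The design point is that the client never decides whether consent exists: the server compares the submitted value against one expected token, so a pre-ticked box, a bare `on`, or a missing field all fail closed, and the retained record names the specific goods and channels so a later SMS campaign cannot ride on an e-mail-only consent.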
Global privacy rules and laws:
- This link outlines the various data protection laws by region globally.
- Two laws are most often used as a benchmark: CASL (Canada) and the GDPR (Europe). For global campaigns you will most likely be covered across all regions if you follow these two as a guide, since they are the most thorough, but if you want to be certain you will need to obtain legal advice from a qualified professional in each region.
Watch this highly informative video by Legalese here:
What happens if your website is not compliant?
- Not only does POPI have widespread implications for the content of most organisations’ websites; for the more serious offences, non-compliance can also lead to fines of up to R10 million or imprisonment for up to ten years, or both.
- Less serious offences, such as hindering an official in the execution of a search and seizure warrant, carry a maximum penalty of a fine or imprisonment for a period not exceeding 12 months, or both.
- At first glance these penalties appear to fall on the “persons” behind the website and business. However, an Information Regulator investigation into non-compliance can disrupt your operations for days or even weeks. The R10 million fine is therefore not necessarily the only financial impact on a business; it could be only the tip of the iceberg.
What are the benefits of being compliant?
1. Customer trust
The most significant benefit of being compliant, apart from not being liable for penalties or possible prosecution, is that it is the first step in building a trusted relationship with customers.
Your customers will have increased satisfaction and will be more likely to engage with your business if they know their personal data will be kept safe and secure.
2. Improved quality of data
In an effort to achieve compliance, many organisations will need to analyse and review their databases to ensure that no personal details are sent in correspondence to unauthorised parties. In doing so they can also update those databases so that all consumer and stakeholder information is correct and relevant.
3. Competitive advantage
For technology-based companies such as cloud service providers, the ability to demonstrate privacy and compliance to their customers can be leveraged as a differentiator and a driver of competitive advantage.
Protection of personal information is highly valued by customers, and organisations that can assure customers that their information is secure will attract more customers.
How do I ensure that my website is compliant?
It is very important to us that our clients are aware of the above implications of non-compliance, and to subsequently provide solutions for ensuring compliance with the POPI Act.
Going forward, we will offer website compliance solutions to all of our new clients, and ensure that our existing clients are made aware of the solutions on offer.