POPI: The Entrance Hallway to your Website
The Protection of Personal Information Act (aka the POPI Act) sets conditions for the lawful processing of personal information. Certain sections of the act came into effect on 1 July 2020, with other sections commencing on 30 June 2021 (you may read more about this – from a legal expert’s standpoint – here).
Your website can be likened to the front door of your business since it’s often the first stop users make to learn more about your product or service offering. Once they enter this ‘door’, and step into the entrance hallway, it is important that they are informed of your website’s compliance with a number of laws. From a South African perspective there are various laws governing all websites (not just eCommerce websites) including the:
- Electronic Communications and Transactions Act 25 of 2002 (ECT Act);
- Consumer Protection Act 2008 (CPA);
- Promotion of Access to Information Act 2013 (PAI);
- Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RIC Act);
- Companies Act 2008;
- Value Added Tax Act; and
- Protection of Personal Information Act of 2013
The above excludes industry specific legislation that may also be applicable to your business and website. Certain of these laws not only tell you what terms and conditions and other information need to be disclosed on your website, but also the manner in which reference to your website’s terms and conditions (T&Cs) must be presented and how it should be made available to the user.
According to this article by My Office Magazine: ‘‘Whilst many websites in South Africa have had privacy notices in the past, the need for these and what they say has become clearer with the POPI Act.’’
Company websites need a POPI Policy to:
- give effect to the constitutional right to privacy in terms of safeguarding personal information when processed (for example: when collecting user data on website forms);
- regulate in which manner personal information may be processed;
- comply with the requirements for the processing of personal information;
- provide the rights and remedies to persons in order to protect their personal information when processing personal information; and
- establish compulsory and voluntary measures as regulated by the Information Regulator.
What happens if your website is not compliant?
Not only does POPI have widespread implications for the content of most organisations’ websites, non-compliance can also see company websites facing fines of up to R10 million for each breach, whilst their executives could be jailed for ten years.
Less serious offences, such as hindering an official in the execution of a search and seizure warrant are penalised at the maximum of a fine or imprisonment for a period not exceeding 12 months or both.
At first glance, it appears that these penalties more directly affect the “persons” behind the website and business. However, the Information Regulator’s investigations into non-compliance could result in the total shut down of your business for a number of days if not weeks. Consequently, the R10 million fine levied against website owners, is not necessarily the only financial impact on a business – in fact it could only be the tip of the iceberg.
What are the benefits of being compliant?
The most significant benefit of being compliant is, apart from not being liable for penalties or possible prosecution, that it is the first step in building a trusted relationship with customers.
Apart from dodging penalties or possible prosecution, your customers will have increased satisfaction and will be more likely to engage with your business if they know their personal data will be kept safe and secure.
2. Improved quality of data
In an effort to achieve compliance, many organisations will need to analyse and review their databases, in order to ensure that no personal details are included on correspondence to unauthorised parties. These organisations can therefore also update databases to ensure that all consumer and stakeholder information is correct and relevant.
3. Competitive advantage
For technology-based companies such as cloud service providers, the ability to guarantee privacy and compliance for their customers can be leveraged as a differentiator and a driver of competitive advantage. Protection of personal information is highly valued by customers, and organisations that can assure customers that their information is secure will attract more customers.