With our recent launch in South Africa, Termageddon customers can now activate South Africa’s Protection of Personal Information Act (POPIA) in the Privacy Law Identifier to generate a Privacy Policy that contains the disclosures required by this privacy law. POPIA is a comprehensive privacy law that provides privacy rights to residents of South Africa and requires certain websites to have a Privacy Policy that makes specific disclosures. In this Compliance Guide, we will discuss the following aspects of POPIA:
- Who needs to comply with POPIA;
- How POPIA defines “personal information”;
- The privacy rights provided to residents of South Africa;
- POPIA’s Privacy Policy requirements; and
- Penalties for noncompliance.
Who needs to comply with POPIA
POPIA applies when:
- A business is domiciled in South Africa; or
- A business that is not domiciled in South Africa is processing personal information in South Africa.
As stated above, POPIA can apply to your business even if your business is not located in South Africa. Processing means any operation or set of operations concerning personal information, including collecting, receiving, recording, storing, modifying, or disseminating the personal information. So, if your website is collecting personal information of residents of South Africa (e.g. they can submit your contact form, subscribe to your email list, sign up for an account, or have their information collected through tools such as Meta Pixel or Google Analytics), it is pretty safe to say that you would need to comply with POPIA.
How POPIA defines “personal information”
Since POPIA applies to businesses that process personal information in South Africa, it is important to determine how this privacy law defines “personal information”. POPIA defines “personal information” as information relating to an identifiable, living, and natural person. POPIA states that this definition also includes any identifying number, e-mail address, telephone number, location information, and online identifier of a person. This means that personal information commonly collected through websites such as names, emails, phone numbers, physical addresses, and IP addresses would all qualify as “personal information” under POPIA.
Privacy rights provided to residents of South Africa
POPIA provides the following privacy rights to residents of South Africa:
- The right to confirm whether their personal information is being processed;
- The right to access the personal information a business holds about them;
- The right to request the amendment or correction of their personal information;
- The right to withdraw consent to the processing of their personal information;
- The right to request that the business restrict the processing of their personal information;
- The right to request the deletion of their personal information;
- The right to lodge a complaint about the processing of their personal information with the South Africa Information Regulator;
- The right to opt out of direct marketing; and
- The right to opt out of automated decision making.
POPIA’s Privacy Policy requirements
If your business needs to comply with POPIA, then you will need to have a comprehensive, accurate, and up-to-date Privacy Policy that includes the following disclosures:
- What personal information your website or application collects;
- Where you obtain this information from (e.g. submitted directly by the consumer);
- How you use this information;
- The consequences of not providing this information;
- Whether or not you are required by law to collect this information. If you are required to collect this information by law, then you will be required to disclose the name of that law;
- The categories of personal information that you share with third parties, if any;
- The categories of third parties with whom you share this personal information, if any;
- The list of privacy rights provided to residents of South Africa;
- How individuals can exercise those privacy rights;
- Whether you will transfer personal information outside of South Africa. If you do transfer personal information outside of South Africa, you will also be required to disclose:
  - The country or countries to which personal information is transferred;
  - The protection measures applied to transfers of personal information;
- How individuals can contact you if they have any questions about your privacy practices.
Penalties for noncompliance with POPIA
POPIA is enforced by the South Africa Information Regulator, which can impose fines of up to R10 million (approximately $609,000). In addition, serious offenses can lead to imprisonment of up to 10 years in addition to the fine. For less serious offenses, a fine can be charged, as well as imprisonment of up to 12 months.
Since the fines for violations of POPIA can be very high and because violating the law can lead to imprisonment, you will want to make sure that you comply with this law if you process personal information in South Africa. If you are a customer of Termageddon, you can activate POPIA by going into the Privacy Law Identifier in your account and selecting “yes” to the question “Do you process personal information in South Africa?”. The generator will then ask you the questions needed to create the disclosures for this privacy law and will update your Privacy Policy accordingly once you answer those questions.