What does the POPI Act mean for your E-Commerce Business?

What is The POPI Act?

The Protection of Personal Information Act of 2013 (the POPI Act, also known as POPIA) is legislation introduced to protect the constitutional right to privacy by enforcing rules on how personal information is handled.

According to Section 7(2) of the South African constitution:

“Everyone has the right to privacy, which includes the right not to have: (a) their person or home searched; (b) their property searched; (c) their possessions seized; (d) the privacy of their communications infringed.”


So, what are the penalties for not complying with POPIA?

In general, penalties will be decided on a case-by-case basis, and businesses will be required to pay compensation to Data Subjects for the damages they suffer due to the business’s failure to comply with the POPI Act.

For serious offences, the following penalties will apply:

A fine between R1 million and R10 million or imprisonment between one to ten years in jail.

How Do You Make Your E-commerce Business POPI Compliant?

  1. Assign an Information Officer

An information officer is a person in a company that is tasked with promoting compliance with the conditions of lawful data processing.

The information officer will have the following responsibilities:

  • Encourage adherence to data processing regulations in their company.
  • Address requests from data subjects made to the company.
  • Work with the governmental regulators.


  2. Draft a Privacy Policy.

A Privacy Policy is a document explicitly stating how a website or business collects, handles and processes data.

All websites should have a privacy policy available to users as part of POPI compliance.


  3. Raise awareness amongst all employees.

Ensure employees are aware of the new legislation.

Your organisation is liable for any damages caused by employees who misuse consumer data. Therefore, it’s in your best interest to get all your employees on board with protecting your customers’ data.

  4. Amend contracts with operators.

Once again, your company is liable for any breaches of the POPI Act that third parties, such as your digital marketing agency, make on your behalf. Therefore, it is suggested that you amend your contracts with operators to stipulate their adherence to the Act, so you’re not penalised for their conduct later.

  5. Report data breaches to the regulator and data subjects.

If a data infringement does occur, the company needs to report it immediately to the people affected and to the government regulator. Attempting to hide a breach may only bring greater legal issues later, whereas if it is addressed immediately, you may be able to come to an agreement.

You can’t be prosecuted for breaches if you’ve taken reasonable precautions.

  6. Check that you can lawfully transfer personal information to other countries.

Data protection laws vary across countries, so this is a crucial consideration as well, particularly now that South African law is changing.

What’s legal in SA may not necessarily be legal in other countries or territories like Europe, so be sure to familiarise yourself with the laws of all the countries your company operates in.

  7. Only share personal information when you are lawfully able to.

Don’t share any data you collect with other companies unless you’re adhering to the proper guidelines. Doing so can be just as bad as having a data breach that exposes your own customer data, because you are indirectly liable for whatever they do with the information you hand over.