DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

πŸ‡ΏπŸ‡¦ Sub-Saharan Africa

Cookie consent in South Africa

Consent and privacy law in South Africa

In short
South Africa's POPIA became fully enforceable in July 2021 and is overseen by the Information Regulator. It is built around eight conditions for lawful processing and applies to both natural and, unusually, juristic persons, meaning companies as data subjects, which is broader than most regimes. Consent is one lawful basis among several, and direct marketing by electronic means generally requires opt-in consent. Penalties include administrative fines up to 10 million rand and possible imprisonment. Organisations must appoint an information officer and may need to register them. Notices are commonly in English. Cookies that identify users are personal information subject to POPIA.
Authority
Information Regulator
Status

Protection of Personal Information Act fully enforceable since July 2021

Primary law
POPIA
Languages

en

Who must comply

Any party (responsible party) processing personal information in South Africa.

Penalties

Administrative fines up to 10 million rand, plus possible imprisonment

Key obligations

  • Process only with a lawful basis
  • Obtain consent where required
  • Limit processing to the purpose
  • Honor data subject participation rights
  • Notify the regulator of breaches

Local guidance

  • Apply the eight POPIA conditions for lawful processing
  • Obtain opt-in consent for electronic direct marketing
  • Appoint and register an information officer
  • Remember POPIA covers companies as data subjects too

How ConsentX helps

  • Lawful-basis consent capture
  • Purpose-limited categories
  • Data subject request intake
  • Evidence and reporting
Get started free
yoursite.com
πŸ‡ΏπŸ‡¦ South Africa

We value your privacy

We ask for your consent before any non-essential cookie, with the rules that apply in your region.

Allow allReject non-essentialManage preferences

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with South Africa using ConsentX

  1. 1

    Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under South Africa.

  2. 2

    Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor region and shows the consent experience that South Africa requires, automatically.

  3. 3

    Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. 4

    Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a South Africa audit.

  5. 5

    Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Does POPIA protect companies as well as people?+

Yes. Unusually, POPIA protects the personal information of both natural persons and juristic persons such as companies, which is broader than most data protection laws.

Is opt-in required for marketing in South Africa?+

Yes. Direct marketing by electronic means under POPIA generally requires the prior opt-in consent of the data subject, with limited exceptions for existing customers.

Governing law

πŸ‡ΏπŸ‡¦ POPIA

Other countries in Sub-Saharan Africa

πŸ‡³πŸ‡¬ NigeriaπŸ‡°πŸ‡ͺ KenyaπŸ‡¬πŸ‡­ Ghana