POPIA and Domain Registration South Africa: 2026 Complete Guide for Website Owners

Your POPIA compliance did not start when you added a privacy policy. It started the moment you typed your home address into a domain registration form.

Right now, your registrar holds your name, phone number, and physical address in a public database. Nobody told you that was a POPIA problem. It is.

Run a South African website and collect a single email address. You are now a responsible party under POPIA, with legal obligations attached to that email.

The Information Regulator fined the Department of Justice R5 million in 2023. If a government department is not safe, your WordPress site is not either.

The regulations tightened again in April 2025. The Information Regulator lists enforcement as its top priority for 2025/2026.

This article covers every obligation you carry, from your registrar to your cookie banner, so you know exactly where your exposure sits and what to fix first.

What POPIA Actually Regulates (and Why Website Owners Are Squarely in Scope)

Protection of Personal Information Act (POPI Act)

POPIA stands for the Protection of Personal Information Act, Act No. 4 of 2013.

The law became fully enforceable on 1 July 2021. Before that date, businesses had a one-year grace period to prepare.

That grace period is long gone. The Information Regulator now actively investigates and fines non-compliant organizations.

The law governs how any organization collects, stores, uses, or shares personal information. Both automated and non-automated processing fall under it.

POPIA applies to every responsible party domiciled in South Africa, which includes all South African website owners. It also applies to a responsible party domiciled elsewhere that uses automated or other means located in South Africa to process personal information, unless those means are only used to forward the data through the country.

A business based in Germany that processes South African customers' data through infrastructure or agents in South Africa is therefore covered. The territorial reach is broader than most people expect.

Website Owner Roles Under POPIA

As a website owner, you are the "responsible party": the party that decides why and how personal information is collected and used. That role does not change when you hand the data to someone else.

The third-party tools you hand data to are "operators": a payment gateway, email platform, or analytics script each processes your users' data on your behalf and only on your instructions.

That split matters because the operator must act only within your mandate and secure the data, while the responsible party stays accountable for the whole chain, including the operator's failures. Getting clarity on who holds which role for each tool is where the compliance picture sharpens.

The table below maps each of POPIA’s eight conditions for lawful processing to a plain-language meaning and a real website example.

Condition | Plain-Language Meaning | Website Example
Accountability | Prove your compliance at any time. | Keep a data-mapping register and written policies.
Processing Limitation | Collect only what you genuinely need. | Remove date-of-birth fields from contact forms.
Purpose Specification | Collect for a defined reason and keep it no longer than that reason requires. | Delete support emails after the query closes.
Further Processing Limitation | Use data only for its original purpose. | Do not add support contacts to a newsletter list.
Information Quality | Keep records accurate and current. | Run periodic audits on customer records.
Openness | Disclose your data practices clearly. | Publish a detailed, accessible privacy policy.
Security Safeguards | Protect data from unauthorized access or loss. | Update plugins, renew SSL/TLS certificates, patch your CMS.
Data Subject Participation | Let people access, correct, or delete their data. | Add a DSAR form linked from your privacy policy.

The WHOIS Problem Nobody Talks About

The moment you register a domain, you create a personal information record. That record sits in a publicly searchable database by default.

This is where your POPIA obligations begin, not where most compliance checklists start.

Your Domain Registration Data Is Personal Information Under POPIA

When you register a domain, you hand over your name, email address, phone number, and physical address.

Every one of those details qualifies as personal information under POPIA. The law protects any information that identifies a living natural person.

The WHOIS database makes registrant data publicly searchable by default. This creates a data protection problem before a single visitor lands on the site.

Three parties are involved in this data relationship. There is you (the registrant), your registrar, and the registry: ZACR for .co.za, or the registry operator of the relevant gTLD, which runs under ICANN policy.

Your registrar processes your personal information on behalf of the registry when it submits the registration, which makes it an "operator" under POPIA for that step. For its own contract with you, it also decides why and how your details are processed, so it carries responsible-party duties as well.

WHOIS privacy (proxy) services, where your registrar offers them for the TLD in question, replace your contact details in the public record with the registrar's generic proxy data. For sole proprietors and freelancers whose registration address is a home address, this meaningfully reduces exposure.

What Registrars Must Do With Your Data

As your operator, a registrar must process only the data needed to complete the registration contract.

They cannot repurpose your information for unrelated marketing or analytics. They must implement adequate security measures to protect your details from unauthorized access.

Things get more complex when your registrar operates outside South Africa. Section 72 of POPIA restricts the transfer of personal information to a third party in a foreign country.

Such a transfer is permitted only on a listed ground: the recipient is bound by law, binding corporate rules, or a binding agreement that upholds principles substantially similar to POPIA's; or you consent; or the transfer is necessary to perform the contract. Your registrar's privacy policy needs to state which of these it relies on.

Mandatory Website Elements That Satisfy POPIA

Once your domain is registered and your site is live, three website elements become legally mandatory. Skipping any one of them creates a compliance gap that the regulator can act on.

1) Your Privacy Policy: What It Must Contain

A privacy policy under POPIA must do more than exist. It must make specific disclosures in accessible, plain language.

  • Your policy must tell visitors what personal information you collect and where it comes from.
  • It must state why you process that information and the legal basis for doing so.
  • It must specify how long you retain each data category and which third parties receive it.
  • It must explain how data subjects can exercise their rights under POPIA.

2) Cookie Consent and Your Legal Basis for Analytics

Cookies that track individual behavior qualify as processing of personal information.

Session IDs, analytics cookies, and advertising pixels all fall under this category.

A compliant cookie banner must do three things:

  • It informs users which categories of cookies you use.
  • It lets them accept or reject non-essential cookies before any tracking starts.
  • It links to a cookie policy that explains each cookie’s purpose and retention period.

Google Analytics, Meta Pixel, and similar tools send data to servers outside South Africa. Two questions then need a documented answer: the lawful basis for the processing itself, and the ground for the cross-border transfer under section 72.

For the processing, the data subject's consent, which a properly configured cookie banner captures, is the cleanest basis. Alternatively, you can document a legitimate interest and demonstrate that it is proportionate.

For the transfer, section 72 does not list legitimate interest. Rely on the data subject's consent to the transfer, or on the provider being bound by an agreement (its data processing terms) that upholds protection substantially similar to POPIA, and record which ground you used in your transfer register.
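The gating behind the second banner requirement (nothing non-essential runs before the visitor opts in) is a small piece of decision logic. The block below is an added example written for this article, not code from the original page or from any consent vendor. It assumes a cookie named popia_consent, a 12-month consent lifetime after which the banner re-asks, and a constructed three-tag inventory; wiring it to a real banner and injecting the allowed scripts into document.head is left to the site.

```javascript
// Added example for this article (not the author's or any vendor's code):
// consent gating that decides which third-party tags may load, so that no
// non-essential cookie is set before the visitor opts in. Pure decision
// logic: wiring it to a banner and injecting the allowed <script> tags into
// document.head is left to the site. Assumptions: the cookie name, the
// 12-month consent lifetime, and the constructed tag inventory below.

const CONSENT_COOKIE = "popia_consent";          // assumed cookie name
const CONSENT_MAX_AGE_SEC = 365 * 24 * 60 * 60;  // assumed: re-ask after 12 months
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed tag inventory. Only "necessary" may run without consent.
const TAGS = [
  { id: "session",   category: "necessary", src: "/js/session.js" },
  { id: "ga4",       category: "analytics", src: "https://www.googletagmanager.com/gtag/js" },
  { id: "metapixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Record a visitor's choice. "necessary" cannot be refused; every other
// category defaults to false unless explicitly set to true (no pre-ticked boxes).
function buildConsent(choices, nowMs = Date.now()) {
  const granted = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = choices[c] === true;
  }
  return { decidedAt: nowMs, granted };
}

// Parse the stored cookie value. Malformed, stale or timestamp-less records
// are treated as "no decision yet" so the gate fails closed.
function parseConsent(raw, nowMs = Date.now()) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let rec;
  try {
    rec = JSON.parse(decodeURIComponent(raw));
  } catch (e) {
    return null;
  }
  if (!rec || typeof rec !== "object" || typeof rec.decidedAt !== "number") return null;
  if (nowMs - rec.decidedAt > CONSENT_MAX_AGE_SEC * 1000) return null; // expired: ask again
  const granted = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = !!(rec.granted && rec.granted[c] === true);
  }
  return { decidedAt: rec.decidedAt, granted };
}

// Serialise the choice as a Set-Cookie string. The consent cookie is itself a
// "necessary" cookie: it holds the decision only, no tracking identifier.
function consentSetCookie(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE_SEC}; Path=/; Secure; SameSite=Lax`;
}

// Extract the raw value of the consent cookie from a document.cookie string.
function readConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader).split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) return rest.join("=");
  }
  return null;
}

// The gate: given the parsed consent (or null), return the tags allowed to load now.
function tagsAllowed(consent, tags = TAGS) {
  return tags.filter(
    (t) => t.category === "necessary" || (consent !== null && consent.granted[t.category] === true)
  );
}

// Withdrawal rebuilds the record with every non-essential category off. Tags
// already executing in this page view cannot be unloaded, so reload afterwards.
function withdrawConsent(nowMs = Date.now()) {
  return buildConsent({}, nowMs);
}
```

On page load the site calls parseConsent(readConsentCookie(document.cookie)) and injects only the tags returned by tagsAllowed; the analytics and marketing scripts are never referenced in the HTML itself, so a blocked category cannot set a cookie before the decision. The Max-Age on the consent cookie doubles as the retention period the cookie policy has to disclose.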

3) Data Subject Access Request (DSAR) Form

POPIA gives every person the right to ask whether you hold their data. They can request a copy of that data and, in certain circumstances, deletion.

Your site needs a clear, easy-to-find intake point for those requests. A dedicated form linked from your privacy policy is the clearest approach.

Your DSAR process must verify the requester’s identity before releasing any information. Then you must respond within a reasonable timeframe.

The Information Officer: Who You Must Appoint and Register

Every responsible party under POPIA must appoint an Information Officer. This is a legal requirement, not a voluntary best practice.

By default the Information Officer is the head of the organization, the CEO or equivalent, who may designate deputies such as the person who manages the website. For sole traders, that person is you.

Registration happens through the Information Regulator’s e-Services Portal. The April 2025 amended Regulations updated the prescribed registration form, so use the current version.

The form asks for the officer’s full name, contact details, and the organization’s registration number. Complete it accurately; the Regulator cross-references these details during investigations.

The Information Officer carries out ongoing duties beyond the registration itself.

  • They oversee the site’s compliance posture on a continuing basis.
  • They handle DSAR requests received from users and manage breach notifications to the Regulator.
  • They liaise directly with the Information Regulator if an investigation opens.

Direct Marketing From Your Website: The Opt-In Rule Has No Grey Area

In December 2024, the Information Regulator published a Guidance Note on Direct Marketing under POPIA.

The note is clear: before you send any electronic marketing, you need the recipient’s informed, specific, and voluntary consent.

That rule covers email, SMS, and WhatsApp messages equally. The channel does not change the obligation.

If you want to contact someone who has not yet consented, section 69 allows you to approach them once, and only once, to request their consent, and only if they have not previously refused it.

If they do not respond, the conversation ends there. You cannot follow up until they actively say yes.

The one carve-out is an existing customer: you may market your own similar products or services to contact details obtained in the course of a sale, provided every message offers a free and simple way to opt out.

Review your forms, automations, and email sequences before you read any further guidance. Adjusting them now costs far less than responding to an enforcement notice later.

Data Breach Obligations Under POPIA: What You Must Do and How Fast

In April 2025, the Information Regulator launched a mandatory e-Services Portal for data breach notifications.

This online system is now the only official channel for reporting security compromises. Email or phone notification to the Regulator no longer meets the standard.

POPIA's security safeguards condition requires you to protect personal information against loss, damage, unauthorized destruction, and unlawful access. A notifiable "security compromise" arises once you have reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized person.

An attacker who brute-forces your admin login and reaches stored user records counts. A plugin vulnerability that exposes stored contact form data counts too. Accidental deletion of customer records is a loss of personal information and a safeguards failure even where no outsider was involved.

Once you discover a breach, notify the Information Regulator as soon as reasonably possible through the e-Services Portal.

Then notify the affected data subjects in writing. Send that communication to their last known address, email address, or other preferred contact channel.

For website owners, the lesson is specific: expired SSL certificates, unpatched plugins, and outdated hosting plans can cross from negligence into a POPIA violation.

Penalties for POPIA Non-Compliance: The Numbers You Need to Know

POPIA's penalty structure has two criminal tiers plus administrative fines. Understanding which applies to your situation changes how urgently you need to act.

Tier | Examples | Maximum Penalty
Serious offences | Obstructing the Regulator, failing to comply with an enforcement notice, giving false testimony to the Regulator, unlawfully obtaining or disclosing account numbers. | Fine and/or up to 10 years' imprisonment.
Less serious offences | Breaching confidentiality, hindering the execution of a search and seizure warrant, making false statements in response to an enforcement notice. | Fine and/or up to 12 months' imprisonment.
Administrative fine | Any offence the Regulator chooses to deal with by infringement notice instead of prosecution; failure to comply with an enforcement notice is what led to the Department of Justice fine. | Up to R10 million per infringement.

Beyond these regulatory penalties, POPIA gives individual data subjects the right to sue you directly.

A single affected user can institute civil proceedings for damages arising from interference with their personal information.

That happens separately from any action the Information Regulator takes. One breach can therefore trigger both a regulatory fine and a civil claim simultaneously.

Your 90-Day POPIA Compliance Roadmap for Website Owners

Most compliance failures occur because website owners know what they should do, but never build a timeline to do it.

The roadmap below breaks the process into three clear phases. Each phase has a defined set of actions and a deliverable you can check off.

Phase | Focus | Key Actions | Deliverable
Days 1-30 | Audit & Appoint | Map all data entry points. Review the registrar's privacy policy. Appoint the Information Officer. | Data-flow map. Registrar privacy assessment. Registered Information Officer.
Days 31-60 | Document & Publish | Update the privacy policy to the 2025 Regulations. Install the cookie consent tool. Build a cross-border transfer register. | Live privacy policy. Compliant cookie banner. Internal transfer log.
Days 61-90 | Test & Maintain | Submit a test DSAR. Run a breach response drill. Set a calendar reminder for a six-month policy review. | Verified DSAR process. Breach drill record. Scheduled policy review.

Start Where the Risk Actually Begins

POPIA compliance is not a single task. It is a set of obligations that runs from your domain registration record through to your cookie banner, your analytics tools, and your team.

Some of those obligations can be completed this week. Others take a month. None of them gets easier by waiting.

Start your audit today. Work through the 90-day roadmap in the order it appears here.

The exposure you find during the audit is far easier to fix than the fine you receive for not finding it. That part is entirely in your hands.

Truehost gives you South African servers, POPIA-aligned hosting, and a support team familiar with the POPIA requirements covered here.