Why this matters now more than ever
The Protection of Personal Information Act has been enforceable since July 2021. For the first few years, enforcement was relatively light and many small businesses took a "wait and see" approach. That window is closing. The Information Regulator has made POPIA enforcement a stated priority for 2025 and 2026, the April 2025 amendments tightened several requirements, and compliance violations are now publicly visible through the CIPC BizPortal.
The penalties are not symbolic. Fines reach R10 million, and serious offences carry the possibility of imprisonment. More practically, a data breach at a small business that cannot demonstrate it took reasonable steps to protect customer information creates significant legal and reputational exposure.
This article is not legal advice. It is a plain-English explanation of what most small business websites need to have in place. If your business handles sensitive information — medical records, financial data, children's information — you should speak to a lawyer who specialises in this area.
What POPIA actually requires
At its core, POPIA requires that any business collecting personal information — names, email addresses, phone numbers, ID numbers, payment details — does so lawfully, transparently, and with appropriate security measures in place. It also requires that you only collect what you actually need, that you keep it only as long as necessary, and that you have a clear process for handling breaches if they occur.
"Personal information" is broader than most people assume. An email address is personal information. A phone number is personal information. A name combined with a company name can be personal information. If your website has a contact form, you are collecting personal information, and POPIA applies.
What your website needs
A privacy policy. This is the foundational requirement. Your privacy policy needs to explain: what personal information you collect, why you collect it, how you use it, who you share it with, how long you keep it, and how visitors can request that their information be removed or corrected. It needs to be written in plain language, not copy-pasted legal boilerplate that nobody reads. It needs to be accessible — typically linked in your website footer on every page.
Cookie consent. If your website uses cookies — and virtually all websites do, including through Google Analytics, Facebook Pixel, and any embedded third-party tools — you need to inform visitors of this and, for non-essential cookies, obtain their consent before placing them. A cookie notice that just says "this site uses cookies" and links to your policy is the minimum. A proper cookie consent banner that allows visitors to accept or decline non-essential categories is the more compliant approach and aligns with where enforcement is heading.
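One way to implement the "consent before placing non-essential cookies" rule in the browser, as an added example that is not part of this article: each third-party tag is registered under a category, and only tags whose category the visitor has explicitly accepted get injected. The storage key, the tag list and the GA measurement id are placeholders chosen for the example.

```javascript
// Added example: consent-gated loading of non-essential third-party scripts.
// Essential scripts load unconditionally; "analytics" and "marketing" tags
// load only after an explicit opt-in stored under CONSENT_KEY (assumed name).
const CONSENT_KEY = "popia_consent_v1";
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

// Constructed tag registry. Loader URLs are the public GA / Pixel loaders;
// the measurement id G-PLACEHOLDER is not a real property.
const TAGS = [
  { category: "essential", src: "/assets/site.js" },
  { category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" },
  { category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Parse a stored consent record. Anything missing, malformed or not an
// explicit boolean true is treated as "not consented" for that category.
function parseConsent(raw) {
  const none = { analytics: false, marketing: false, decidedAt: null };
  if (typeof raw !== "string") return none;
  try {
    const obj = JSON.parse(raw);
    const out = { ...none, decidedAt: obj.decidedAt || null };
    for (const c of CATEGORIES) out[c] = obj[c] === true;
    return out;
  } catch {
    return none;
  }
}

// Build the record to store when the visitor decides. Declining everything
// is still a decision and is recorded, so the banner is not shown again.
function makeConsent(acceptedCategories) {
  const rec = { decidedAt: new Date().toISOString() };
  for (const c of CATEGORIES) rec[c] = acceptedCategories.includes(c);
  return rec;
}

// Return the subset of tags that may be injected under a consent record.
function allowedTags(consent, tags) {
  return tags.filter(t => !CATEGORIES.includes(t.category) || consent[t.category] === true);
}

// Browser side: read consent, inject only the allowed <script> elements.
// Returns the list it injected so the caller can verify what was loaded.
function applyConsent(tags = TAGS) {
  if (typeof document === "undefined") return []; // not running in a browser
  const consent = parseConsent(localStorage.getItem(CONSENT_KEY));
  const allowed = allowedTags(consent, tags);
  for (const t of allowed) {
    const s = document.createElement("script");
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  }
  return allowed;
}
```

Wire the banner's "accept" and "decline" buttons to `localStorage.setItem(CONSENT_KEY, JSON.stringify(makeConsent([...])))` followed by `applyConsent()`; on later page loads call `applyConsent()` once and show the banner only when `parseConsent(...).decidedAt` is null.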
Secure contact forms. Any form on your website that collects personal information needs to be submitted over HTTPS (the padlock in the browser address bar). Form data should not be stored indefinitely in a database without purpose. If you use a third-party form tool, check where the data goes and whether that provider is POPIA-compliant.
An information officer. Every South African business must appoint an Information Officer — typically the owner or a senior person in the business — and register them with the Information Regulator. This is a regulatory requirement, not optional. The registration is free and is done online through the Information Regulator's portal.
A process for data requests. If a customer asks you to tell them what information you hold about them, correct it, or delete it, you are legally required to respond. You do not need a sophisticated technical system to handle this — but you need to know where your customer data lives, who has access to it, and how you would respond to such a request in a reasonable timeframe.
What is commonly missing on SA small business websites
Based on what I see when reviewing small business websites across South Africa, the most common gaps are: no privacy policy at all, a privacy policy that was copied from a foreign template and references GDPR rather than POPIA, no cookie consent mechanism despite running Google Analytics, and contact forms that store submissions in an unsecured database with no data retention policy.
None of these are difficult to fix. A proper privacy policy can be written in a few hours with the right guidance. A cookie consent tool can be added to most websites in under an hour. Registering your information officer takes fifteen minutes.
A simple compliance checklist
Run through these for your own website:
- Is there a privacy policy linked in the footer?
- Does it mention POPIA specifically and explain what you do with customer data?
- Is your website served over HTTPS?
- Do you have a cookie consent notice?
- Have you registered your Information Officer with the Information Regulator?
- Do you know where all your customer data is stored and who can access it?
- Do you have a basic process for responding if a customer asks you to delete their information?
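A first-pass scan of the website-facing items on this checklist (HTTPS, privacy link in the footer, a POPIA reference, a cookie notice, and the "Google Analytics but no consent" gap mentioned earlier), as an added example that is not part of this article. It is a heuristic over one page's HTML: it confirms the pieces are present, not that they are legally adequate. The sample page below is constructed; the tracker host list and the function name are this example's own choices.

```javascript
// Added example: scan one page's HTML against the checklist items that can be
// checked mechanically. `url` is the page address, `html` its markup.
const TRACKER_HOSTS = ["googletagmanager.com", "google-analytics.com", "connect.facebook.net"];

function scanPage(url, html) {
  const lower = html.toLowerCase();
  // Only the footer counts for the "linked in the footer" question.
  const footer = (lower.match(/<footer[\s\S]*?<\/footer>/) || [""])[0];
  const report = {
    https: url.startsWith("https://"),
    privacyLinkInFooter: /<a[^>]*href=[^>]*privacy[^>]*>/.test(footer),
    mentionsPopia: /popia|protection of personal information act/.test(lower),
    // A notice that only says "this site uses cookies" with no choice is not counted.
    cookieNotice: /cookie/.test(lower) && /(accept|decline|reject|manage)/.test(lower),
    trackers: TRACKER_HOSTS.filter(h => lower.includes(h)),
    forms: (lower.match(/<form\b/g) || []).length,
    issues: [],
  };
  if (!report.https) report.issues.push("page not served over HTTPS");
  if (!report.privacyLinkInFooter) report.issues.push("no privacy policy link in footer");
  if (!report.mentionsPopia) report.issues.push("no POPIA reference found");
  if (report.trackers.length && !report.cookieNotice) {
    report.issues.push("third-party trackers (" + report.trackers.join(", ") + ") without a cookie consent notice");
  }
  if (report.forms && !report.https) report.issues.push("contact form submits over plain HTTP");
  return report;
}

// Constructed sample: a typical "GDPR template plus Google Analytics, no
// consent banner" small business page. G-PLACEHOLDER is not a real property.
const SAMPLE_HTML = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<form method="post" action="/contact"><input name="email"></form>
<footer><a href="/privacy-policy">Privacy Policy (GDPR)</a></footer>
</body></html>`;

// Running it against the sample reports two gaps: no POPIA reference, and a
// tracker loaded without any consent notice.
const sampleReport = scanPage("https://example.co.za/", SAMPLE_HTML);
```

Fetch the live page yourself (for example with `fetch(url).then(r => r.text())`) and pass the result in; the scan is deliberately offline so it can be run over saved copies of several pages at once.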
If you answered no to more than two of these, your website is not POPIA-compliant and that is worth addressing sooner rather than later. The cost of getting it right is minimal. The cost of a formal complaint or enforcement action is not.
If you would like help auditing your website for POPIA compliance and putting the right pieces in place, it is something I can help with as part of a broader website review.