If your website collects any personal information from South Africans, even just a name and email through a contact form, POPIA applies to you. The good news: for most small business websites, getting compliant is straightforward and quick. It’s mostly about being upfront and handling people’s data with care.
For a typical business website, POPIA compliance comes down to five things:
- Have a privacy policy that explains what you collect and why.
- Get consent before you collect personal information.
- Only collect what you actually need.
- Keep that information secure.
- Let people ask what you hold and have it deleted.
This guide explains each one in plain English. It’s general information, not legal advice, so check with a professional if you’re unsure.
What POPIA is, quickly
POPIA is the Protection of Personal Information Act. It’s South Africa’s data privacy law, and it sets the rules for how businesses collect, use and store people’s personal information. It’s been fully in force since 2021, and it applies to businesses of every size.
Personal information is anything that identifies a person: name, email, phone number, ID number, even an IP address in some cases. If your website touches any of that, POPIA is in play.
Does POPIA apply to my website?
Almost certainly yes, if your site does any of these:
- Has a contact or enquiry form.
- Collects email addresses for a newsletter.
- Takes bookings, orders or payments.
- Uses analytics or tracking that identifies visitors.
If the only thing your website does is sit there as a brochure with no forms and no tracking, your obligations are lighter. The moment you collect anything, the rules apply.
What your website needs to be compliant
A privacy policy
This is the big one, and the easiest to sort. A privacy policy is a page that tells visitors, in plain language:
- What personal information you collect.
- Why you collect it and what you do with it.
- Who you share it with, if anyone.
- How long you keep it, and how someone can ask you to delete it.
Link to it in your footer and next to every form. Most compliant websites have one. If yours doesn’t, that’s the first fix.
Consent on your forms
POPIA expects people to agree to their information being collected. On a website, that usually means a short, clear line on your forms.
- A tick box or a line confirming they’re happy for you to contact them.
- A link to your privacy policy right there.
- No pre-ticked boxes or sneaky defaults.
Consent has to be a real choice, not something buried in the small print.
Only collect what you need
POPIA says collect the minimum. If your enquiry form asks for an ID number and a home address to answer a simple question, that’s a problem.
- Ask for what you genuinely need to do the job.
- Drop fields that are nice-to-have but not necessary.
- Shorter forms are better for compliance and for conversions, so this one’s a win twice.
Keep the information secure
If you collect people’s data, you’re responsible for protecting it. For a website that means the basics done properly:
- A TLS/SSL certificate, so the site runs on HTTPS and form data is encrypted in transit rather than sent in the clear.
- A site that’s kept updated and secure, not running ancient software.
- Sensible handling of where enquiries land, so they’re not left lying around unprotected.
A website care plan covers most of the security side without you thinking about it.
Let people exercise their rights
Under POPIA, people can ask what information you hold about them and ask you to correct or delete it. You need a way for them to do that, usually an email address in your privacy policy, and you need to actually act on the request.
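As an added example (not the article's own code or anything from the agency), here is a small Node.js handler for the enquiry form described above: it refuses submissions where the consent box was not ticked, keeps only the fields the form needs, records when and under which policy version consent was given, and answers access and deletion requests. The field names, the policy version string and the email check are assumptions.

```javascript
// Added example (not the article's code); field names and policy version are assumed.
const ALLOWED_FIELDS = ["name", "email", "message"]; // only what the form needs
const POLICY_VERSION = "2024-01"; // assumed version of the linked privacy policy
const store = []; // stand-in for wherever enquiries actually land

// Consent must be an explicit opt-in. A browser only sends a checkbox value
// when it was ticked, so anything other than "on" is refused; no defaults.
function consentGiven(body) {
  return body.consent === "on";
}

// Validates a submission, keeps only allowed fields, and attaches a consent
// record (when, which policy version) so you can show what was agreed.
function processEnquiry(body, now = new Date()) {
  if (!consentGiven(body)) return { ok: false, reason: "consent not given" };
  const record = {};
  for (const field of ALLOWED_FIELDS) {
    const value = typeof body[field] === "string" ? body[field].trim() : "";
    if (!value) return { ok: false, reason: `missing ${field}` };
    record[field] = value;
  }
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(record.email)) {
    return { ok: false, reason: "invalid email" };
  }
  record.consent = { givenAt: now.toISOString(), policyVersion: POLICY_VERSION };
  // Fields the form should never have asked for (e.g. an ID number) are dropped.
  const dropped = Object.keys(body).filter(
    (k) => k !== "consent" && !ALLOWED_FIELDS.includes(k)
  );
  store.push(record);
  return { ok: true, record, dropped };
}

const sameEmail = (r, email) => r.email.toLowerCase() === email.trim().toLowerCase();

// Access request: return what is held for an email address.
function recordsFor(email) {
  return store.filter((r) => sameEmail(r, email));
}

// Deletion request: remove everything held for that address; returns the count.
function eraseRecordsFor(email) {
  const before = store.length;
  for (let i = store.length - 1; i >= 0; i--) {
    if (sameEmail(store[i], email)) store.splice(i, 1);
  }
  return before - store.length;
}
```

Wire `processEnquiry` to the form's POST route and `recordsFor`/`eraseRecordsFor` to whatever process handles requests sent to the contact address in your privacy policy.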
What happens if you ignore it
POPIA isn’t just paperwork. The Information Regulator can investigate complaints, and penalties for serious breaches run to large fines. For most small businesses the bigger risk is reputational: a data slip-up that customers hear about does real damage to trust.
The reassuring part is that basic compliance is cheap and quick. It’s far easier to set up properly than to clean up after a problem.
Frequently asked questions
Does my small business website need to comply with POPIA?
If it collects any personal information, including through a contact form or newsletter signup, then yes. At a minimum you need a privacy policy and clear consent on your forms. A brochure site with no forms or tracking has lighter obligations.
Do I need a privacy policy on my website in South Africa?
Yes, if you collect personal information. A privacy policy explaining what you collect, why, and how someone can have it deleted is a baseline POPIA requirement and one of the simplest to put in place.
What personal information does POPIA cover?
Anything that can identify a person: name, email, phone number, ID number, address, and in some cases an IP address. If your website collects any of it, POPIA applies.
How do I make my website POPIA compliant?
Add a privacy policy, get clear consent on your forms, only collect what you need, secure the site with HTTPS and proper maintenance, and give people a way to access or delete their data. For most small business sites it’s a quick job.
Compliance sounds heavy, but for a normal business website it’s a short to-do list. If you’d like us to sort it as part of your site, get in touch. And remember this is general guidance, not legal advice.