How to avoid the 5 most common POPI Act mistakes made by online South African businesses

Making sure your business has an online presence and connecting with virtual customers is more important than ever. At the very least, make sure that you don't make these common mistakes when attempting to be compliant with the POPI (Protection of Personal Information) Act.


We are yet to see any convictions for failing to comply with POPI in South Africa, but if POPI’s European counterpart, GDPR, is anything to go by, being caught unaware is no joke. A few memorable fines thus far include Google’s €50 million mistake for running a single personalised advert without prior consent from its users and Facebook’s £500,000 fine for the misuse of your data in 2016.

This is a blog that refers to the 5 most common mistakes made by South African online businesses. To create your own customisable Privacy Policy, feel free to visit our shop.


With parts of POPI only becoming operative in 2020, the timing is as fitting as it may be problematic for South African businesses. Never before has it been this important for all South African businesses to have an online presence and protect your data, but never before has it been this treacherous. Running an online business almost always involves collecting some form of customer or user data. Whether it be for a simple newsletter, a competition form or saving customers’ login data, you now have a serious legal responsibility to make sure that all of your users are aware of what you are doing, why you are doing it and that you are taking the correct measures to protect their data.

Failing to do so, and thereby not complying with the POPI Act, will now result in exorbitant fines and, for some, jail time. Something you won’t read online, and what I am here to tell you, is that pleading naivety if you are found to be non-compliant will not help you in any way. So here are the 5 most common mistakes we frequently witness South African businesses making, and how to learn from them:

Quick links:

1. Making no effort to be compliant
2. Becoming superficially compliant
3. Becoming compliant once and once only
4. Being compliant but not making your documents readable
5. Believing that becoming fully POPI compliant is difficult

1. Making no effort to be compliant

It seems obvious, but something we see far too regularly is South African companies and freelancers that make zero effort to comply with the POPI Act when operating their businesses online. It is glaringly obvious to anyone familiar with the online world (let alone authorities) when a website has no link to a Privacy Policy yet requires your information to operate its business. An online business rarely collects no user data at all. Cookies, comments, email newsletters and “contact us” forms are all points of data collection that you should be aware of. If your business is online, you should be asking yourself two vital questions: “do I collect any fraction of user data?” and “how do I become compliant and maintain my compliance if I do?”.

2. Becoming superficially compliant

The POPI Act is South Africa’s current data privacy law and it stands for the Protection of Personal Information Act. You may also see it referred to as POPIA. Although they both govern how businesses collect, use, store and manage personal information, POPI should not be confused with the European GDPR as they are not the same.    

The next step often taken by online South African ventures is to become compliant for the sake of being compliant, with the minimal amount of effort required. It makes sense that, particularly when starting a business, you focus on the core aspects required to make money and often look for a quick fix for decidedly less important services. Far too many businesses deem a website Privacy Policy to be unnecessary or just a box that requires ticking. What your privacy policy covers should be as unique as the products you sell. Generic privacy policy templates may offer a quick way to appear to comply with POPI but, if you read the document and there are any clauses which do not cover your online business completely, it is your responsibility to redraft the document. Not doing so and presenting an incorrect document to your users means that you are knowingly not complying with the POPI Act and can potentially damage both your business’s image as well as your bank balance.


3. Becoming compliant once and once only

Drafting a comprehensive Privacy Policy and ensuring that you have taken all the correct steps to comply with POPI is sometimes a massive undertaking and the very first thing businesses do when setting up their online presence. It is correct to be legally compliant before going online, but a lot of South African businesses that were in their ‘start-up’ phase have since taken on a whole new life of their own. A small online website can quickly grow to become a webshop, blog and support page with four different domains and entirely different uses of data collection. What we witness is businesses remembering the effort required to draft their legal documents and believing that, for the investment, the documents should be comprehensive enough to cover almost anything for their business. And that is the issue. A well written Privacy Policy, for example, will cover almost anything, but as soon as a business gears up and diversifies, making small edits to a legal document and recycling it time and time again increases the likelihood of the document being error-prone and your business becoming non-compliant. What South African online businesses should be aiming to achieve is being legally proactive and remaining compliant as their business ventures change, not recycling unrelated documents.

4. Being compliant but not making your documents readable

Having a professionally-drafted comprehensive privacy policy in place should be one of the very first steps every business should take when operating online. It should contain an up-to-date list of all your practices with regards to any personal user data (collection, processing and storage), as well as provide a transparent overview of what you intend to do with the data.

You have 12 months from when POPI was officially enacted on the 1st of July 2020 to become compliant. Failure to do so by the deadline could result in a maximum of 10 years in prison or being charged with a R10 million fine by South Africa’s Information Regulator.   

An unfortunate mistake we commonly see, however, is websites which make the document difficult to find, present the document using jargon that makes it difficult to understand and have an English-only version on websites with different available language options. All your website’s legal documents need to be easily accessible (not just a single link on your homepage), and available in all languages your website is available in. They should be presented in easily understandable text, as the end goal is to provide all the relevant information required to be POPI compliant, in a simple and accessible way.

5. Believing that becoming fully POPI compliant is difficult

There is currently a notion amongst South African businesses that acquiring comprehensive online legal documents may take days to complete and involves inevitable legal fees. So, many fall into the trap of using non-compliant generic templates or re-using older versions of legally drafted documents. This notion is entirely incorrect, and there is a wealth of information and various services available to support South African online businesses that are ready to become POPI compliant. By simply joining a quality business platform such as, asking advice and reading up on the POPI requirements here, one can learn to understand how their business operates online and how to draft an appropriate Privacy Policy, for free.

We understand, though, that this learning curve requires some time, something South African business owners and freelancers do not have a lot of. So, to make your life somewhat easier and to ensure that you can remain both GDPR and POPI Act compliant, we have created an automated, customisable Privacy Policy. You can make use of our leading contract automation engine to enter your website’s information and customise a professionally drafted Privacy Policy. The process takes a few minutes and, along with an available working guide, you can quickly create and re-create your website’s legal documents, keeping you and your users informed about what exactly you do with their data at all times.
