A practical POPIA checklist for your website
Work through eight things and your website covers the basics of POPIA: a plain-English privacy notice, real consent, a cookie banner that respects a no, careful forms, privacy-friendly analytics, data minimisation, retention, and a security plan. Below is each one in plain language for a South African small business.
The website side of POPIA comes down to being honest about what you collect, asking before you track, gathering only what you need, and keeping it safe. Set up a clear privacy notice, a consent banner that respects a no, lean forms, privacy-friendly analytics, sensible retention, and a basic security and breach plan. That covers the site; remember your business handles personal information off the website too.
The Protection of Personal Information Act sets the rules for how South African businesses handle personal information. It sounds heavy, but for a small business website most of it is common sense written down. This checklist walks through the parts that touch your site, in the order we set them up. Treat it as general guidance to get you oriented, then have your final wording reviewed by someone qualified.
1. A plain-English privacy notice
Every site needs a privacy notice that a normal person can read. It should say what personal information you collect (name, email, phone, whatever your forms ask for), why you collect it, who you share it with, how long you keep it, and how someone can ask to see or delete their data. Skip the dense legal block copied from somewhere else. Plain language is both friendlier and more honest. You can see the shape of a POPIA-aligned one on our own privacy page.
2. Consent and a cookie banner that respects a no
If your site loads analytics, embedded maps, video, or anything that tracks visitors, you need to ask first. A good banner explains what runs, lets the visitor accept or decline, and remembers the choice. The important part is that a no actually means no: the site should work fully whether or not someone opts in. A banner that nags, or that loads the trackers anyway, defeats the point and undermines the consent you claim to have.
3. Careful forms
Forms are where most small sites collect personal information, so they deserve a second look. Ask for only what you genuinely need to do the job. A quote request rarely needs an ID number or a physical address. Add a short line at the point of submission saying what the information is for, and keep a record of consent where it matters, for example on a newsletter sign-up. Fewer fields also means higher completion rates, so this is rare ground where privacy and conversion pull the same way.
4. Privacy-friendly analytics
You can still understand your traffic without hoovering up personal data. Privacy-friendly analytics tools count visits and show which pages perform, without building a profile of each person or following them around the web. Choosing one of these keeps your consent banner simpler and your privacy notice shorter, because there is less to disclose and less to defend. It is the calmer choice for a small business that just wants to know what is working.
5. Data minimisation
Minimisation is the habit behind most of this list: collect the least you can, store it in the fewest places, and avoid hanging on to data you have no use for. Every extra field, every extra integration, and every extra copy of a spreadsheet is something you now have to protect and account for. When you are tempted to add a tool or a field, ask what it is for and whether the site already has what it needs. Usually it does.
6. Retention: decide how long, then stick to it
POPIA expects you to keep personal information only while you have a real reason to. So set a retention period for each kind of data and write it into your privacy notice. A simple decision list helps:
- Contact form messages: clear them a set number of months after the enquiry is dealt with.
- Newsletter subscribers: keep while subscribed, remove promptly on unsubscribe.
- Booking or order records: keep as long as tax and accounting rules require, then remove.
- Analytics: keep aggregated trends only, and clear identifiable individual logs after a short window.
The exact periods are a business decision, but having them written down is the POPIA-friendly move.
7. Third-party operators
Almost no website runs alone. Hosting, email delivery, analytics, a booking tool: under POPIA these are operators, and they should process personal information only on your instructions, with proper safeguards. Keep that list short, choose reputable providers, and note in your privacy notice where data may be processed outside South Africa so the document is honest. A shorter operator list is easier to keep track of and easier to explain to a customer who asks. Hosting your site in a Johannesburg data centre also keeps the core of your site close to home.
8. A high-level security and breach plan
Security compromises happen, so the goal is to be ready rather than to promise they never will. On the technical side that means hosting on monitored infrastructure, keeping software patched, using SSL, and keeping daily backups so an incident can be contained and recovered. On the process side, decide in advance who is told, who acts, and how you would notify affected people and the regulator if a breach involving personal information occurred. Your privacy notice should name a contact for privacy questions and set out, at a high level, the steps you would take.
Putting it together
None of these eight is hard on its own. The work is doing them all and keeping them in step as your site changes. Because we both build and look after the sites we make, the privacy side stays current as your forms, tools, and content evolve, staying accurate long after the site goes live. That is the idea behind POPIA-ready websites: get it right at the start and keep it right month to month.
One last reminder: this is general guidance on the website side; for legal advice, consult someone qualified, and remember POPIA reaches well beyond your website into how your whole business handles personal information. Use this checklist to get the site in good shape, then have your final privacy wording and wider obligations reviewed by someone qualified.
Quick answers
01 Does ticking this checklist make my business POPIA-compliant?
02 Do I legally need a cookie banner in South Africa?
03 How long can I keep customer information?
04 Is this guide legal advice?
Want this handled for you?
Every Cinacode site ships POPIA-ready, with the privacy notice, consent, and forms set up for you. Book a short call to talk it through.
Book a call →Or See the plans.