The POPI Act (the Protection of Personal Information Act, POPIA) comes into full force for South Africans on 1 July 2021. If you are an online seller with an ecommerce website, you risk hefty fines if you are not POPI compliant. The good news is that it is not that hard to be compliant.
Quick disclaimer. We are not lawyers and the content in this blog is for information purposes only. We have discussed this topic with our lawyers and done a deep dive into what is available on the web in order to bring you this overview of POPI and how to comply. Please always check with your lawyer to be sure you are POPI compliant.
How online sellers can be POPI compliant
What is POPI?
POPI is a piece of legislation governing how our personal information is collected, stored and used by others. It is there to protect our privacy and give us recourse if we feel our privacy is being violated. In real terms it means we can do something about receiving spam emails or that annoying call selling you life insurance just as you are about to sit down for dinner!
How does this affect me as an online seller?
If you sell goods and services online, you need to collect personal information from your customers in order to be able to deliver the product or provide the service. Even if you are not selling something, but only asking someone to subscribe to your email list, you are still collecting personal information. The moment you do so, you need to be compliant with the POPI act. If you don't, you could be on the wrong side of some very heavy fines.
What is considered personal information?
It's critical to understand what is considered personal information. What falls under the POPI Act and what does not?
Quick side note: POPI and personal information apply to real, living, breathing people as well as juristic persons. That's just a fancy way of saying that companies, close corporations (CCs), trusts, partnerships and the like are also considered persons as far as the Act is concerned.
Back to the question... Personal information is any information relating to an identifiable person, including details that give insight into their private lives. For example, if you sell T-shirts, you will need a name, address and contact information so you can deliver. It's pretty obvious that those would be considered personal information, but you would also need their T-shirt size, and once it is linked to a named customer that is personal information too.
Other examples are
- First Name
- Surname
- Contact numbers
- Email addresses
- Age
- Gender
- Addresses
- Company name and address
- Company registration details
- Financial information
- Medical information
Applying a little bit of common sense makes it pretty obvious what is considered personal information.
Am I not allowed to collect personal information anymore?
You are. It is still completely legal to collect personal information. As online sellers we need to collect personal information so we can provide goods and services. The critical aspect of POPI compliance is how we tell our prospects and customers what information we need and why, and then how we use and safeguard that information.
What do I need to do to comply with POPI as an online business?
1. Communicate
Whenever you collect personal information from someone you need to tell them
- What information you are collecting
- Why you need the information
- How the information will be used
- Who is taking responsibility for their information
- How they can confirm their data accuracy
- How they can edit their data
- How they can request their personal information be deleted
- Who will have access to their information (couriers, Mailchimp, etc.)
- How to complain if their personal information is misused.
2. Use your website privacy policy wisely...
The trick here is that you need to share all this information with them and have a lawful basis for collecting their personal information before you collect it. For an online seller the simplest basis is consent, although POPIA also allows processing that is necessary to carry out a contract with the customer (for example, delivering an order).
That is pretty easy to do. All you need is a correctly worded privacy policy published on your site. Then put a checkbox on every form that you use to collect data, unticked by default, that they tick to say they are aware of and agree to your privacy policy. Treat the checkbox as a prompt, not as proof: check on the server that it was actually ticked, and keep a record of which version of the policy they agreed to and when. The privacy policy does the heavy lifting for you.
You will want to include wording alongside the check box that explains the ramifications if they do not give you consent to collect their personal information. For example, if they won't give you consent to ask and store their T shirt size then you can't send them the T shirt they want to purchase.
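Item 2 above says the consent checkbox does the heavy lifting. The part that is easy to get wrong is that a checkbox in the browser proves nothing on its own: a submission can arrive with the field missing, with extra fields you never asked for, or after the privacy policy has changed. The following is an added example, not code from the original post, of a server-side check in Python that refuses a submission whose consent field is absent, records which policy version the customer accepted and when, and stores only the fields the privacy policy declares for that form. The form names, the field names (`privacy_consent`, `policy_version`, `shirt_size`, and so on) and the policy version string are assumptions for illustration.

```python
"""Server-side consent check for forms that collect personal information.

Added example, not code from the original post. Form identifiers, field
names, purposes and the policy version string are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# What each form is declared (in the privacy policy) to collect, and why.
# Anything not listed here is dropped even if the browser sends it, so what
# you store matches what the customer was told you would collect.
FORM_FIELDS: Dict[str, Dict[str, List[str]]] = {
    "tshirt_order": {
        "purpose": ["deliver the order"],
        "fields": ["first_name", "surname", "email", "address", "shirt_size"],
    },
    "newsletter": {
        "purpose": ["send the newsletter"],
        "fields": ["email"],
    },
}

# Assumed identifier of the privacy policy currently published on the site.
POLICY_VERSION = "2021-07-01"


class ConsentError(ValueError):
    """Raised when a submission must be rejected: nothing is stored."""


@dataclass
class ConsentRecord:
    """Evidence of what was consented to, when, and what was collected."""
    form_id: str
    policy_version: str
    purposes: List[str]
    consented_at: str
    data: Dict[str, str] = field(default_factory=dict)


def record_consent(form_id: str, submission: Dict[str, str],
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Re-check the consent checkbox server-side and build a consent record.

    The browser can be made to send anything, so the checkbox is verified
    here: an absent field (box left unticked) is rejected outright. The box
    must also be unticked by default in the HTML; the server cannot tell
    afterwards whether a ticked box was ticked by the customer.
    """
    spec = FORM_FIELDS.get(form_id)
    if spec is None:
        raise ConsentError(f"unknown form {form_id!r}")
    if submission.get("privacy_consent") != "yes":
        raise ConsentError("privacy policy not accepted; nothing stored")
    # The form carries the version of the policy it displayed; a stale page
    # submitting after the policy changed is not consent to the new policy.
    if submission.get("policy_version") != POLICY_VERSION:
        raise ConsentError("consent given to a different policy version")
    missing = [f for f in spec["fields"] if not submission.get(f)]
    if missing:
        raise ConsentError(f"required fields missing: {missing}")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConsentRecord(
        form_id=form_id,
        policy_version=POLICY_VERSION,
        purposes=list(spec["purpose"]),
        consented_at=stamp,
        # Keep only the declared fields; drop anything extra the browser sent.
        data={f: submission[f] for f in spec["fields"]},
    )


if __name__ == "__main__":
    # Constructed sample submission, including a field the form never asked for.
    order = {
        "first_name": "Thandi", "surname": "Nkosi", "email": "thandi@example.com",
        "address": "1 Example Road, Cape Town", "shirt_size": "L",
        "phone": "000 000 0000",  # not declared for this form, will be dropped
        "privacy_consent": "yes", "policy_version": POLICY_VERSION,
    }
    print(record_consent("tshirt_order", order))
    try:
        record_consent("newsletter", {"email": "x@example.com",
                                      "policy_version": POLICY_VERSION})
    except ConsentError as exc:
        print("rejected:", exc)
```

Pair this with an unticked checkbox in the form, such as `<input type="checkbox" name="privacy_consent" value="yes">`, and a hidden `policy_version` field set from the published policy. The `ConsentRecord` is what you produce when a customer later asks what they agreed to, or when the Information Regulator asks you to show that consent was obtained.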
3. Have offsite agreements for customers and service provider partners
Not everyone your business deals with will come via your website. This means not everyone will have the opportunity to read your privacy policy and provide their consent. So have a means to share your privacy policy and obtain consent outside of your website, for example as part of the paperwork for telephone or in-person orders.
You will also need agreements in place with any service providers that need access to your customers' personal information. POPIA calls these providers operators and requires a written contract obliging them to safeguard the information. For example, you could be held liable if you share personal information with a courier and that courier then sends marketing to your customer. These agreements should be in line with your privacy policy. Consider companies like Mailchimp and Payfast as well: your email provider, your web host and your payment processor all have access to the personal information in your care.
4. Have Internal Policies with staff and consultants
It's important that internally your team acts in accordance with your privacy policy. It's not much good having the best privacy policy around and then carrying on as if it did not exist. You need to ensure your staff are aware of and have agreed to the terms laid out in your privacy policy. This applies equally to anyone else who may have access to customer personal information; a common case is third-party consultants or agencies.
5. Register a company information officer
POPI says that someone at your company needs to take on the role of information officer and register with the Information Regulator. This person assumes responsibility for the company's compliance with POPI and for the correct management of personal information. By default, the head of the business (for a small business, usually the owner) is the information officer unless you go through the process of designating and registering someone else.
POPI Compliance Checklist
(Checklist graphic not reproduced here; the author offers a printable PDF copy of the checklist by email.)