If your website has a contact form, collects email addresses, or uses any analytics or tracking tools, POPIA (the Protection of Personal Information Act) applies to you, regardless of how small your business is. Most South African small business websites are quietly non-compliant, not out of negligence, but because nobody told them what was actually required. Here's a plain-language breakdown.
What POPIA actually requires, in plain terms
POPIA governs how businesses collect, store, and use anyone's personal information, names, email addresses, phone numbers, even IP addresses captured through analytics. If your website touches any of this, and almost every business website does, you have obligations under the law.
The core requirements that apply to most small business websites:
Step 1: check if you have a Privacy Policy
Visit your own website and look in the footer. If there's no Privacy Policy, this is the most basic and most commonly missing requirement. A Privacy Policy should plainly state what data you collect (name, email, phone, anything from a contact form), why you collect it, how long you keep it, and who to contact with questions or requests.
This doesn't need to be a complicated legal document. Clear, honest language explaining your actual practices is both compliant and more trustworthy to visitors than dense legal jargon nobody reads.
Step 2: check what cookies your site is setting without consent
Open your site in Chrome, right-click, choose Inspect, then go to the Application tab and look at Cookies. If you see cookies from Google Analytics, Google Ads, Meta Pixel, or similar tools being set the moment the page loads, before any visitor has agreed to anything, that's a compliance gap.
The fix is a cookie consent mechanism, a banner that lets visitors accept or decline non-essential cookies before tracking scripts load. Non-essential means anything beyond what's strictly needed to make the site function, analytics, ad tracking, and marketing pixels all fall into this category.
Step 3: review your contact and audit forms
Any form collecting personal information should include a brief note about what happens to that information, even something as simple as: "By submitting this form, you agree to our Privacy Policy. We'll only use your details to respond to your enquiry."
Also check: are you collecting more than you actually need? A contact form asking for name, email, and message is reasonable. One asking for ID numbers, physical addresses, or other sensitive details without a clear reason increases your compliance risk unnecessarily.
Step 4: know what to do if someone asks about their data
POPIA gives individuals the right to ask what data you hold about them, and to request corrections or deletion. For most small businesses this is rare, but you should have a simple process ready: a dedicated email address (like privacy@yourbusiness.co.za) where such requests can be sent, and a basic understanding of where your customer data actually lives so you can respond.
Step 5: check your email marketing practices
If you send marketing emails, newsletters, promotions, updates, POPIA requires that recipients opted in, and that every email includes an easy way to unsubscribe. Buying or scraping email lists is not compliant, regardless of how tempting it is for a quick campaign. See our guide on email marketing for new customers for how to build a list properly from the start.
What happens if you're not compliant
POPIA is enforced by the Information Regulator, and while small businesses are rarely the first target of enforcement action, non-compliance carries real risk, from complaints being escalated to reputational damage if a data handling issue becomes public. Beyond the legal risk, a visible Privacy Policy and proper cookie consent also signal to visitors that you take their information seriously, which measurably affects trust and conversion, particularly for South African consumers who are often cautious about unfamiliar businesses online.
A quick checklist
Run through this on your own site today:
The bottom line
POPIA compliance for a small business website isn't complicated, it's a handful of specific, checkable items, a real Privacy Policy, proper cookie consent, honest forms, and a clean email list. Most of the risk comes from these basics simply never being set up, not from anything more complex. An afternoon spent addressing the checklist above puts most small business websites in a genuinely compliant position.
Want us to do this for your business?
Get a free audit. We'll show you exactly where your site stands.