Last year, in July 2020 South Africa announced that the POPIA law is finally coming into effect. It had been talked about for years and we always knew that we could delay because our government is quite slow on some things, but moreover because once they announce it, they will give South African businesses one year to comply. That one year mark is coming soon, in a few months, on the 1st of July 2021, firms must be compliant.

Here are some handy things I’ve researched to make life easier for you, if you are hoping to do the right thing. Just a huge caveat: do your own homework and don’t expect me to be 100% correct on the below as I’ve only so much time to learn what I can. Plus, things often change and I don’t have time to keep updating this article.

South Africa: POPIA (Protection of Personal Information Act)

  • The client needs to expressly OPT-IN (so no pre-selected check boxes with “I want your newsletter” etc.)
  • As per this link, non-compliance laws are quite strict: A fine (R1 million to R10 million) or imprisonment (1 to 10 years) as well as paying money to data subjects to compensate them for the damage they may have suffered. Other penalties include reputation damage, losing customers, etc.
  • Anticipated to be in effect from July 2021 (with compliance needed from this date), most companies have been building campaigns to ensure that they are compliant for many years already though.
  • POPIA recommends use of “Form 4” for consent, you don’t have to use this exact format but do need to ensure that it is substantially the same as form 4. Form 4 is outlined if you visit this link and scroll down.
  • Recipients must have the option to unsubscribe from a database.
  • In South Africa it is advisable for clients to have an in-house information officer for compliance purposes.

Globally: Privacy rules and laws

  • This link outlines the various data protection laws by region globally.
  • There are two key global laws: CASL (Canada) and GDPR (Europe). For global campaigns you it is likely that you will be covered across all regions if you follow these two policies as a guide as they are the most thorough globally, however, if you want to be 100% certain you will need to request legal advice with a trained professional in each region region.


  • At one point, the CASL was known as the strictest set of rules, though that is likely to change each year. I know the Californian version also was strict when it came out (after the CASL) and who knows, perhaps Australia’s is the stricest now, post the huge fight with Google and Facebook and the media empire.
  • Mailchimp has a great summary of requirements for CASL here.
  • Why do I link to CASL? Because, as argued earlier, if you comply with CASL you are likely to comply with all countries privacy laws.



Well, there are two tools I recommend. This sponsored link to Iubenda, which I personally use, and suggest clients do, too. Their free option is great and their ~$50/year option ideal for SME’s. Plus, that link also entitles you to 30% off if you sign up via that link.

If you are a bit bigger and more worried, the South African experts seem to be Michalson’s in Muizenberg, Cape Town. I actually had a very pleasant 30min call with their MD about the whole thing, and as you can see from earlier in the article, have linked out to them often.

They were the ones who told me about a solution for very small businesses, and suggested I put them (as in my clients) with this course by Peter.