In July 2023 South Africa's Information Regulator issued its first administrative fine under POPIA, R5 million against the Department of Justice and Constitutional Development, after a 2021 security breach exposed roughly 1,200 files of personal information. The Regulator has since said openly that more fines are coming. For anyone running a website that serves South African visitors, that changes the maths on cookie consent.
This guide covers how the Protection of Personal Information Act (POPIA) applies to cookies and tracking, what section 69 requires for marketing, the changes in the 2025 amended Regulations, and what non-compliance costs.
What POPIA is, and who enforces it
POPIA is the Protection of Personal Information Act 4 of 2013. Its operative provisions took effect on 1 July 2020 with a one-year grace period, so full compliance has been mandatory since 1 July 2021. The law is enforced by the Information Regulator, an independent body established under section 39 of the Act. The Regulator also administers the Promotion of Access to Information Act (PAIA), so the same office handles both privacy and access-to-information complaints.
POPIA applies to any "responsible party" that processes personal information in South Africa, including foreign companies that process data using means inside the country. If your site drops cookies on visitors browsing from South Africa, you're inside its scope.
Are cookies personal information under POPIA?
POPIA defines personal information broadly. It covers any information relating to an identifiable person, and its definition explicitly includes online identifiers. A cookie that assigns a persistent ID, an advertising pixel, or a fingerprinting script that singles out a device is processing personal information the moment it can tie activity back to a person. Strictly necessary cookies that only keep a session alive or remember a language choice sit on much safer ground, because they don't build a profile.
POPIA sets eight conditions for lawful processing. Two matter most for cookies. Consent under POPIA has to be a voluntary, specific and informed expression of will (section 1). And processing has to be minimal and purpose-specific, so you can't collect tracking data "just in case". A pre-ticked box or a banner that only offers "OK" fails the voluntary and specific test.
Continuing to browse is not consent
POPIA requires a voluntary, specific and informed expression of will. A visitor scrolling past a notice, or a banner that says "by using this site you agree", does not meet that standard for non-essential cookies. If your only options are "Accept" or closing the tab, you haven't collected valid consent. Give a genuine reject control at the same level as accept.
Section 69: the direct marketing rule that catches trackers
Section 69 is where cookie-based advertising gets specific. It prohibits direct marketing by unsolicited electronic communication unless the person has given prior consent, with a narrow exception for existing customers being marketed similar products. In December 2024 the Information Regulator published a Guidance Note on direct marketing to clarify its position after a wave of complaints, and the 2025 amended Regulations reinforced it.
The key point from the 2025 Regulations (published 17 April 2025): an opt-out mechanism does not count as valid consent. Offering people a way to unsubscribe later doesn't retroactively make the initial processing lawful. For advertising and remarketing cookies that feed electronic marketing, that means opt-in first, then activate the tags.
What a POPIA-ready cookie banner looks like
The Act doesn't prescribe a banner design, so you work from the consent definition and the Regulator's guidance. In practice that means:
- Block non-essential cookies until consent. Analytics, advertising and social cookies should not fire before the visitor agrees.
- Offer a real choice. Accept and reject controls with equal prominence, plus granular category controls so people can accept analytics but decline advertising.
- Explain before you set. Say what each category does and who receives the data, and link to a cookie or privacy notice.
- Make withdrawal easy. POPIA gives data subjects the right to withdraw consent, so a persistent way to reopen preferences is expected.
- Keep records. You should be able to show, per visitor, what they agreed to and when.
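The five points above, worked through as an added example that is not CookieBeam's or the Regulator's code: a small opt-in consent gate in which non-essential tags stay blocked until an explicit per-category choice, a scroll or page load on its own fires nothing, withdrawal is honoured, and every decision is logged with a timestamp. The category names and the in-memory log are assumptions for illustration.

```javascript
// Added example (not CookieBeam's or the Regulator's code): an opt-in consent gate
// for non-essential cookie categories. Category names and the in-memory log are
// constructed for illustration; a real site would persist the log server-side.
const CATEGORIES = ["analytics", "advertising", "social"];

function createConsentGate(now = () => new Date().toISOString()) {
  let granted = new Set();        // default state: no non-essential category allowed
  const pending = new Map();      // category -> tag loaders waiting for opt-in
  const log = [];                 // per-visitor evidence: what was chosen and when

  function record(event, categories) {
    log.push({ event, categories: [...categories], at: now() });
  }
  // Register a tag (analytics script, ad pixel, ...). It fires only once its
  // category has been granted; registering it, like scrolling, fires nothing.
  function registerTag(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (granted.has(category)) return loader();
    if (!pending.has(category)) pending.set(category, []);
    pending.get(category).push(loader);
  }
  // Apply an explicit choice such as { analytics: true, advertising: false }.
  // Only a literal true counts as consent; anything absent or unticked is a refusal.
  function decide(choice) {
    granted = new Set(CATEGORIES.filter((c) => choice[c] === true));
    record("decision", granted);
    for (const c of granted) {
      (pending.get(c) || []).forEach((fn) => fn());
      pending.delete(c);
    }
  }
  const acceptAll = () => decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
  const rejectAll = () => decide({});
  // Withdrawal stops future loads and is logged; it cannot unload scripts that
  // already ran, which is why blocking before consent matters.
  function withdraw() {
    granted = new Set();
    record("withdrawal", []);
  }
  const isAllowed = (category) => granted.has(category);
  const records = () => log.map((e) => ({ ...e, categories: [...e.categories] }));
  return { registerTag, decide, acceptAll, rejectAll, withdraw, isAllowed, records };
}
```

The `records()` output is the per-visitor "what and when" evidence the last bullet asks for; pair it with a stable visitor identifier and store it where it can be produced on request.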
Penalties and enforcement
POPIA's most serious offences carry a fine of up to R10 million, imprisonment of up to 10 years, or both. The Information Regulator can also issue enforcement notices, and failure to comply with an enforcement notice is itself an offence. The 2025 amended Regulations added a practical wrinkle: organisations can now apply to pay administrative fines in instalments where their financial circumstances justify it, which signals the Regulator expects to be issuing more of them.
The R5 million fine against the Department of Justice was about security, not cookies. But it established that the Regulator will act, and its 2024 to 2025 focus on direct marketing complaints puts tracking-based advertising squarely in view.
Where CookieBeam fits
CookieBeam's regional rules let you set a distinct banner, text and behaviour for visitors browsing from South Africa, so an opt-in flow can apply there while other regions use their own model. Per-purpose consent logging records exactly which categories each visitor accepted or declined, with a timestamp, which is the kind of evidence the Information Regulator's consent standard expects. You configure the region and the categories; the banner blocks non-essential tags until the visitor chooses.
Related guides
POPIA sits in a wider group of opt-in regimes outside the EU. If you serve visitors across several of them, see cookie consent laws around the world for the full map, and running one banner across a global audience for the mechanics. For neighbouring frameworks, compare Brazil's LGPD and Nigeria's NDPA.
Primary sources: Information Regulator (South Africa), inforegulator.org.za; Protection of Personal Information Act 4 of 2013, sections 1 and 69; Information Regulator Guidance Note on Direct Marketing (December 2024) and the amended Regulations (April 2025).