South Africa

Can you place cookies without consent?

Yes. The use of cookies and/ or processing personal information by means of cookies is not currently regulated in terms of South Africa’s data protection legislation, the Protection of Personal Information Act 4 of 2013 (“POPIA”), or otherwise.

As such, the general principles for lawfully processing personal information under POPIA will apply where the use of any cookies on a particular website contains personal information/ data which can be used to identify the end-user. This includes, amongst other things, the need to process personal information using cookies on a lawful basis (i.e. consent, contract, legal obligation, or legitimate interest).

Consent is only one of the lawful bases on which data controllers can process personal information in the context of cookies, but it is not the gold standard or silver bullet and it is possible to rely on any of the other lawful bases outlined above.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes. Although there are no specific rules, laws or regulations regarding the use of cookies in South Africa, the general principles for processing personal information lawfully in South Africa are generally adhered to in practice. This is because: (i) POPIA is a new piece of legislation which relatively recently became enforceable (on 1 July 2021); and (ii) there has been a fair degree of misunderstanding and fear around compliance rules and possible consequences under POPIA.

Are there any exemptions if consent is required?

N/A

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Yes, provided that a data controller takes reasonably practicable steps to ensure that data subjects are made aware of the automatic enablement of these categories of cookies; the information that may be stored/ otherwise processed using these cookies; and the purpose for which these cookies are used. This is typically done in the form of a privacy notice/ privacy policy, but also in the form of website pop-up notifications.

That said, to the extent that a data controller relies on consent as the lawful basis on which to process personal information using cookies, it must be possible for a data subject to refuse to give his or her consent in this regard without any negative consequences arising from such refusal (e.g. the data subject should not be barred from using the website/ services if he or she refuses his or her consent). An example of the ability to refuse certain categories of cookies is where a website pop-up notification allows a user to select only strictly necessary cookies and opt-out of any other types of cookies.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No. Under POPIA, consent is required to be a voluntary, specific and informed expression of will given by the data subject. Although the South African data protection regulator, the Information Regulator, has not published any guidance on consent, the guidance applicable in the EU is useful given that (i) the GDPR is international best practice; and (ii) POPIA is very similar to the old EU Data Protection Directive 95/46/EC which was repealed and replaced by the GDPR. In other words, consent (i) must be express, not implied; (ii) must be voluntary, (iii) is a real choice by the data subject, and (iv) is not the gold standard or “silver bullet” to be relied on when processing personal information and data controllers must respect if a data subject refuses his or her consent.

Can you set cookies without a cookie notice? 

Yes. There is no requirement under POPIA, or otherwise, which requires a data controller to have a cookies notice in place (particularly given that cookies are not expressly regulated under POPIA). It will be sufficient if a data controller’s data processing activities in respect of cookies is covered in its general privacy notice/ policy. That said, it is good practice to have a standalone cookie notice.

Can you set cookies without a cookie banner/ management tool?

Yes. Given that cookies are not expressly regulated under POPIA or otherwise, there are no restrictions in this regard, although it is good practice to set cookies using a cookie banner/ management tool for the reasons set out previously.

Are you able to use cookie walls? 

No. Although cookies are not expressly regulated under POPIA, based on the general principles under POPIA, cookie walls would not be true consent because it does not give the user a real choice i.e. the ability to consent to certain types of cookies or refuse to consent to certain types of cookies.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

No. Given that POPIA does not expressly regulate cookies, the Information Regulator has not taken any enforcement action in the context of cookies specifically.

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

None that we are aware of.