Yes. The use of cookies and/or processing personal information by means of cookies is not currently regulated in terms of South Africa’s data protection legislation, the Protection of Personal Information Act 4 of 2013 (“POPIA”), or otherwise.
As such, the general principles for lawfully processing personal information under POPIA will apply where any cookies used on a particular website contain personal information/data which can be used to identify the end-user. This includes, amongst other things, the need to process personal information using cookies on a lawful basis (i.e. consent, contract, legal obligation, or legitimate interest).
Consent is only one of the lawful bases on which data controllers can process personal information in the context of cookies. It is not the gold standard or silver bullet, and it is possible to rely on any of the other lawful bases outlined above.
Yes. Although there are no specific rules, laws or regulations regarding the use of cookies in South Africa, the general principles for processing personal information lawfully in South Africa are generally adhered to in practice. This is because: (i) POPIA is a new piece of legislation which relatively recently became enforceable (on 1 July 2021); and (ii) there has been a fair degree of misunderstanding and fear around compliance rules and possible consequences under POPIA.
N/A
Yes, provided that a data controller takes reasonably practicable steps to ensure that data subjects are made aware of the automatic enablement of these categories of cookies; the information that may be stored or otherwise processed using these cookies; and the purpose for which these cookies are used. This is typically done in the form of a privacy notice/privacy policy, but also in the form of website pop-up notifications.
That said, to the extent that a data controller relies on consent as the lawful basis on which to process personal information using cookies, it must be possible for a data subject to refuse to give his or her consent in this regard without any negative consequences arising from such refusal (e.g. the data subject should not be barred from using the website/services if he or she refuses his or her consent). An example of the ability to refuse certain categories of cookies is where a website pop-up notification allows a user to select only strictly necessary cookies and opt out of any other types of cookies.
No. Under POPIA, consent is required to be a voluntary, specific and informed expression of will given by the data subject. Although the South African data protection regulator, the Information Regulator, has not published any guidance on consent, the guidance applicable in the EU is useful given that (i) the GDPR is international best practice; and (ii) POPIA is very similar to the old EU Data Protection Directive 95/46/EC which was repealed and replaced by the GDPR. In other words, consent (i) must be express, not implied; (ii) must be voluntary; (iii) is a real choice by the data subject; and (iv) is not the gold standard or “silver bullet” to be relied on when processing personal information, and data controllers must respect a data subject's refusal to give his or her consent.
Yes. There is no requirement under POPIA, or otherwise, which requires a data controller to have a cookies notice in place (particularly given that cookies are not expressly regulated under POPIA). It will be sufficient if a data controller’s data processing activities in respect of cookies are covered in its general privacy notice/policy. That said, it is good practice to have a standalone cookie notice.
Yes. Given that cookies are not expressly regulated under POPIA or otherwise, there are no restrictions in this regard, although it is good practice to set cookies using a cookie banner/management tool for the reasons set out previously.
No. Although cookies are not expressly regulated under POPIA, based on the general principles under POPIA, cookie walls would not constitute true consent because they do not give the user a real choice, i.e. the ability to consent to certain types of cookies or refuse to consent to certain types of cookies.
No. Given that POPIA does not expressly regulate cookies, the Information Regulator has not taken any enforcement action in the context of cookies specifically.
None that we are aware of.
None that we are aware of.