POPIA Compliance Guide
ℹ️Compliance group:
opt-in — same opt-in model as GDPR. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.South Africa's Protection of Personal Information Act (POPIA) — Act 4 of 2013 — came into full force on 1 July 2021. It is enforced by the Information Regulator of South Africa and establishes eight conditions for lawful processing of personal information. POPIA is structurally similar to the EU GDPR and Consenti supports it via regulation: 'popia'.
Official references
The eight processing conditions
| Condition | Summary |
|---|---|
| 1. Accountability | Responsible party must ensure POPIA compliance |
| 2. Processing limitation | Lawful, minimal, and with consent or another ground |
| 3. Purpose specification | Specific, explicitly defined purpose required |
| 4. Further processing limitation | Further use must be compatible with original purpose |
| 5. Information quality | Data must be complete, accurate, not misleading |
| 6. Openness | Data subject must be informed of processing |
| 7. Security safeguards | Reasonable technical and organisational measures required |
| 8. Data subject participation | Rights of access, correction, and deletion |
Key requirements for consent
| Requirement | Detail |
|---|---|
| Consent model | Opt-in — voluntary, specific, informed, unambiguous |
| Special information | Explicit consent required (health, religious belief, racial origin, sex life, criminal history, biometrics) |
| Children | Under-18 requires parental/guardian consent (Section 35) |
| Withdrawal | Must be possible at any time; processing must cease on withdrawal |
| Information Officer | Must designate an Information Officer registered with the Regulator |
| Enforcer | Information Regulator of South Africa |
POPIA vs. GDPR
| GDPR | POPIA | |
|---|---|---|
| Opt-in required | Yes | Yes |
| Lawful bases | 6 | 8 Conditions (broader framing) |
| Minor threshold | 16 (Member States may lower) | 18 |
| DPO equivalent | Data Protection Officer | Information Officer (must register) |
| Enforcer | National DPAs / EDPB | Information Regulator |
| GPC | Optional | Not recognised |
Enabling POPIA mode
Frontend widget
ts
new ConsentiSetup({
core: {
regulation: 'popia',
},
})Profile configuration (dashboard)
json
{
"regulation": "popia",
"popia": {
"informationOfficerEmail": "[email protected]",
"purposeDescription": "To operate the website and send service emails."
}
}ℹ️POPIA Section 18 requires you to notify data subjects of who your Information Officer is. Setting
popia.informationOfficerEmail renders this contact in the modal notice footer automatically.Erasure and access (Section 24)
http
GET /consenti/api/v1/consent/:visitorId
DELETE /consenti/api/v1/consent/:visitorId