Consenti

POPIA Compliance Guide

ℹ️Compliance group: opt-in — same opt-in model as GDPR. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.

South Africa's Protection of Personal Information Act (POPIA) — Act 4 of 2013 — came into full force on 1 July 2021. It is enforced by the Information Regulator of South Africa and establishes eight conditions for lawful processing of personal information. POPIA is structurally similar to the EU GDPR and Consenti supports it via regulation: 'popia'.

Official references

The eight processing conditions

ConditionSummary
1. AccountabilityResponsible party must ensure POPIA compliance
2. Processing limitationLawful, minimal, and with consent or another ground
3. Purpose specificationSpecific, explicitly defined purpose required
4. Further processing limitationFurther use must be compatible with original purpose
5. Information qualityData must be complete, accurate, not misleading
6. OpennessData subject must be informed of processing
7. Security safeguardsReasonable technical and organisational measures required
8. Data subject participationRights of access, correction, and deletion

Key requirements for consent

RequirementDetail
Consent modelOpt-in — voluntary, specific, informed, unambiguous
Special informationExplicit consent required (health, religious belief, racial origin, sex life, criminal history, biometrics)
ChildrenUnder-18 requires parental/guardian consent (Section 35)
WithdrawalMust be possible at any time; processing must cease on withdrawal
Information OfficerMust designate an Information Officer registered with the Regulator
EnforcerInformation Regulator of South Africa

POPIA vs. GDPR

GDPRPOPIA
Opt-in requiredYesYes
Lawful bases68 Conditions (broader framing)
Minor threshold16 (Member States may lower)18
DPO equivalentData Protection OfficerInformation Officer (must register)
EnforcerNational DPAs / EDPBInformation Regulator
GPCOptionalNot recognised

Enabling POPIA mode

Frontend widget

ts
new ConsentiSetup({
  core: {
    regulation: 'popia',
  },
})

Profile configuration (dashboard)

json
{
  "regulation": "popia",
  "popia": {
    "informationOfficerEmail": "[email protected]",
    "purposeDescription": "To operate the website and send service emails."
  }
}
ℹ️POPIA Section 18 requires you to notify data subjects of who your Information Officer is. Setting popia.informationOfficerEmail renders this contact in the modal notice footer automatically.

Erasure and access (Section 24)

http
GET    /consenti/api/v1/consent/:visitorId
DELETE /consenti/api/v1/consent/:visitorId