What is the cookie law in South Africa? Many people ask us because the law relating to cookies is such a big issue in many other countries. Do you need to get a user’s (aka data subject’s) consent before using cookies? Are there any specific regulations? Does South African law require websites to have a cookie notice and policy? Some people call it a cookie banner or a cookie pop-up. The short answer is yes – every website in South Africa that uses any cookies needs a cookie notice and policy – but let us explore the topic in detail.
What are cookies and why are they used?
Cookies are text files transferred from your browser to your computer’s hard drive. They store information about your activity on a browser. Companies worldwide use cookies to monitor user behaviour and to improve website interactivity. Cookies store certain personal information you provide on a website. This personal information should be processed in accordance with the conditions for lawful processing of personal information required by POPIA. Personal information collected using cookies must be safeguarded, and if this includes credit card information, an appropriate level of security must be implemented. Cookies only store information from your browser; they cannot access data on your hard drive. Cookies are text files that cannot transfer viruses to your computer or mobile device.
You will notice when you search for a specific product, ads relating to that product appear on other sites you visit. When you log onto a website that uses cookies and later re-visit it, the cookies allow the website to ‘remember’ you. It will for instance remember items in your shopping cart or that your language preference is English.
Cookies make your life as a website user much easier because you do not have to log in every time you visit the same page. Your online experiences can be personalised to your preferences.
Types of cookies
There are different types of cookies, which save different information for different periods of time. Session cookies are deleted at the end of a web session, while persistent cookies have a pre-determined expiry date and remain until that date is reached.
South African cookie law position?
The personal information that is processed using cookies is protected by POPIA.
The regulator may pass regulations to specifically regulate the use of cookies in South Africa, but the regulator has not indicated that this will happen. The regulator will probably follow international guidelines on cookies (like the recent EDPB guidelines, which ruled that a user merely scrolling on the website does not amount to informed consent).
Cookies are not often used “for a purpose other than the one for which the identifier was specifically intended at collection” and therefore, a responsible party does not need to get prior authorisation to use cookies.
If a responsible party uses cookies for the purpose of direct marketing and the data subject is not a customer of the responsible party, the responsible party must get the data subject’s consent. It will be very hard for any website owner to know who a visitor to its website is, and this practically means that the POPI Act requires a cookie notice and policy. I know everyone hates them, but under current law in South Africa, they are required. Especially in the context of direct marketing, you will need to be granular with your consent wording.
What if the purpose is not direct marketing? Do you still need a cookie notice and policy? We think the answer is yes because a cookie collects personal information and therefore a responsible party must take reasonably practicable steps to ensure that the data subject is aware of the collection. Considering the regulator will probably follow international guidelines on cookies, reasonably practicable steps probably include a cookie notice and policy. Is a cookie banner reasonably practicable? I know many of you will loudly shout no. But until the global picture changes, I don’t think the position will change in South Africa either. However, even if the EU changes its laws to scrap cookie pop-ups, in South Africa they will still be required for direct marketing (unless Parliament changes POPIA itself). Only cookies which are strictly necessary (essential) for the operation of your website can be pre-checked and do not need the user’s explicit consent.
Pop-up cookie notices do not need to be annoying and detract from your user experience though. We recommend the notice appears every few months at what you would deem user-friendly intervals. If your purpose for using the cookies changes or you introduce new types of cookies, then you would need to get the user’s consent again. Another recommended route would be to add a “Cookie Preferences” link to your footer, where users can easily update their cookie preferences after they have accepted or declined their use initially.
POPIA requires a cookie notice and policy
Does POPIA apply to cookies in South Africa?
Yes. POPIA does not explicitly mention cookies, but POPIA does apply.
- A cookie can contain personal information
- The definition of electronic communication means “any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient” (which can include cookies).
- The definition of personal information includes an online identifier (which can include cookie identifiers).
- The definition of a unique identifier “means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party” (which can include cookie identifiers).
- If personal information (including by using cookies) is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of many things (section 18).
- One of the duties of the Information Regulator is to monitor the use of unique identifiers and make recommendations to Parliament on the need to take legislative, administrative, or other action (section 40(1)(b)(vii)).
- The regulator must consider any developing general international guidelines relevant to the better protection of individual privacy (section 44(1)(d)).
- The “responsible party must obtain prior authorisation from the Regulator … prior to any processing if that responsible party plans to process any unique identifiers of data subjects:
  - for a purpose other than the one for which the identifier was specifically intended at collection; and
  - with the aim of linking the information together with information processed by other responsible parties” (section 57).
- Direct marketing by means of unsolicited electronic communications to prospects requires consent (section 69).
The current EU ePrivacy Directive
The EU ePrivacy Directive (as amended by Directive 2009/136/EC) requires a data subject to give prior informed consent. EU ePrivacy Directive Article 5(3) says, “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information”
The Directive is not a law, but failure to follow the Directive will lead to action being taken against the Member State. Member States must implement the Directive into local laws.
Even if a business is not in the EU, its customers might be. It must get its clients’ consent to use cookies. The EU requires data subjects to opt in to the use of cookies. However, you do not need to get consent for cookies that are “strictly necessary for the delivery of a service requested by the user”.
South Africa is therefore very much in line with the current EU position. The new ePrivacy Regulation might change the position and it will then be interesting to see if South Africa also changes to stay in line with the EU.
Privacy policy or cookie policy
Have you read the privacy policy of the websites you visit? Do they mention the use of cookies? Find out if they use cookies and what they use the cookies for. Companies sometimes refer to the use of cookies in their privacy policy and these privacy policies should be readily available to users. If you are the owner of a website that uses cookies and collects personal information about the data subjects, you really need a privacy policy and a cookie policy. They are two different subjects that should be dealt with separately. Your cookie notice should also provide a link to your cookie policy.
Personal information is important to people and users will feel safe knowing you are protecting their information. A cookie policy can help you achieve this trust. You should also inform your users of how you secure information they have entrusted to you.
What can you do as the owner of a website?
- Comply with the law by having an up-to-date cookie notice and policy by joining the Michalsons data protection programme and be empowered to do it yourself or by asking Michalsons to draft them for you.
- Get consent from visitors through pop-ups by asking for our advice.
- Read up more on the latest EDPB guidelines (EU).
- Use software to manage your cookies by asking us to recommend software for you.
- Cookie law in South Africa will develop in the future. To be alerted to updates subscribe to our newsletter.