Customer Privacy Policy

Customer Privacy Policy 2017-12-07T07:00:56+00:00

You need a privacy policy for customers (a customer privacy policy) if you collect personal information from your customers. The requirement to have a privacy policy broadly covers the personal information you collect about natural or juristic persons (or any identifiable individual), and even applies to personal information you collect from your employees. If you want an expert to review your existing privacy policy, click here.

Broadly speaking, there are two types of privacy policies:

  1. A Customer Privacy Policy (external) which deals with how you process customer personal information; and
  2. An Employee Privacy Policy (internal) which deals with how you process employee personal information.

This article deals with a Customer Privacy Policy. It does not deal with Employee Privacy Policies or any of the other issues that form part of employee privacy, such as geolocation, nor does it deal with personal information policies, procedures and practices.

If you collect personal information (PI) about your customers (or any identifiable individual) through your website or offline, you need to have a privacy policy. A privacy policy should appear on all websites that collect personal information about visitors to the website. However, it should not be limited to your online visitors. If you collect, maintain and use consumer PI in other ways, then the policy should cover that as well.

Factors to consider whilst drafting a Customer Privacy Policy

You have most certainly encountered a maze of privacy policies whilst surfing the Internet, and it is very tempting to simply copy one and cut and paste from it to suit your own needs. Think before you do so, as the maze of privacy policies you encounter is a direct result of legislation and court judgements in other countries that serve to protect personal information. In many instances, that legislation and those poor judgements are of no relevance in South Africa.

Your privacy policy must keep three goals in mind:

  1. The policy must satisfy legal requirements (such as the Protection of Personal Information Act, the Consumer Protection Act and the National Credit Act) and industry requirements (which will be spelt out in various Industry Codes, which POPI makes provision for). Organisations doing business on a global basis must consider a multitude of international privacy laws as well.
  2. The policy must satisfy your business objectives.
  3. The policy must reassure data subjects. Privacy is an emotional issue for most consumers. Many people feel as though there is a full frontal assault on their personal information. They believe they have little or no control over the collection and use of their PI. As a result, a privacy policy must be designed to allay consumers' concerns and make them feel comfortable doing business with your organisation.

Our privacy policy template has been drafted taking points 1 and 3 into account. We can draft a privacy policy specifically for you using our template.

Your privacy policy provides high-level statements of your positions on particular issues, whereas procedures bring those positions down to earth by laying out specific actions and responsibilities.

Please remember the following important pointer: many organisations assume that once their privacy policy is in place, the job is completed. This is a mistake. Every time content or services are added, or website functionalities change, there is a risk of exposing users to privacy breaches. It is critical to every online business that, as the business changes, the policy is reviewed to see whether changes are necessary to meet the new challenges.

What are the benefits of having a privacy policy for customers?

  1. It may reduce the risk of your company being sued for infringing a customer’s right to privacy.
  2. The policy should also ensure that you comply with the law and therefore avoid sanctions for non-compliance.
  3. It will help you gain consumer confidence.
  4. Bad publicity, which can have serious economic consequences, can hopefully be avoided.
  5. Your potential customers will not feel the need to seek out your competitors with better data privacy practices.
  6. A privacy policy should demonstrate good practice and therefore help to attract new customers or to keep existing customers.
  7. A well-drafted privacy policy should also enable you to deal with the personal information of customers in a manner which is beneficial to you.
  8. The personal information relating to your customers is a valuable business asset which should be protected and possibly even developed.

A South African Privacy Policy for Your Use

We have developed a template of a privacy policy specifically for South Africa. Comments for the customisation and implementation of the privacy policy are included as footnotes. The privacy policy is designed to satisfy your requirements regarding the personal information of others and their privacy. Please contact us for further information or if you require a template privacy policy.

Do you collect personal information?

Personal information can be collected by various means and you should carefully analyse the functioning of your business or website to establish if and to what extent you gather personal information. You might even collect personal information without knowing it! Ways in which personal information is collected include:

  • visitors subscribing to a newsletter,
  • a user registering on a blog or forum,
  • users submitting their details via a form,
  • in the process of contracting online,
  • taking orders,
  • through the personalisation of a website by a user,
  • through the use of cookies,
  • monitoring user access and habits,
  • sending or receiving e-mails,
  • SMSs or other similar messages.

Data Privacy in South Africa

Under South African law, an individual’s right to privacy is enshrined in the Constitution of the Republic of South Africa. The Constitution provides that everyone has the right to privacy. However, section 36 limits certain privacy rights where this is “reasonable and justifiable”. No specific standalone legislation dealing with privacy currently exists in South Africa. Specific legislation dealing with privacy and data protection is expected in the future.

The Promotion of Access to Information Act (PAIA) is to an extent relevant to privacy and online privacy policies. The essence of PAIA is that private bodies are required to allow access to their records under certain circumstances. PAIA mandates that “the head of a private body must refuse a request for access to a record of the body if its disclosure would involve the unreasonable disclosure of personal information about a third party”, and the privacy of end users or customers is therefore indirectly protected. In addition, the section of PAIA that deals with the correction of personal information is very relevant to privacy policies.

Until such time as privacy legislation is enacted, we recommend that all companies that collect personal information should have a privacy policy that complies with international best practice and which will most likely comply with future South African privacy legislation. The privacy policy should also comply with the provisions of PAIA and other relevant legislation to the extent that they are relevant.

Some General Comments

A privacy policy is a dynamic document and should be amended as the law relating to privacy and your business develops and changes. Your privacy policy should therefore be reviewed on a regular basis.

It is suggested that you alert users to the fact that their personal information will be dealt with under a privacy policy by way of a clear and prominently displayed notice at the bottom of each webpage of your website.