Filter by Listing Categories
EAT
Coffee Shops
High Tea
New Category
Pet friendly (eat)
Restaurants
Wheelchair friendly (eat)
EXPERIENCE
Activities
Cycling
Golf
Hiking
Ocean Adventures
Photography
Train Rides
Adrenaline
Animal Encounters
Archaeology
Art & Galleries
Beaches
Bird Watching
Cigar Tasting
Conferences Venues
Family Fun & Entertainment
Game Farms
Gin Tastings
Guided Tours
Horse riding
Law firms
Local Businesses
Museums
Other
Pet friendly (experience)
Rainy Days
Real Estate Agents
Shopping
Spa & Beauty
Tour Guides
Tour Operators
Transport
Weddings Venues
Wheelchair friendly (experience)
Wine tastings
STAY
Bed & Breakfast
Boutique Hotel
Camping
Game Farms (Stay)
Guesthouses
Hotels & Resorts
Pet friendly (stay)
Self-Catering
Wheelchair friendly (stay)

Cookie policy

1. Every website in South Africa that uses any cookies needs a cookie notice and policy, because a cookie can contain personal information and if personal information (including by using cookies) is collected it should be processed in accordance with the conditions for lawful processing of personal information required by the POPI Act, and there must be a lawful basis for the processing of the personal information.

2. That means –

a) the data subject to be notified that personal information about him/ her or it is being collected and where the information is not collected directly from the data subject, the source from which it is collected [section 18(1)(a)];
b) the data subject must consent to the processing – lawful basis for processing [section 5(a)].

3. Consent in terms of the POPI Act means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

4. The steps referred to in paragraph 2 must be taken –

a) if the personal information is collected directly from the data subject, before the information is collected (the reason for a cookie notification) unless the data subject is already aware of the information referred to in that subsection; or
b) in any other case, before the information is collected or as soon as reasonably practicable after it has been collected [section (18(2)] 3.3

5. The expectation is that the Information Regulator may pass regulations to specifically regulate the use of cookies in South Africa, but the regulator has not indicated that this will happen. Considering the Information Regulator will probably follow international guidelines [like the recent European Data Protection Board (EDPB) guidelines adopted on the 4th of May 2020] on cookies, reasonably practicable steps probably include a cookie notice and policy.

6. Why a separate Cookie Notification / Policy and Privacy Policy?

a) Companies sometimes refer to the use of cookies in their privacy policy.
b) Privacy Policy and a Cookie Policy are two different subjects that should be dealt with separately. The Cookie Policy deals specifically with the use of cookies on your site, whereas the Privacy Policy is a general document regarding all of the personal information processes on a website, including contact forms, mailing lists, etc.
c) Cookies are a potential privacy risk, because they are able to track, store and share user behaviour.
d) Whereas most of the remaining Privacy Policy may be static, the cookies used on a website are dynamic and might change often.
e) The majority of the cookies in operation on a website are usually set by third parties, i.e. have another provenance than the website itself.
f) A cookie notification and policy are also the international standard as most websites already have cookie notices and policies. The risk of not having one may mean that visitors to your website will think that you are immature from a compliance perspective. They may also get the impression that you simply don’t take privacy seriously. This may have a serious impact on your reputation.

7. Who is responsible for the cookie notification and policy?

a) In terms of the POPI Act the responsible party may only be processed personal information if there are a lawful basis for the processing. One of the lawful basis’s is if the data subject or a competent person where the data subject is a child consents to the processing.

8. Requirements to be POPI compliant:

a) Know of all cookies and trackers in operation on your website, so that you can inform users of their why you use cookies, type, purpose and the option to withdraw consent – informed consent.
b) Block all cookies (apart from necessary cookies) until the users have given their voluntary, specific and informed consent to which they will allow activated. This means –
i. No pre-ticked checkboxes on your cookie notification.
ii. Scrolling and continued browsing is not valid consent – must be specific.
iii. Cookie walls are non-compliant for obtaining consent – must be voluntarily.
c) Offer users the possibility of selecting the activation of some cookies and not others.
d) Implied consent is also no-go. Statements such as ‘by continuing to use this website you are agreeing to cookies’ should not be used as they do not meet the requirements for valid consent required by the POPI Act.
e) Make it as easy for the data subject to withdraw their consent as it was for them to give it in the first place – the data subject or competent person may withdraw his, her or its consent at any time.

Share This