Are cookies currently regulated in South Africa?

Olivia Smith & John Giles

What is the cookie law in South Africa? Many people ask because the law relating to cookies is such a big issue in many other countries. Do you need to get a user’s (aka data subject’s) consent before using cookies? Are there any specific regulations?

What are cookies and why are they used?

Cookies are text files transferred from your browser to your computer’s hard drive. They store information about your activity on a browser. Companies worldwide use cookies to monitor customer behavior and to improve interactivity with a website.

You will notice when you search for a specific product, ads relating to that product appear on other sites you visit.  When you log into a website that uses cookies and later re-visit it, the cookies allow the website to ‘remember’ you.

Cookies make your life as a website user much easier because you do not have to log in every time you visit the same page. Your online experiences will be personalized to your preferences.

Types of cookies

There are different types of cookies saving different information and for different periods of time. Period cookies are deleted at the end of a web sessions, while persistent cookies have a pre-determined expiry date and will appear until the expiry date is reached.

Does POPI apply?

POPI does not explicitly mention cookies, but POPI applies because:

• a cookie can contain personal information,
• the definition of personal information includes an online identifier, or
• one of the duties of the Information Regulator is to monitor the use of unique identifiers (which includes cookies).

The personal information that is processed using cookies will be protected by POPI. Once POPI commences, the Information Regulator may publish regulations to regulate the use of cookies in South Africa. Generally speaking, POPI is an opt out law, but South Africa will probably follow the EU ePrivacy Directive and require the user (or data subject) to consent to a website owner using cookies.

What about my personal information?

Cookies store certain personal information you provide on a website. This personal information can be processed if done so in accordance with the conditions of POPI.

Cookies do not generally store credit card information and account numbers but if they do the information must be protected securely.

Cookies only store information from your browser, they cannot access data on your hard drive. Cookies are text files that cannot transfer viruses to your computer or mobile device.

EU ePrivacy Directive

The EU ePrivacy Directive (as amended by Directive 2009/136/EC) requires a data subject to give prior informed consent.

EU ePrivacy Directive Article 5(3) says, “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information.”

The Directive is not a law but failure to follow the directive will lead to action taken against the Member state. Member states must implement the directive into local laws. Even if a business is not in the EU their customers might be. They must get their clients consent to use cookies. The EU requires data subjects to opt in to the use of cookies.

However, you do not need to get consent for cookies that are “strictly necessary for the delivery of a service requested by the user”.

This is contrary to the current South African position where consent is not needed.

South African cookie law position?

In South Africa, there is currently no law regulating the use of cookies. But section 51 of the Electronic Communications and Transactions Act (ECT Act) currently governs the protection of electronic personal information. This provision has similar requirements to what is required under POPI and POPI will repeal it.

Some websites have pop-ups informing you that they use cookies and state that if you do not want information saved, you should leave the website. Others require your specific consent before proceeding. You can also edit your browser settings to block the use of cookies.

Privacy Policy

Have you read the privacy policy of the websites you visit? Do they mention the use of cookies?

Find out if they use cookies and what they use the cookies for. Companies usually refer to the use of cookies in their privacy policy and these privacy policies should be readily available to users.

If you are a owner of a website that uses cookies and collects personal information about the data subjects, you need a privacy policy.

Personal information is important to people and clients will feel safe knowing you are protecting their information. A privacy policy can help you achieve this trust. You should inform your clients of how you secure information they have entrusted to you.

What you can do as an owner of a website?

• If you operate in South Africa and the EU, you might decide to get consent to use cookies even though this is currently not required in South Africa.
• If your cookies are storing account numbers you must implement security measures to protect the information. Under POPI, the protection of account numbers is very important.
• If you are using cookies, ensure that you have pop ups alerting visitors to your website that cookies are being used.