Olivia Smith & John Giles
What is the cookie law in South Africa? Many people ask because the law relating to cookies is such a big issue in many other countries. Do you need to get a user’s (aka data subject’s) consent before using cookies? Are there any specific regulations?
What are cookies and why are they used?
Cookies make your life as a website user much easier because you do not have to log in every time you visit the same page. Your online experiences will be personalized to your preferences.
Types of cookies
There are different types of cookies saving different information and for different periods of time. Period cookies are deleted at the end of a web sessions, while persistent cookies have a pre-determined expiry date and will appear until the expiry date is reached.
Does POPI apply?
POPI does not explicitly mention cookies, but POPI applies because:
- a cookie can contain personal information,
- the definition of personal information includes an online identifier, or
- one of the duties of the Information Regulator is to monitor the use of unique identifiers (which includes cookies).
What about my personal information?
Cookies store certain personal information you provide on a website. This personal information can be processed if done so in accordance with the conditions of POPI.
Cookies do not generally store credit card information and account numbers but if they do the information must be protected securely.
Cookies only store information from your browser, they cannot access data on your hard drive. Cookies are text files that cannot transfer viruses to your computer or mobile device.
EU ePrivacy Directive
The EU ePrivacy Directive (as amended by Directive 2009/136/EC) requires a data subject to give prior informed consent.
EU ePrivacy Directive Article 5(3) says, “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information.”
However, you do not need to get consent for cookies that are “strictly necessary for the delivery of a service requested by the user”.
This is contrary to the current South African position where consent is not needed.
South African cookie law position?
What you can do as an owner of a website?
- If your cookies are storing account numbers you must implement security measures to protect the information. Under POPI, the protection of account numbers is very important.
- If you are using cookies, ensure that you have pop ups alerting visitors to your website that cookies are being used.