
POPIA Compliance for E-Commerce and Online Stores in South Africa

Online Stores Collect More Data Than You Think

If you run an e-commerce website in South Africa, you are almost certainly collecting a large volume of personal information. Every order involves names, email addresses, phone numbers, physical delivery addresses, and payment details. POPIA classifies all of this as personal information, and it places significant obligations on how you handle it.

The Legal Documents Every Online Store Needs

Under POPIA and the Electronic Communications and Transactions Act (ECTA), a South African e-commerce website needs several essential legal pages:

  • Privacy Policy: Explains what data you collect and why. This is your most critical POPIA document. See our guide on how to write a privacy policy.
  • Terms and Conditions: Covers your rules of sale, liability limitations, and dispute resolution process.
  • Refund Policy: Required under the Consumer Protection Act (CPA). Customers have a 7-day cooling-off period for online purchases.
  • Cookie Policy: Required if you use any analytics or marketing tracking. Learn more in our cookie policy guide.

Checkout Page Compliance

Your checkout page is the most data-intensive part of your site. To be compliant:

  • Only collect information that is strictly necessary for completing the order.
  • Include a mandatory checkbox linking to your Privacy Policy and Terms.
  • If you have a "subscribe to newsletter" checkbox, it must be unticked by default.
  • Display your SSL/TLS security status (HTTPS and the browser padlock) prominently to build trust.

Payment Data: You Are Probably Not Storing It

Most South African online stores use payment gateways like PayFast, Yoco, or Peach Payments. These gateways process credit card details on their own PCI-compliant servers, meaning the card data never touches your website, provided you use the gateway's hosted or redirect checkout rather than collecting card numbers in your own forms. However, you must still disclose in your Privacy Policy that you use a third-party payment processor and name them.

Shipping and Delivery Data

When you share a customer's name and delivery address with a courier company, you are transferring personal information to a third party. You must disclose this in your Privacy Policy and ideally have a data processing agreement with your courier partner.

Data Retention for E-Commerce

You cannot keep customer order data forever. POPIA's Storage Limitation principle requires you to delete data once it is no longer needed. However, SARS requires you to keep financial records for 5 years, and the Consumer Protection Act requires you to keep records of transactions for 3 years. Read our full data retention guide for more.

Get All Your E-Commerce Legal Pages in One Click

Use POPIA Ready to generate a complete set of legal documents tailored to your online store, including a Privacy Policy, Terms and Conditions, Refund Policy, and Cookie Policy.

Get Compliant Today

Don't risk fines or reputational damage. Generate professional, POPIA compliant legal documents for your website in 60 seconds.
