Is Your Cookie Banner POPIA Compliant? How to Check in 5 Minutes
Most South African cookie banners fail POPIA in the same three ways. Here is what the Act actually requires, and how to test any website yourself using nothing but your browser.
A reader asked a very good question
A reader wrote to us recently to make a point about a South African website's cookie banner. Users, he argued, were being given no genuine way to say no. They could accept, or they could accept. And "required" cookies, in his view, were not actually required at all.
It is a sharper question than it looks, because it goes to the heart of what POPIA means by consent. So we went and tested it. Then, because it would have been hypocritical not to, we ran the same test on our own website and found something we had to fix.
Here is what we learnt, and how you can check your own site in about five minutes.
First: are cookies even personal information?
This is where most arguments start, and POPIA settles it in the definitions. Section 1 defines personal information to include "any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person".
An analytics cookie exists precisely to assign a persistent identifier to a visitor so their behaviour can be recognised across pages and visits. That is an online identifier doing exactly what the definition describes. So yes: if your site sets analytics or advertising cookies, you are processing personal information, and POPIA applies.
We covered the broader question of whether you need a cookie policy separately. This article is about the banner itself.
What POPIA requires for valid consent
Section 1 defines consent as "any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information". Section 11(2)(b) adds a fourth requirement: the data subject "may withdraw his, her or its consent... at any time".
Those four words are the whole test:
- Voluntary: the person must have a real choice. If refusing is impossible, or so buried that nobody finds it, the consent is not voluntary.
- Specific: consent to analytics is not consent to advertising. Lumping everything behind one button weakens it.
- Informed: the person must know what they are agreeing to before they agree.
- Withdrawable: and this is the one almost everyone forgets. Consent that cannot be taken back is not consent, it is a trap. If your banner appears once and never returns, ask yourself how a visitor would change their mind next week.
One important nuance: consent is not the only lawful basis. Section 11 also allows processing that is necessary to perform a contract, to comply with a legal obligation, or for legitimate interests. This is why a session cookie that keeps someone logged in is genuinely different from a Google Analytics cookie. The first is necessary for the service the person asked for. The second is not, and that is the distinction our reader was reaching for. Labelling analytics as "required" does not make it so.
How to test any website in 5 minutes
You do not need a compliance consultant for this. You need a browser.
- Open a private or incognito window, so you arrive as a genuine first-time visitor with no history.
- Go to the website. Do not click anything. Not the banner, not "accept", not even "reject".
- Open developer tools (F12, or right-click and choose Inspect).
- Go to the Application tab (Chrome or Edge) or Storage (Firefox), then click Cookies.
Now look at what is already there. Anything starting with _ga is Google Analytics. _fbp is the Meta pixel. _gid, _gcl_au and similar are the same family of tracking identifiers.
If those cookies are present before you clicked anything, then tracking started before consent was given. Whatever the banner says, the processing already happened.
For the second test, find the site's cookie banner and try to say no. Is there a reject option at all? Is it as easy to find as the accept button? And for the third test, the one most sites fail: having made a choice, try to change it. Look for a "Cookie settings" or "Manage cookies" link, usually in the footer. If there is not one, that site has no withdrawal mechanism.
What we found on the Information Regulator's website
We ran exactly that test against inforegulator.org.za, the website of the body that enforces POPIA, on 17 July 2026. We are reporting what we observed on that date, and we would be glad to see it change.
As a first-time visitor, with nothing clicked:
- Google Analytics cookies (
_gaand_ga_8K6S5ENZ39) were set on page load, along with a WordPress.com statistics cookie (tk_ai). - A page view had already been transmitted to
google-analytics.com, carrying a persistent client identifier. - There was no cookie banner at all. Not a bad one. None. The page does not contain the word "cookie".
So our reader was right about the principle, though the reality turned out to be different from what he described: there is no consent mechanism to criticise, because there is no consent mechanism.
We want to be fair about how this happens, because it is not villainy. It is WordPress. A plugin gets installed to see visitor numbers, it adds Google Analytics automatically, and nobody revisits the question. That is the single most common way a South African website ends up tracking people without consent, and it is exactly why we are writing this as a how-to rather than a complaint. If it can happen to the Regulator, it can happen to you.
Then we tested ourselves, and failed
It would have been easy to publish the paragraph above and stop. So before we did, we ran the same test on POPIA Ready.
We passed the first two tests. Our banner offered a real "Essential Only" choice, and analytics only ran with consent. But we failed the third, and we failed it against our own advice. Our compliance guide tells readers, in as many words, to "allow users to withdraw consent at any time" and to "make it easy for people to withdraw consent".
Our banner did neither. You clicked once, your choice was saved, and the banner never came back. There was no cookie settings link anywhere on the site. A visitor who accepted on Monday and regretted it on Tuesday had no way to change their mind, which is precisely what section 11(2)(b) gives them the right to do.
We have since fixed it, and we went further than the minimum:
- There is now a Cookie settings link in our footer that reopens the banner and shows your current choice.
- Withdrawing consent does not merely record a preference. It deletes the analytics cookies already on your device. A withdrawal that leaves the tracking in place is a label, not a right.
- We no longer load Google Analytics at all until you accept. Previously we loaded it in a consent-aware mode that still contacted Google. Now, if you have not consented, your visit involves no request to Google whatsoever.
You can verify every one of those claims using the five-minute test above. We would rather you checked than took our word for it.
The checklist
Run this against your own site today:
- No non-essential cookies before consent. Test in incognito and click nothing. If
_gais there, your banner is decorative. - A real way to refuse. Rejecting should be as easy as accepting, and on the same screen. No dark patterns, no hunting.
- Do not call optional cookies "required". Strictly necessary means the site cannot function without it. Analytics is not that, however much you want the numbers.
- A withdrawal mechanism. A visible, permanent link that reopens the choice. This is the one most sites are missing.
- Withdrawal that actually revokes. Stop the tracking and delete the cookies already set.
- A cookie policy that matches reality. If it lists cookies you no longer use, or omits ones you do, it is not describing your site.
If the fourth and fifth points are new to you, you are in the majority, and you are in good company. That is the point of this article rather than a reason to feel bad.
Where to start
Cookie consent is one part of POPIA, and usually not the hardest. If you want the fuller picture, our guide to managing consent under POPIA covers the other lawful bases and when consent is not the right tool, and our free POPIA checklist will tell you in a few minutes which parts of the Act your website is currently missing.
When you are ready to get the paperwork right, POPIA Ready generates a cookie policy alongside six other documents customised to your business, including the services you actually use. The documents are the easy part though. The banner is where the compliance really lives, and no generator can click "Accept All" on your behalf.
Our thanks to the reader whose email prompted this article. He asked a question we could not answer without checking ourselves first, which is the best kind of question.
Get Compliant Today
Don't risk fines or reputational damage. Generate professional, POPIA compliant legal documents for your website in 60 seconds.
Generate Documents - Free to Preview