POPI and your website

You will probably be familiar with the popups that have been appearing on websites over the past two or more years asking you to click OK to accept cookies. These were introduced in response to Europe’s GDPR, and now we need to do the same. POPIA doesn’t explicitly state that websites have to present cookie notices, but most interpretations of the law say that their use is implied. (PS – cookies are small bits of data generated by a website and kept in the visitor’s browser. This enables websites to remember information about the visitor, for example, the items they added to a shopping cart.) If your site is only using necessary cookies (those that enable the website to function) and is not doing Google or Facebook remarketing, then you can probably get away without having a cookie notice because you are not sharing personally identifiable information with anyone. That said, our advice at the time of writing this (July 2021) is that you should install a simple popup that also links to your privacy policy (discussed later in this article).

Before discussing which popup plugins to use, we need to say a few words about Google Analytics and your website statistics.

Google Analytics and POPI compliance

One of the main non-essential cookies affected by cookie consent popups is your Google Analytics tracking code. If a user chooses to reject all non-essential cookies, your tracking code will not be loaded and their visit will not be registered in your website statistics. Clearly, this is something we want to avoid, as accurate stats are essential to running a business. There are two ways to make Analytics GDPR/POPI compliant:

  1. Automatically anonymize or disable personal data tracking (and avoid the necessity of asking permission to track visits)
  2. Use a cookie notice to get explicit consent

The two methods are explained in detail in this article by Monster Insights. We’ll summarise its main points here, beginning with Option 1 – Automatically anonymize or disable personal data tracking. The basic Google Analytics installation is actually very close to being transparent in a GDPR and POPIA sense. Most of the data that is collected is already anonymised and cannot be used to identify any particular user. The one exception is that Analytics knows the general location of the visitor based on their computer’s IP address. So what you can do is tell Analytics to anonymise IP addresses as well. You do this by inserting a function in the Analytics tracking code on your website. Read about how to anonymise IP address data.

The great advantage of doing this simple operation is that you can continue using Analytics WITHOUT having to ask users for permission to track them. In other words, you can either dispense with a cookie notice altogether (probably not recommended) or just have an OK/Accept option in your cookie notice without any option to reject cookies. This is the solution we are using for our own websites where we have a basic Analytics installation and are not using remarketing.

If you are using any kind of remarketing (i.e., you have a complex installation), you need to use option 2, which is a detailed cookie notice asking visitors to consent to being tracked. Carry on reading for advice on choosing a detailed cookie notice.
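The two options above can be written as a small decision function. This is an added example, not code from the original article or from Google. The cookie name `cookie_consent`, its `accepted`/`rejected` values and the `site.remarketing` flag are assumptions made for the illustration; `anonymize_ip` is the gtag.js setting for Universal Analytics properties.

```javascript
// Added example. CONSENT_COOKIE, its values and site.remarketing are assumptions.
const CONSENT_COOKIE = 'cookie_consent';     // hypothetical cookie written by the consent popup
const GTAG_CONFIG = { anonymize_ip: true };  // gtag.js (Universal Analytics) IP anonymisation

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;                    // skip fragments without a value
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    // Keep the raw value if it is not valid percent-encoding.
    try { cookies[name] = decodeURIComponent(raw); } catch (e) { cookies[name] = raw; }
  }
  return cookies;
}

// Decide which scripts may load for this visitor.
function analyticsPlan(site, cookieString) {
  const consent = parseCookies(cookieString)[CONSENT_COOKIE];
  if (site.remarketing) {
    // Option 2: nothing non-essential loads until the visitor has explicitly
    // accepted. A missing or unknown value counts as "not consented".
    const accepted = consent === 'accepted';
    return { loadAnalytics: accepted, loadRemarketing: accepted,
             gtagConfig: accepted ? GTAG_CONFIG : null };
  }
  // Option 1: basic installation with anonymised IPs, counted without asking.
  return { loadAnalytics: true, loadRemarketing: false, gtagConfig: GTAG_CONFIG };
}

// Apply the plan using the page's gtag function (passed in so this runs anywhere).
function applyPlan(plan, measurementId, gtag) {
  if (!plan.loadAnalytics) return false;     // tracking code is never initialised
  gtag('js', new Date());
  gtag('config', measurementId, plan.gtagConfig);
  return true;
}
```

In the browser, `cookieString` would be `document.cookie` and `measurementId` your own property ID.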

Choosing cookie notice plugins

Your main question here will be how much detail your cookie popup should present. For many small businesses, a simple strap along the top or bottom with buttons to accept or reject cookies and a link to the privacy policy will suffice. If you’ve anonymised IP addresses as described above, you can probably also dispense with the Reject cookies option. Just be open about what other cookies users will be accepting, e.g. social sharing cookies (put this in your privacy/cookie policy). However, if you are using remarketing on Google, Facebook or any other platform then you need to tell people you are doing so and give them the opportunity to opt out of the cookies (remarketing is where your adverts follow people around the web, e.g. someone visits your site and the next thing they are seeing your ads on Facebook). This is definitely something you want to give your visitors the opportunity of avoiding, so it can be a good idea to have a detailed popup rather than simple OK/Accept or No/Reject buttons.

Simple cookie consent

For a simple cookie popup for a WordPress website, you can try the very popular Cookie Notice & Compliance by hu-manity.

It’s free to use and is quite simple to install and set up. There are other similar plugins in the WordPress plugin repository that will also do a good job. Here’s an example of the cookie consent popup created using the Cookie Notice & Compliance plugin.

Detailed cookie consent

If you need a WordPress popup that offers cookie selection, you can try Cookiebot. We haven’t used it yet, but we like it already because it is free and because it incorporates POPI and not just GDPR. The premium version is 9 euros/month and allows you to customise the popup. You can also try the paid version of Cookie Notice & Compliance by hu-manity at around $14/month.

Cookiebot’s plugin for POPI compliance

Privacy policy and cookie policy

POPIA does not explicitly require privacy and cookie policies, but publishing them is an efficient way to comply with the requirements for openness and getting consent. Your privacy policy tells website visitors how the information they supply through contact forms, subscription forms and blog comments will be used. The cookie policy tells visitors what cookies your site uses.

For bigger sites, the cookie policy and privacy policy are sometimes separate pages because they are very precise and have lots of detail, but for smaller sites like this one (webrabbit.co.za) you can combine privacy and cookies into one statement.

There is no set form for either the privacy policy or the cookie policy, so the first bit of advice we can give is simply to follow what sites in Europe have been doing for GDPR. You can Google “GDPR privacy/cookie policy template” and find examples. However, we have found that these tend to be a bit more verbose than we need for our very simple sites. All you really need is to tell visitors who you are, what information you collect, where you send it (if you send it anywhere) and how you keep your website secure. You also need to tell people how to contact you to request deletion of any data (more on this below). For a really simple privacy policy, you are welcome to use ours and adjust it where necessary. We can’t be absolutely certain it will satisfy the Regulator, but until they come out with definite guidelines it should do the job OK.

Dealing with requests for data deletion

Your WordPress website provides an automated function to export or delete information relating to particular users. If someone contacts you to request details of their data or to ask for their data to be deleted, ask them for the email address they used when interacting with your site. Then log into your WordPress dashboard and go to Tools > Export Personal Data or Tools > Erase Personal Data. You will be asked to enter the user’s email address to locate the data, and you can then export it or delete it.

Delete or export user data

Whatever you do … don’t panic!

We know all of this can seem quite overwhelming for business owners and you might be feeling some concern over the need to do POPI absolutely right to avoid trouble. However, from our research, we have found various POPI authorities admitting that the whole thing is a bit of a mystery and that everyone is proceeding by trial and error. So our position right now is not to panic but just to make sure we are applying the basic principles of transparency, honesty and care when dealing with client information and website visitors. If you don’t do anything to annoy people and you make an effort to be compliant, it is unlikely you will receive a call from the Regulator. Naturally, the bigger you are as a company and the more client information you process, the more stringent the requirements become and you are well advised to spend money on specialist advice. For the majority of our website clients and the thousands of small and micro enterprises in South Africa, the general advice in this series of articles should suffice to get you broadly compliant with POPI.

If you have a more complex business and you want to be sure of your POPI implementation, try the following:

Read Part 1 of this article: Introduction to POPIA