POPIA compliance

The legal requirements

POPIA requires responsible parties (data controllers) to process personal information lawfully, with a valid justification ground. Consent is one of several grounds — but where cookies collect personal information such as identifiers, behavioural data, or location, consent or another lawful basis must be established before processing.

Section 11 sets out conditions for lawful processing. Section 18 requires notification to data subjects about the purpose of collection, and Section 11(3)(d) gives data subjects the right to object to processing and withdraw previously given consent.

POPIA applies to any organisation that processes personal information of data subjects in South Africa, regardless of where the organisation is located.

How CookieBoss helps

• Consent collection

  Non-essential cookies are blocked until the visitor actively consents. Clear, affirmative action — no pre-ticked boxes or implied consent from continued browsing.

• Granular categories

  Visitors choose consent per purpose: necessary, analytics, marketing, and preferences. Each category maps to specific cookies and scripts, meeting POPIA's specificity requirement.

• Easy withdrawal

  A persistent settings link lets visitors change or withdraw consent at any time. POPIA Section 11(3)(d) requires that consent can be withdrawn, and CookieBoss makes this straightforward.

• Audit-ready logging

  Every consent decision is recorded with a timestamp, visitor ID, and the categories chosen. Exportable logs let you demonstrate compliance to the Information Regulator during audits or complaints.

• Geo-targeting for South African visitors

  Show POPIA-compliant consent experiences to visitors from South Africa while applying different rules for EU (GDPR), California (CCPA), or other jurisdictions — all from a single configuration.

• Transparency & notification

  The consent banner clearly communicates what data is collected, by whom, and for what purpose — helping you meet POPIA Section 18 notification obligations.

Responsible party vs. operator

You are the responsible party. You determine the purpose of and means for processing personal information on your website. You are accountable for ensuring your site's overall POPIA compliance.

CookieBoss acts as an operator. We process consent data on your behalf — storing consent records, serving the consent script, and providing analytics. We only process data according to your instructions and our terms of service.

Infrastructure

CookieBoss is operated by Transformination OU, registered in Tallinn, Estonia. All consent data is stored on Cloudflare infrastructure. Edge-compiled scripts are served from 300+ Cloudflare PoPs globally, ensuring fast load times for South African visitors.