Please note: this article is general informational guidance for marketers, not legal advice. POPIA, the CPA and related rules can apply differently to each business, so confirm your own position with a qualified professional before you act.
Why do cookie banners and privacy policies matter on SA sites?
Cookies power most of the useful things a website does, from remembering a cart to measuring which campaign brought a buyer. Many of those cookies carry personal information, which is exactly what POPIA, in force since July 2021, asks you to handle with care. A cookie banner and a privacy policy are how you show visitors, and the Information Regulator, that you take that seriously. They are also a trust signal: a clear, honest approach to data tells people you are a business worth dealing with.
What makes a cookie banner work properly?
The biggest mistake is a banner that informs but does not control. A compliant banner should let a visitor accept or reject non essential cookies before those cookies load, and that choice must connect to your actual tags. If a visitor rejects analytics cookies but your analytics still tracks them, the banner is decoration, and that is worse than having none because it implies a protection you are not providing.
A good banner does three jobs:
- Tells visitors clearly that the site uses cookies.
- Offers a genuine choice to accept or reject non essential cookies, not just an OK button.
- Connects that choice to your tags so the decision is honoured behind the scenes.
Most South African sites achieve this with a recognised consent platform linked to Google Tag Manager, rather than a home built banner that looks the part but does nothing.
What should a POPIA friendly privacy policy include?
A privacy policy is your plain language promise about data. It should answer the questions a reasonable visitor would ask: what do you collect, why, how long do you keep it, who do you share it with, and how can I see or delete my data. It should name a contact point and be reachable from your footer in one click.
The temptation is to make it long and legalistic. Resist it. A short, accurate policy that genuinely reflects your site beats a long, borrowed one that describes practices you do not follow. Write from your real data flows: the forms you run, the analytics you use, the email platform you send from, and the ad networks you work with.
Should you copy a privacy policy from another website?
It is tempting and risky. A copied policy usually describes someone else's data practices, which can mislead your visitors and leaves you unable to stand behind your own words. Start from what your site actually does. If you collect names and emails through a contact form and run GA4 with consent, say exactly that. Honesty is both safer and clearer.
How do the banner, the policy and your analytics fit together?
These three are a single system. The banner captures the choice, the privacy policy explains the bigger picture, and your Consent Mode and GTM setup turns the choice into real tag behaviour. When they are aligned, a visitor who declines analytics is genuinely not tracked the way a consenting visitor is, and you can describe your practice with a straight face.
This all sits inside your broader POPIA responsibilities as a marketer and the wider advertising rules that govern South African campaigns. None of it needs to be heavy. A clean banner, an honest policy and a consent aware analytics setup cover the ground for most businesses.
Want it built in from the start?
Retrofitting consent onto a finished site is fiddly and easy to get wrong. Building it in from day one is far smoother. Our digital marketing service sets up consent aware tracking and clear privacy as standard, so your site respects visitors and still gives you the data you need. Founder led since 2015, 64 plus clients, packages from R6,000 per month.
Cookie banners and privacy policies: common questions
Do South African websites legally need a cookie banner?
POPIA does not spell out a banner in those exact words, but it sets expectations about handling personal information, and many cookies carry personal information. A cookie banner is the practical, widely used way to give visitors a real choice about non essential cookies and to record that choice. For most South African sites a clear banner is the sensible default. This is general guidance, so confirm your specifics with a professional.
What should a cookie banner actually do?
A good banner does three things. It tells visitors that the site uses cookies, it lets them accept or reject non essential cookies before those cookies load, and it connects that choice to your actual tags so the decision is honoured. A banner that only informs, without controlling what fires behind it, gives the appearance of compliance without the substance, which is the worst position to be in.
What goes into a POPIA friendly privacy policy?
A useful privacy policy explains, in plain language, what personal information you collect, why you collect it, how long you keep it, who you share it with, and how someone can ask what you hold or request deletion. It should name a contact point and be easy to find from your footer. The aim is genuine clarity, not a wall of legal text that no visitor will ever read.
Can I just copy a privacy policy from another site?
It is risky. A copied policy often describes data practices that are not yours, which can be misleading and unhelpful if a visitor or regulator ever looks closely. A short, accurate policy that actually reflects what your site does is far better than a long, borrowed one that does not. Start from your real data flows and describe them honestly.
How do cookie consent and analytics work together?
The banner captures the choice and your tag setup acts on it. Tools such as Google Consent Mode let your analytics and ad tags adjust to a visitor's decision, so someone who rejects analytics cookies is genuinely not tracked the same way. Linking the banner to that setup is what turns a consent choice into real behaviour rather than decoration.