EDITORIAL

How to Collect Data Online Without Violating POPIA

Yuvin Kim

September 4, 2025

EDITORIAL

How to Collect Data Online Without Violating POPIA

Yuvin Kim

September 4, 2025

Collecting data online—through contact forms, newsletter sign-ups, event registrations, and surveys—is the lifeblood of modern business in South Africa. It’s how you find new customers, serve them better, and grow. But this everyday activity is also where businesses are most at risk of violating the Protection of Personal Information Act (POPIA).

Many businesses are still unsure if their simple website form is compliant. The good news is that it doesn’t have to be complicated. By following a few fundamental principles, you can ensure your online data collection is lawful, secure, and, most importantly, builds trust with your customers.

Here is a 5-step guide to collecting data online the right way.

Step 1: Be Open and Transparent From the Start

The principle of "Openness" under POPIA requires you to be transparent about your data practices. This starts with a clear and easy-to-understand Privacy Notice (or Privacy Policy).

  • Action: Your Privacy Notice must be easily accessible at or before the point where you collect personal information. Don’t hide it in the footer of your website. Add a clear link directly on your form that says, "Before you submit, please review our Privacy Policy."

Step 2: Practice Data Minimisation (Only Collect What You Need)

A key principle of POPIA is that you should only collect information that is adequate, relevant, and not excessive for the purpose. In simple terms: don’t be greedy with data.

  • Action: Before you create a form, ask yourself: "Do I absolutely need every single piece of information I'm asking for to achieve my goal?" For a newsletter sign-up, you likely only need an email address. Asking for a phone number and home address in this context would be a violation of this principle.

Step 3: Get Valid Consent (The Right Way)

For most online data collection, consent is your legal basis. Under POPIA, consent must be a voluntary, specific, and informed expression of will.

  • Action: Your forms must use an "opt-in" mechanism. This means using unchecked checkboxes that require the user to take a clear, affirmative action. Pre-checked boxes that assume consent are not compliant. If you are collecting data for multiple purposes (e.g., to fulfill an order AND to send marketing emails), you must get separate consent for each purpose.

Step 4: Implement Strong Security Safeguards

You are legally obligated to protect the data you collect. Using an unsecure form or storing the data in an insecure way is a direct violation of POPIA.

  • Action:

    • Use HTTPS: Ensure your website and all your forms are secured with SSL/TLS encryption. Your URL should start with https://.

    • Secure Storage: The data you collect must be stored in a secure, encrypted database with strict access controls. Simply sending form submissions to an unencrypted email inbox is a major risk.

Step 5: Have a Plan for Data Subject Rights

Your responsibility doesn't end once you've collected the data. POPIA gives individuals the right to access their information and request its correction or deletion.

  • Action: Have a simple and clear process for handling these requests. This could be a dedicated email address (e.g., privacy@yourcompany.co.za) or a contact form mentioned in your Privacy Notice. The key is to be able to find and manage an individual's data when they ask.

Conclusion: Compliance Builds Trust

Collecting data online without violating POPIA isn't about navigating legal minefields; it’s about demonstrating respect for your customers. Every step you take to be transparent and secure is a step towards building a stronger, more trustworthy brand.

Walla is designed to make this easy. From providing the secure infrastructure with end-to-end encryption to enabling the creation of forms with granular consent options, we give you the tools to collect data with confidence. Focus on your business, knowing your data collection is built on a foundation of compliance and trust.

Collecting data online—through contact forms, newsletter sign-ups, event registrations, and surveys—is the lifeblood of modern business in South Africa. It’s how you find new customers, serve them better, and grow. But this everyday activity is also where businesses are most at risk of violating the Protection of Personal Information Act (POPIA).

Many businesses are still unsure if their simple website form is compliant. The good news is that it doesn’t have to be complicated. By following a few fundamental principles, you can ensure your online data collection is lawful, secure, and, most importantly, builds trust with your customers.

Here is a 5-step guide to collecting data online the right way.

Step 1: Be Open and Transparent From the Start

The principle of "Openness" under POPIA requires you to be transparent about your data practices. This starts with a clear and easy-to-understand Privacy Notice (or Privacy Policy).

  • Action: Your Privacy Notice must be easily accessible at or before the point where you collect personal information. Don’t hide it in the footer of your website. Add a clear link directly on your form that says, "Before you submit, please review our Privacy Policy."

Step 2: Practice Data Minimisation (Only Collect What You Need)

A key principle of POPIA is that you should only collect information that is adequate, relevant, and not excessive for the purpose. In simple terms: don’t be greedy with data.

  • Action: Before you create a form, ask yourself: "Do I absolutely need every single piece of information I'm asking for to achieve my goal?" For a newsletter sign-up, you likely only need an email address. Asking for a phone number and home address in this context would be a violation of this principle.

Step 3: Get Valid Consent (The Right Way)

For most online data collection, consent is your legal basis. Under POPIA, consent must be a voluntary, specific, and informed expression of will.

  • Action: Your forms must use an "opt-in" mechanism. This means using unchecked checkboxes that require the user to take a clear, affirmative action. Pre-checked boxes that assume consent are not compliant. If you are collecting data for multiple purposes (e.g., to fulfill an order AND to send marketing emails), you must get separate consent for each purpose.

Step 4: Implement Strong Security Safeguards

You are legally obligated to protect the data you collect. Using an unsecure form or storing the data in an insecure way is a direct violation of POPIA.

  • Action:

    • Use HTTPS: Ensure your website and all your forms are secured with SSL/TLS encryption. Your URL should start with https://.

    • Secure Storage: The data you collect must be stored in a secure, encrypted database with strict access controls. Simply sending form submissions to an unencrypted email inbox is a major risk.

Step 5: Have a Plan for Data Subject Rights

Your responsibility doesn't end once you've collected the data. POPIA gives individuals the right to access their information and request its correction or deletion.

  • Action: Have a simple and clear process for handling these requests. This could be a dedicated email address (e.g., privacy@yourcompany.co.za) or a contact form mentioned in your Privacy Notice. The key is to be able to find and manage an individual's data when they ask.

Conclusion: Compliance Builds Trust

Collecting data online without violating POPIA isn't about navigating legal minefields; it’s about demonstrating respect for your customers. Every step you take to be transparent and secure is a step towards building a stronger, more trustworthy brand.

Walla is designed to make this easy. From providing the secure infrastructure with end-to-end encryption to enabling the creation of forms with granular consent options, we give you the tools to collect data with confidence. Focus on your business, knowing your data collection is built on a foundation of compliance and trust.

Collecting data online—through contact forms, newsletter sign-ups, event registrations, and surveys—is the lifeblood of modern business in South Africa. It’s how you find new customers, serve them better, and grow. But this everyday activity is also where businesses are most at risk of violating the Protection of Personal Information Act (POPIA).

Many businesses are still unsure if their simple website form is compliant. The good news is that it doesn’t have to be complicated. By following a few fundamental principles, you can ensure your online data collection is lawful, secure, and, most importantly, builds trust with your customers.

Here is a 5-step guide to collecting data online the right way.

Step 1: Be Open and Transparent From the Start

The principle of "Openness" under POPIA requires you to be transparent about your data practices. This starts with a clear and easy-to-understand Privacy Notice (or Privacy Policy).

  • Action: Your Privacy Notice must be easily accessible at or before the point where you collect personal information. Don’t hide it in the footer of your website. Add a clear link directly on your form that says, "Before you submit, please review our Privacy Policy."

Step 2: Practice Data Minimisation (Only Collect What You Need)

A key principle of POPIA is that you should only collect information that is adequate, relevant, and not excessive for the purpose. In simple terms: don’t be greedy with data.

  • Action: Before you create a form, ask yourself: "Do I absolutely need every single piece of information I'm asking for to achieve my goal?" For a newsletter sign-up, you likely only need an email address. Asking for a phone number and home address in this context would be a violation of this principle.

Step 3: Get Valid Consent (The Right Way)

For most online data collection, consent is your legal basis. Under POPIA, consent must be a voluntary, specific, and informed expression of will.

  • Action: Your forms must use an "opt-in" mechanism. This means using unchecked checkboxes that require the user to take a clear, affirmative action. Pre-checked boxes that assume consent are not compliant. If you are collecting data for multiple purposes (e.g., to fulfill an order AND to send marketing emails), you must get separate consent for each purpose.

Step 4: Implement Strong Security Safeguards

You are legally obligated to protect the data you collect. Using an unsecure form or storing the data in an insecure way is a direct violation of POPIA.

  • Action:

    • Use HTTPS: Ensure your website and all your forms are secured with SSL/TLS encryption. Your URL should start with https://.

    • Secure Storage: The data you collect must be stored in a secure, encrypted database with strict access controls. Simply sending form submissions to an unencrypted email inbox is a major risk.

Step 5: Have a Plan for Data Subject Rights

Your responsibility doesn't end once you've collected the data. POPIA gives individuals the right to access their information and request its correction or deletion.

  • Action: Have a simple and clear process for handling these requests. This could be a dedicated email address (e.g., privacy@yourcompany.co.za) or a contact form mentioned in your Privacy Notice. The key is to be able to find and manage an individual's data when they ask.

Conclusion: Compliance Builds Trust

Collecting data online without violating POPIA isn't about navigating legal minefields; it’s about demonstrating respect for your customers. Every step you take to be transparent and secure is a step towards building a stronger, more trustworthy brand.

Walla is designed to make this easy. From providing the secure infrastructure with end-to-end encryption to enabling the creation of forms with granular consent options, we give you the tools to collect data with confidence. Focus on your business, knowing your data collection is built on a foundation of compliance and trust.

Continue Reading

당신이 그토록 찾던 폼, 무료로 사용하세요.

바로 여기, 왈라에서.

당신이 그토록 찾던 폼, 무료로 사용하세요.

바로 여기, 왈라에서.

당신이 그토록 찾던 폼, 무료로 사용하세요.

바로 여기, 왈라에서.