- the offending company’s website did not contain sufficient information pertaining to both the types of cookies and the number of cookies which it deployed on its website;
- although the website users were primarily Dutch and French-speaking persons, the information on the company’s website pertaining to the company’s cookies was only available in English;
- the company’s website did not contain an appropriate consent mechanism in terms of which the requisite consents for certain types of cookies which were used on the website could be obtained; and
Notwithstanding the above, and considering the principle-based nature of POPIA, the following sections of POPIA will have a bearing on the data protection liability of website owners in relation to website cookies:
- section 11 of POPIA lists consent as a lawful basis upon which personal information may be processed. From a consent perspective, therefore, website owners utilising cookies on their websites should note that the utilisation of cookies (which collect the personal information of website users) constitutes the ‘processing of personal information’ under POPIA. Accordingly, website owners will need to ensure that appropriate consent mechanisms, which correctly facilitate a website user’s giving and withdrawal of consent to the relevant cookies, be built into their website(s); and
- section 19 of POPIA requires responsible parties to take appropriate and reasonable technical and organisational measures in order to prevent the unlawful processing of personal information. From an organisational security perspective, website owners must ensure that their cookie policies and statements which appear on their websites are, inter alia: (i) drafted clearly and concisely; (ii) drafted in plain and understandable language; (iii) specifically tailored to the website owner’s business and processing activities; and (iv) sufficiently detailed with regard to the cookies which are used on their websites.
Although POPIA is not yet fully in force and will only commence on a date to be determined by the President by proclamation in the Government Gazette, website owners are reminded that the office of the Information Regulator has already been established by the coming into effect of sections 39–54 of POPIA. In this regard, the Information Regulator has, on occasion, proactively engaged companies in order to assist them in bringing their processing activities in line with the provisions of POPIA. In view of this practice, and in view of the impending commencement of the operative provisions of POPIA, website owners are advised to take measures to bring their website cookie policies, statements and consent mechanisms in line with the provisions of POPIA sooner rather than later.