POPIA cookie banner compliance is something most South African websites still get wrong in 2026 — usually by importing a GDPR template that does not actually map to the POPI Act, or by sticking a small “This site uses cookies” notice in the corner and calling it done. The Information Regulator has steadily increased enforcement, and a complaint can land in your inbox at any time.
This is the practical checklist we wish every SA SMB had: what POPIA actually requires for cookies, what a compliant banner looks like, and which plugins to use. Built around the POPI Act, not GDPR retro-fitted.
What POPIA actually requires for cookies
POPIA classifies cookies that identify a user — analytics, advertising, tracking pixels — as personal information processing. Section 11 of the Act requires informed, voluntary, specific consent before that processing happens. The Information Regulator has clarified through guidance notes that for non-essential cookies this means opt-in, not opt-out.
Essential cookies — the ones strictly required to make the site function, like session and security cookies — do not need consent. Everything else does.
The five elements of a POPIA cookie banner
A POPIA cookie banner that will survive scrutiny has five things:
1. A clear statement that cookies are used and what they do. Plain language. “We use cookies for analytics and marketing” is the floor; better is naming the categories specifically.
2. A way to accept and a way to reject non-essential cookies, with equal prominence. A big green “Accept All” and a hidden grey “Reject” link does not meet the bar.
3. Granular control over categories — essential, analytics, marketing, functional. The visitor must be able to opt in or out of each independently.
4. A link to your full cookie policy with detail on every cookie, its purpose, who sets it, and how long it lives.
5. A way to change the choice later. A persistent “Cookie preferences” link in the footer, or a floating preferences icon.
What is not compliant
Pre-checked consent boxes. “By using this site you agree” walls. Cookies set before the banner is interacted with. Banners that disappear after a few seconds whether or not the user clicked anything. Bundling cookies with terms-of-service acceptance. All of these have been called out by SA and international regulators.
Plugins that handle POPIA properly
Three options that work well on WordPress in 2026:
Complianz — has a POPIA preset, scans your site for cookies, and generates a compliant cookie policy. Free tier handles most SA SMBs.
Cookie Notice & Compliance — lighter, free, and adequate for simple sites without heavy tracking.
CookieYes — paid SaaS, polished UI, good for ecommerce sites with many tracking pixels.
The POPIA cookie banner checklist before you publish
Before pushing live: (a) test your site in a fresh incognito window — does any analytics or tracking script load before you click? (b) Open your browser dev tools and watch the Network tab — any cookies set before consent? (c) Click “Reject all” and refresh — are the analytics cookies actually gone? (d) Use the browser’s Inspect → Storage tab to spot the offenders. (e) Pop open your privacy policy and confirm every cookie is listed.
Most non-compliant sites fail at step (b) or (c). Tag managers and theme-embedded analytics often fire before the consent state is read, which makes the banner cosmetic rather than functional.
The risk of getting it wrong
Beyond the regulator, the bigger risk for most SA SMBs is reputational. A customer who notices that you set tracking cookies before they consented now distrusts your privacy posture across the board. POPIA cookie banner compliance is a trust signal as much as a legal requirement.
Want a compliance check on your site? Our WordPress maintenance plans include POPIA and cookie audits. Or read other posts on our blog for related 2026 compliance guidance.
