Are you missing one of the following for website compliance?
- Privacy Policy
- Terms and Conditions
- PAIA Manual (for South Africa only)
Most businesses seem to overlook the importance of having a few key compliance pages because they are either not aware they are required by law or they feel it doesn’t apply to them because “I’m just a wee business selling malva pudding”. But I’m here to tell you that you are wrong, Ms Malva.
In this article we will break down exactly what pages you need and why you need them, and you will thank me for keeping you out of prison.
Privacy Policy
What compliance is this?
A privacy policy protects your clients or customers. It assures them that you will absolutely not abuse the information you are collecting from them, i.e. sell it to data centres that sell it to call centres that harass you on Sundays.
You will also reassure them that their information is safe and will only be used to provide them with a service. You will need to specify how long you will keep their information, where it is stored, and what happens should you be hacked. No biggie.
Here’s the catch. The privacy policy has to be tailored according to your country’s laws. The ones we mainly deal with when building our clients’ websites are the GDPR (EU), the UK GDPR, the CCPA and the wider US state law patchwork, and POPIA (SA).
How Each Region Differs
| | EU (GDPR) | UK (UK GDPR + DPA 2018) | US (state laws) | South Africa (POPIA) |
|---|---|---|---|---|
| Type of law | Single EU-wide regulation | Retained GDPR plus domestic Act | Patchwork of 19 to 20+ state laws, no comprehensive federal law | Single national act |
| Regulator | National data protection authorities per member state | ICO (Information Commissioner’s Office) | State Attorneys General, varies by state | Information Regulator |
| Privacy policy required | Yes | Yes | Yes, per applicable state law | Yes |
| Lawful basis for processing | Yes, one of six bases required | Yes, same six bases | Varies, generally notice plus opt-out rather than opt-in | Yes, consent is the main basis for most SME sites |
| Cookie consent | Yes, opt-in before non-essential cookies load | Yes, same standard | No general rule, tied to opt-out of sale or targeted advertising in most states | Not explicitly cookie-specific, implied through consent and processing limitation principles |
| Data subject rights | Access, rectification, erasure, portability, objection | Same as EU | Access, correction, deletion, opt-out of sale or targeted ads, varies by state | Access and correction |
| Breach notification | Within 72 hours to the regulator | Within 72 hours to the ICO | Varies by state, generally “without unreasonable delay” | Required to the Regulator and affected data subjects |
| Applies based on | Processing data of EU residents, regardless of business location | Processing data of UK residents | Thresholds vary by state, e.g. volume of residents’ data or revenue from data sales | Processing personal information of South Africans, regardless of business location |
| Maximum penalty | Up to €20 million or 4% of global turnover | Broadly mirrors EU GDPR penalties | $7,500 to $10,000 per violation, depending on state | Up to R10 million or imprisonment |
| Cure period before enforcement | No | No | Varies, some states allow 30 days, others allow none | No formal cure period, Regulator issues corrective orders |
Penalties for not having this page
Fines. Big fines. And prison (in some places). We’re talking into the millions in fines here. For example:
Europe: GDPR penalties
Source: Article 83 GDPR, general conditions for imposing administrative fines.
| Tier | Maximum fine | Applies to |
|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover, whichever is higher | Administrative failures, e.g. record-keeping, breach notification, data protection officer requirements |
| Upper tier | €20 million or 4% of global annual turnover, whichever is higher | Core violations, e.g. no lawful basis for processing, ignoring data subject rights, unlawful cross-border transfers |
United Kingdom: GDPR penalties
| Tier | Maximum fine | Applies to |
|---|---|---|
| Lower tier | £8.7 million or 2% of global annual turnover, whichever is higher | Administrative failures, mirrors the EU lower tier |
| Upper tier | £17.5 million or 4% of global annual turnover, whichever is higher | Core violations, mirrors the EU upper tier |
The ICO can also issue enforcement notices and reprimands short of a fine, which is its more common first step.
United States: state law penalties
| Example state | Maximum penalty | Cure period |
|---|---|---|
| California (CCPA) | $2,500 per violation, $7,500 per intentional violation or violation involving a minor’s data | No general cure period |
| Indiana / Kentucky | $7,500 per violation | 30 days |
| Rhode Island | $10,000 per violation | None |
Every state law differs, and there is no single federal ceiling. Penalties above are illustrative, not exhaustive. Enforcement sits with each state’s Attorney General. Sources: California Attorney General, CCPA, IAPP US State Privacy Legislation Tracker.
South Africa: POPIA penalties
| Type | Maximum penalty | Applies to |
|---|---|---|
| Administrative fine (Section 109) | Up to R10 million | General non-compliance, issued by the Information Regulator |
| Serious criminal offences (Section 107(a)) | Fine and/or up to 10 years imprisonment | Obstructing the Regulator, failing to comply with an enforcement notice, unlawful acts involving account numbers |
| Lesser criminal offences (Section 107(b)) | Fine and/or up to 12 months imprisonment | Breach of confidentiality, obstructing a warrant, false statements or evidence |
POPIA is the only one of the four with imprisonment as a stated penalty. The Information Regulator has already issued at least one R5 million fine, against a government department, so enforcement is active. Sources: Section 107 Penalties, POPIA; POPIA offences, penalties and administrative fines, Michalsons; Information Regulator issues first R5 million fine under POPIA, Bowmans.
Don't want to go to prison?
But what if you do have a privacy policy? Well, Mr. Efficient, did you auto-generate it? Was it ripped from another website? Unfortunately, you may be referencing the wrong laws in your current policy which in itself is misleading and non-compliant.
Stating “governed by the laws of England” on a South Africa website is so wrong you have no idea. To prison with you!
Saying you don’t share the user’s data with third parties but you have Google Analytics alive and kicking is also untrue. You are, in fact, sharing with Google. Here’s your orange jumpsuit. See you in a few years.
Terms & Conditions
What compliance is this?
Same-same but different. While privacy policies cover the user’s data, the terms and conditions cover the relationship, the transaction, and liability.
Got a business? Selling something? You need a terms and conditions page. And once again, not a generic one as it most likely does not explain what it is you sell, or how your business operates.
If you state in your Ts & Cs that you sell “goods” but you only really offer services, e.g. companionship (if you know what I mean), there is nothing for you to enforce should the poop hit the fan and you have a dispute on your hands.
This is especially important if you sell goods. Stating your refund policy can save you loads of time and money when dealing with dodgy customers.
The terms and conditions are heavily tied into the GDPR and POPIA with regards to consumer rights, and specifically into your consumer protection laws too: the EU Unfair Contract Terms Directive, the UK Consumer Rights Act 2015, and South Africa’s Consumer Protection Act 68 of 2008. They therefore tie in with your privacy policy. Sorry to say, but they come as a pair.
Penalties for not having this page
Not so much a fine but rather losing your disputes and shaming your family for generations to come. Which is worse than a fine, I guess.
The last thing you want is a client relationship turning legal with zero contract protection. These issues may only appear later on in your business with unresolved disputes, bad debt, reputation damage and loss of income.
Do you really want that because you have yet to implement this important page on your website? No? Didn’t think so.
Read Enough? Are You Scared?
And because we love a good AI generated table to organise data, especially the kind of data that scares you, here’s your breakdown of consequences for not having a terms and conditions page:
| | EU | UK | US | South Africa |
|---|---|---|---|---|
| Governing law / framework | Consumer Rights Directive, plus national contract law per member state | Consumer Rights Act 2015, Consumer Contracts Regulations 2013 | Varies by state, generally state contract law plus FTC oversight on unfair or deceptive practices | Consumer Protection Act 68 of 2008 (CPA) |
| What weak T&Cs actually risk | Unfair terms can be struck out entirely under the Unfair Contract Terms Directive, leaving the business with no protection on that clause | Same risk under the Consumer Rights Act, an unfair term simply isn’t binding on the consumer, even if they “agreed” to it | Terms that violate state consumer protection law can be void, and the FTC can act on deceptive or unconscionable terms regardless of what’s written | The CPA overrides contradictory T&Cs outright, e.g. a “no refunds” clause is unenforceable against a consumer’s statutory right to a refund on defective goods or services |
| Enforceability standard | Courts require genuine, informed consent to terms, a footer link alone is weak evidence of agreement | Same clickwrap vs browsewrap distinction, UK courts have repeatedly favoured the consumer where consent wasn’t clearly given | Varies significantly by state, but courts increasingly require clear, affirmative acceptance, especially post-2020 case law on browsewrap agreements | South African courts also lean toward requiring clear acceptance, especially post-CPA, given its consumer-protective intent |
| Who bears the cost of a dispute | Business, since unfair terms are read in favour of the consumer by default | Business, same principle | Business, plus potential exposure to class action risk in some states | Business, and the National Consumer Commission can also get involved for CPA breaches, not just civil courts |
| Typical real-world consequence | Chargeback disputes, unresolved payment claims, unenforceable liability caps | Same, plus reputational risk via consumer complaint bodies like Trading Standards | Chargebacks, small claims exposure, and in worse cases, class action or FTC scrutiny for pattern-of-practice issues | Chargebacks, complaints to the National Consumer Commission, and civil claims where the CPA voids a protective clause |
| Regulator actively enforcing | Limited, mostly consumer complaint driven rather than proactive audits | Limited, similar complaint-driven model via Trading Standards / CMA | Patchy, FTC engages mainly on deceptive practice patterns, not routine SME disputes | More active than the others, since the National Consumer Commission has a clear consumer complaints mandate under the CPA |
Promotion of Access to Information Act Manual
What is this?
For those of you with businesses outside of South Africa, please calm down. You are not required to have this document.
South Africans, continue to panic. This is not POPIA, but they are linked and share the same Information Regulator. How are they different, you ask? POPIA protects personal information (as the GDPR and CCPA do). PAIA governs the right of access to information held by the business, both personal and non-personal, and its full text is available from the South African government.
Most South Africans don’t realise that this PAIA manual is mandatory regardless of the type and size of business. Both public and private bodies are required to have one, under Section 51 of PAIA.
Penalties for not having this page
Failure to have a PAIA manual is a direct compliance failure that the Information Regulator can act on independently. What happens if you get busted for not having one?
While the risk of penalties is real, you will most likely get a notice of correction rather than maximum penalties upfront. But what happens if you ignore the warning?
This would be under Section 77K where an information officer of a public body or head of a private body who refuses to comply with an enforcement notice is guilty of an offence.
Wilfully ignoring authorities is a criminal offence, punishable by a fine or imprisonment for a period not exceeding two years, under section 90 of PAIA.
Yes, this is a real thing that gets acted on in South Africa. And to keep with the flow of the AI generated tables, here are your consequences:
| Offence | Maximum penalty | When it applies |
|---|---|---|
| No PAIA Manual at all (Section 90(3)) | Fine and/or up to 2 years imprisonment | The head of a private body wilfully or in a grossly negligent manner fails to comply with the Section 51 requirement to have a manual |
| Ignoring a Regulator recommendation | No direct penalty stipulated | Not implementing a recommendation isn’t itself an offence, but it signals non-compliance and invites further scrutiny |
| Ignoring a formal enforcement notice (Section 77K) | Fine and/or up to 3 years imprisonment | The head of a private body refuses to comply with an enforcement notice issued under Section 77J, after the Regulator has already stepped in directly |
Ignoring a formal enforcement notice carries a heavier maximum sentence than never having had a manual in the first place. The Information Regulator has been actively issuing and following through on these notices; this isn’t a power sitting unused on paper.
How The Bloc Studio Will Help You Not Go to Prison
It’s true. We can help. Every website we build comes standard with a Privacy Policy page that is compliant for your own region, a Terms and Conditions page that protects you, and, for South Africa, a PAIA Manual that you can show off to your friends and family and the police.