The Bloc Studio (Pty) Ltd

Are you missing one of the following for website compliance?

  • Privacy Policy
  • Terms and Conditions
  • PAIA Manual (for South Africa only)
If you said yes to any of those, then I have some bad news for you.

Most businesses seem to overlook the importance of having a few key compliance pages because they are either not aware they are required by law or they feel it doesn’t apply to them because “I’m just a wee business selling malva pudding”. But I’m here to tell you that you are wrong, Ms Malva.

In this article we will break down exactly what pages you need and why you need them, and you will thank me for keeping you out of prison.

Privacy Policy

What compliance is this?

A privacy policy protects your clients or customers. It assures them that you will absolutely not abuse the information you are collecting from them, i.e. sell it to data centres that sell it to call centres that harass you on Sundays.

You will also reassure them that their information is safe and will only be used to provide them with a service. You will need to specify how long you will keep their information, where it is stored, and what happens should you be hacked. No biggie.

Here’s the catch. The privacy policy has to be tailored according to your country’s laws. These are the GDPR (EU), GDPR (UK), CCPA and the wider US state law patchwork, and POPIA (SA) laws that we mainly deal with when it comes to building our clients’ websites.

How Each Region Differs

| | EU (GDPR) | UK (UK GDPR + DPA 2018) | US (state laws) | South Africa (POPIA) |
|---|---|---|---|---|
| Type of law | Single EU-wide regulation | Retained GDPR plus domestic Act | Patchwork of 19 to 20+ state laws, no comprehensive federal law | Single national act |
| Regulator | National data protection authorities per member state | ICO (Information Commissioner’s Office) | State Attorneys General, varies by state | Information Regulator |
| Privacy policy required | Yes | Yes | Yes, per applicable state law | Yes |
| Lawful basis for processing | Yes, one of six bases required | Yes, same six bases | Varies, generally notice plus opt-out rather than opt-in | Yes, consent is the main basis for most SME sites |
| Cookie consent | Yes, opt-in before non-essential cookies load | Yes, same standard | No general rule, tied to opt-out of sale or targeted advertising in most states | Not explicitly cookie-specific, implied through consent and processing limitation principles |
| Data subject rights | Access, rectification, erasure, portability, objection | Same as EU | Access, correction, deletion, opt-out of sale or targeted ads, varies by state | Access and correction |
| Breach notification | Within 72 hours to the regulator | Within 72 hours to the ICO | Varies by state, generally “without unreasonable delay” | Required to the Regulator and affected data subjects |
| Applies based on | Processing data of EU residents, regardless of business location | Processing data of UK residents | Thresholds vary by state, e.g. volume of residents’ data or revenue from data sales | Processing personal information of South Africans, regardless of business location |
| Maximum penalty | Up to €20 million or 4% of global turnover | Broadly mirrors EU GDPR penalties | $7,500 to $10,000 per violation, depending on state | Up to R10 million or imprisonment |
| Cure period before enforcement | No | No | Varies, some states allow 30 days, others allow none | No formal cure period, Regulator issues corrective orders |

Penalties for not having this page

Fines. Big fines. And prison (in some places). We’re talking into the millions in fines here. For example:

Europe: GDPR penalties

Source: Article 83 GDPR, general conditions for imposing administrative fines.

| Tier | Maximum fine | Applies to |
|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover, whichever is higher | Administrative failures, e.g. record-keeping, breach notification, data protection officer requirements |
| Upper tier | €20 million or 4% of global annual turnover, whichever is higher | Core violations, e.g. no lawful basis for processing, ignoring data subject rights, unlawful cross-border transfers |

United Kingdom: GDPR penalties

| Tier | Maximum fine | Applies to |
|---|---|---|
| Lower tier | £8.7 million or 2% of global annual turnover, whichever is higher | Administrative failures, mirrors the EU lower tier |
| Upper tier | £17.5 million or 4% of global annual turnover, whichever is higher | Core violations, mirrors the EU upper tier |

The ICO can also issue enforcement notices and reprimands short of a fine, which is its more common first step.

United States: state law penalties

| Example state | Maximum penalty | Cure period |
|---|---|---|
| California (CCPA) | $2,500 per violation, $7,500 per intentional violation or violation involving a minor’s data | No general cure period |
| Indiana / Kentucky | $7,500 per violation | 30 days |
| Rhode Island | $10,000 per violation | None |

Every state law differs, and there is no single federal ceiling. The penalties above are illustrative, not exhaustive. Enforcement sits with each state’s Attorney General. Sources: California Attorney General, CCPA; IAPP US State Privacy Legislation Tracker.

South Africa: POPIA penalties

| Type | Maximum penalty | Applies to |
|---|---|---|
| Administrative fine (Section 109) | Up to R10 million | General non-compliance, issued by the Information Regulator |
| Serious criminal offences (Section 107(a)) | Fine and/or up to 10 years imprisonment | Obstructing the Regulator, failing to comply with an enforcement notice, unlawful acts involving account numbers |
| Lesser criminal offences (Section 107(b)) | Fine and/or up to 12 months imprisonment | Breach of confidentiality, obstructing a warrant, false statements or evidence |

POPIA is the only one of the four with imprisonment as a stated penalty. The Information Regulator has already issued at least one R5 million fine, against a government department, so enforcement is active. Sources: Section 107 Penalties, POPIA; POPIA offences, penalties and administrative fines, Michalsons; Information Regulator issues first R5 million fine under POPIA, Bowmans.

Don't want to go to prison?

But what if you do have a privacy policy? Well, Mr. Efficient, did you auto-generate it? Was it ripped from another website? Unfortunately, you may be referencing the wrong laws in your current policy which in itself is misleading and non-compliant.

Stating “governed by the laws of England” on a South African website is so wrong you have no idea. To prison with you!

Saying you don’t share the user’s data with third parties while you have Google Analytics alive and kicking is also untrue. You are, in fact, sharing with Google. Here’s your orange jumpsuit. See you in a few years.

Terms & Conditions

What compliance is this?

Same-same but different. While privacy policies cover the user’s data, the terms and conditions cover the relationship, the transaction, and liability.

Got a business? Selling something? You need a terms and conditions page. And once again, not a generic one as it most likely does not explain what it is you sell, or how your business operates.

If you state in your Ts & Cs that you sell “goods” but you only really offer services, e.g. companionship (if you know what I mean), there is nothing for you to enforce should the poop hit the fan and you have a dispute on your hands.

This is especially important if you sell goods. Stating your refund policy can save you loads of time and money with your dodgy customers.

The terms and conditions are heavily tied into your GDPR and POPIA laws with regard to consumer rights, and specifically to your consumer protection laws too: the EU Unfair Contract Terms Directive, the UK Consumer Rights Act 2015, and South Africa’s Consumer Protection Act 68 of 2008. They therefore tie in with your privacy policy. Sorry to say, but they come as a pair.

Penalties for not having this page

Not so much a fine but rather losing your disputes and shaming your family for generations to come. Which is worse than a fine, I guess.

The last thing you want is a client relationship turning legal with zero contract protection. These issues may only appear later on in your business with unresolved disputes, bad debt, reputation damage and loss of income. 

Do you really want that because you have yet to implement this important page on your website? No? Didn’t think so. 

Read Enough? Are You Scared?

And because we love a good AI-generated table to organise data, especially the kind of data that scares you, here’s your breakdown of consequences for not having a terms and conditions page:

| | EU | UK | US | South Africa |
|---|---|---|---|---|
| Governing law / framework | Consumer Rights Directive, plus national contract law per member state | Consumer Rights Act 2015, Consumer Contracts Regulations 2013 | Varies by state, generally state contract law plus FTC oversight on unfair or deceptive practices | Consumer Protection Act 68 of 2008 (CPA) |
| What weak T&Cs actually risk | Unfair terms can be struck out entirely under the Unfair Contract Terms Directive, leaving the business with no protection on that clause | Same risk under the Consumer Rights Act, an unfair term simply isn’t binding on the consumer, even if they “agreed” to it | Terms that violate state consumer protection law can be void, and the FTC can act on deceptive or unconscionable terms regardless of what’s written | The CPA overrides contradictory T&Cs outright, e.g. a “no refunds” clause is unenforceable against a consumer’s statutory right to a refund on defective goods or services |
| Enforceability standard | Courts require genuine, informed consent to terms, a footer link alone is weak evidence of agreement | Same clickwrap vs browsewrap distinction, UK courts have repeatedly favoured the consumer where consent wasn’t clearly given | Varies significantly by state, but courts increasingly require clear, affirmative acceptance, especially post-2020 case law on browsewrap agreements | South African courts also lean toward requiring clear acceptance, especially post-CPA, given its consumer-protective intent |
| Who bears the cost of a dispute | Business, since unfair terms are read in favour of the consumer by default | Business, same principle | Business, plus potential exposure to class action risk in some states | Business, and the National Consumer Commission can also get involved for CPA breaches, not just civil courts |
| Typical real-world consequence | Chargeback disputes, unresolved payment claims, unenforceable liability caps | Same, plus reputational risk via consumer complaint bodies like Trading Standards | Chargebacks, small claims exposure, and in worse cases, class action or FTC scrutiny for pattern-of-practice issues | Chargebacks, complaints to the National Consumer Commission, and civil claims where the CPA voids a protective clause |
| Regulator actively enforcing | Limited, mostly consumer complaint driven rather than proactive audits | Limited, similar complaint-driven model via Trading Standards / CMA | Patchy, FTC engages mainly on deceptive practice patterns, not routine SME disputes | More active than the others, since the National Consumer Commission has a clear consumer complaints mandate under the CPA |

Promotion of Access to Information Act Manual

What is this?

For those of you with businesses outside of South Africa, please calm down. You are not required to have this document.

South Africans, continue to panic. This is not POPIA, but they are linked and share the same Information Regulator. How are they different, you ask? POPIA protects personal information (as GDPR and CCPA do). PAIA governs the right of access to information held by the business, both personal and non-personal, and its full text is available from the South African government.

Most South Africans don’t realise that this PAIA manual is mandatory regardless of the type and size of business. Both public and private bodies are required to have one, under Section 51 of PAIA.

Penalties for not having this page

Failure to have a PAIA manual is a direct compliance failure that the Information Regulator can act on independently. What happens if you get busted for not having one?

While the risk of penalties is real, you will most likely get a notice of correction rather than maximum penalties upfront. But what happens if you ignore the warning?

This would be under Section 77K where an information officer of a public body or head of a private body who refuses to comply with an enforcement notice is guilty of an offence.

Wilfully ignoring authorities is a criminal offence, punishable by a fine or imprisonment for a period not exceeding two years, under section 90 of PAIA.

Yes, this is a real thing that gets acted on in South Africa. And to keep with the flow of the AI-generated tables, here are your consequences:

| Offence | Maximum penalty | When it applies |
|---|---|---|
| No PAIA Manual at all (Section 90(3)) | Fine and/or up to 2 years imprisonment | The head of a private body wilfully or in a grossly negligent manner fails to comply with the Section 51 requirement to have a manual |
| Ignoring a Regulator recommendation | No direct penalty stipulated | Not implementing a recommendation isn’t itself an offence, but it signals non-compliance and invites further scrutiny |
| Ignoring a formal enforcement notice (Section 77K) | Fine and/or up to 3 years imprisonment | The head of a private body refuses to comply with an enforcement notice issued under Section 77J, after the Regulator has already stepped in directly |

Ignoring a formal enforcement notice carries a heavier maximum sentence than never having had a manual in the first place. The Information Regulator has been actively issuing and following through on these notices; this isn’t a power sitting unused on paper.

How The Bloc Studio Will Help You Not Go to Prison

It’s true. We can help. Every website we build comes standard with a Privacy Policy page that is compliant for your own region, a Terms and Conditions page that protects you, and, for South Africa, a PAIA Manual that you can show off to your friends and family and the police.

By now you should be keen to start, right?

Don’t waste any more time. Speak to a designer and let’s see how far we can take your business.

Frequently Asked Questions

If you don’t see your answer in the list then you are welcome to ask us your questions by filling in the fields below.

Do I legally need a privacy policy on my website?

Yes, if your site collects any personal information, even just through a contact form or email signup. In the EU and UK this falls under GDPR, in South Africa under POPIA, and in the US under whichever state privacy laws apply to your visitors. There’s no small business exemption for having the policy itself, only for some of the more detailed obligations.

You risk fines and, in South Africa’s case, potential imprisonment. GDPR penalties reach up to €20 million or 4% of global turnover, UK GDPR mirrors this at up to £17.5 million, and POPIA carries fines up to R10 million plus possible imprisonment under Section 107. Most enforcement starts with a complaint or correction notice, not an immediate maximum fine.

No, but they’re closely related. POPIA is South Africa’s data protection law and was drafted with GDPR’s predecessor as a reference point, so the core principles overlap heavily. The key difference is enforcement: POPIA is the only one of the two with imprisonment (up to 10 years for serious offences) written into the law itself.

Yes. There is no size-based exemption from the requirement to have a PAIA Manual under Section 51 of PAIA, it applies to all private bodies regardless of size. Not having one is itself a criminal offence under Section 90, punishable by a fine or up to two years imprisonment.

A Privacy Policy governs how you handle personal data. Terms and Conditions govern the transaction, relationship, and liability between you and your customer. A PAIA Manual governs how someone can request access to records your business holds, both personal and non-personal. All three are separate legal requirements, not interchangeable documents.

Not safely. A template referencing the wrong governing law, wrong regulator, or wrong consumer protection act is misleading and non-compliant, even if the general structure looks right. A South African business using a UK-governed template, for example, is stating something false about which law actually applies to its customers.

Often yes. GDPR and UK GDPR apply based on where your website visitors are located, not where your business is registered. A South African business serving UK or EU clients typically needs to comply with those regions’ laws too, not just POPIA.

Ignoring a formal enforcement notice under Section 77K of PAIA is a criminal offence carrying a fine and/or up to three years imprisonment, a heavier penalty than simply never having had a manual at all. The Information Regulator has actively issued and followed through on these notices in 2026.

Not automatically. A cookie banner only helps if it actually blocks non-essential scripts like Google Analytics or Meta Pixel until the visitor consents; opt-in consent is required under GDPR and UK GDPR. A banner that displays but doesn’t stop tracking beforehand isn’t a compliant mechanism, it’s decoration.
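The last answer above, and the Google Analytics point in the privacy policy section, both come down to one mechanical question: does a non-essential script get injected into the page before the visitor has opted in? The following is an added example, not The Bloc Studio’s code and not any banner vendor’s API. It is a small consent gate that defers every non-essential script request until a stored choice allows it. The storage key `cookie_consent`, the category names (`necessary`, `analytics`, `marketing`), the `G-EXAMPLE` measurement ID and the script URLs are all illustrative assumptions.

```javascript
// Added example (not the page's or the studio's own code): a consent gate
// that refuses to load non-essential third-party scripts until opt-in.
// Assumptions: consent is stored as JSON under the hypothetical key
// "cookie_consent"; category names and script URLs are illustrative.

const CONSENT_KEY = "cookie_consent";

// Only "necessary" scripts may run without consent; everything else is opt-in,
// and absent or malformed consent counts as "no".
function isAllowed(consent, category) {
  if (category === "necessary") return true;
  return consent !== null && typeof consent === "object" && consent[category] === true;
}

// storage: anything with getItem/setItem (window.localStorage in a browser).
// loader: the function that actually injects a script tag for a URL.
function createConsentGate(storage, loader) {
  const pending = [];   // requests deferred until consent is granted
  const loaded = [];    // URLs that have actually been injected

  function readConsent() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupt value = no consent
  }

  // Ask to load a script in a category; returns true only if it loads now.
  function request(category, src) {
    if (isAllowed(readConsent(), category)) {
      loader(src);
      loaded.push(src);
      return true;
    }
    pending.push({ category, src });
    return false;
  }

  // Record the visitor's choices and release only the deferred scripts they
  // allow; anything still refused stays pending. Returns the released URLs.
  function grant(choices) {
    storage.setItem(CONSENT_KEY, JSON.stringify(choices));
    const released = [];
    for (let i = pending.length - 1; i >= 0; i--) {
      const p = pending[i];
      if (isAllowed(choices, p.category)) {
        pending.splice(i, 1);
        loader(p.src);
        loaded.push(p.src);
        released.push(p.src);
      }
    }
    return released.reverse();
  }

  // Withdrawing consent only stops future loads; a script already running
  // cannot be un-run, so the page must be reloaded to honour the withdrawal.
  function revoke() {
    storage.setItem(CONSENT_KEY, JSON.stringify({ necessary: true }));
  }

  return { request, grant, revoke, loaded, pending, readConsent };
}

// Browser loader: injects a <script> tag. No-op without a DOM so the module
// also runs under Node for the worked run below.
function domLoader(src) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// In-memory stand-in for localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
  };
}

// Worked run: analytics is requested at page load, before any consent, and
// must not be injected; a necessary script loads at once; opting in later
// releases the deferred analytics tag.
function demo() {
  const injected = [];
  const gate = createConsentGate(memoryStorage(), (src) => injected.push(src));
  const GA = "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"; // placeholder ID
  const beforeConsent = gate.request("analytics", GA);   // false: deferred
  gate.request("necessary", "/js/cart.js");               // true: loads now
  const released = gate.grant({ necessary: true, analytics: true, marketing: false });
  return { beforeConsent, injected, released };
}
```

The point of the gate is that the analytics `<script>` tag is never hard-coded in the page head; every call site goes through `request()`, so the only way the tag reaches the DOM is after `grant()` has stored an opt-in. The practical check is the browser’s network tab on a fresh profile: if a request to the analytics host appears before the banner is answered, the banner is decoration in exactly the sense the FAQ describes.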