Cookie Policy
Template — South Africa

A plain-language explanation accessible to non-technical users, covering: what cookies are (small text files stored on the visitor's device), the difference between session cookies (deleted when the browser closes) and persistent cookies (remain until they expire or are deleted), first-party cookies (set by the website itself) versus third-party cookies (set by external services like Google, Facebook, or LinkedIn), and other tracking technologies covered by the policy — including tracking pixels, web beacons, local storage (HTML5), ETags, and device fingerprinting techniques. This foundational section ensures informed consent by explaining the technology before asking for permission.

Categorised disclosure of cookie types following the internationally recognised classification: strictly necessary cookies (authentication, security tokens, load balancing, shopping cart — no consent required), functional cookies (language preferences, display settings, user preferences), analytics and performance cookies (Google Analytics, Hotjar, Matomo — measuring website usage and performance), and marketing and advertising cookies (Facebook Pixel, Google Ads, LinkedIn Insight Tag — retargeting and conversion tracking). Each category includes a clear explanation of its purpose and whether consent is required.

A comprehensive table listing every cookie used on the website — including the cookie name, provider (first-party or specific third-party service), purpose, data collected, type (session or persistent), and expiry period. This granular disclosure is required for GDPR compliance and represents best practice under POPIA. The inventory must be maintained and updated whenever new cookies are added or existing cookies are modified, ensuring the policy remains accurate and current.

Describes the consent mechanism — the cookie consent banner or cookie management platform (CMP), how it works on first visit, the default state of non-essential cookies (not loaded until consent is given — required for GDPR compliance and recommended for POPIA), granular category selection (allowing visitors to accept analytics but reject marketing cookies), how consent is recorded and stored (typically via a consent cookie with a unique identifier), and how the website handles visitors who do not interact with the banner. This section also addresses the requirement that consent be as easy to withdraw as it was to give.

Practical instructions for visitors who want to manage or delete cookies — including step-by-step browser settings instructions for Chrome, Firefox, Safari, Edge, and mobile browsers; links to browser-specific help pages; how to access the website's cookie preference centre to change consent choices; and a clear warning about the functional impact of disabling certain cookies (for example, disabling authentication cookies will prevent login). The section also addresses the Global Privacy Control (GPC) signal and Do Not Track (DNT) browser settings, and whether the website honours these signals.

Identifies every third-party service that sets cookies on the website — including Google Analytics, Google Ads, Facebook/Meta Pixel, LinkedIn Insight Tag, Hotjar, YouTube, Vimeo, social media widgets, and any other embedded content or advertising networks. For each service, the section provides the provider's name, the purpose of their cookies, a link to their privacy and cookie policies, and instructions for opting out of their tracking directly. This transparency is essential because the website operator does not control third-party cookies — the third party's own policies govern their data collection practices.

Discloses whether cookie data is transferred outside South Africa — which it almost certainly is if the website uses Google Analytics (data processed in the US and other countries), Facebook Pixel (data processed by Meta in the US and EU), or other international services. Under POPIA Section 72, cross-border transfers of personal information are permitted only if the recipient country provides adequate protection, or if the data subject consents, or if the transfer is necessary for the performance of a contract. For EU visitors, GDPR Article 44 requires appropriate safeguards for transfers outside the EEA. The section identifies the countries and safeguards involved.

Addresses the processing of personal information of children through cookies. Under POPIA Section 35, processing of children's personal information is prohibited unless specific grounds are met — including the consent of a competent person (parent or guardian). The GDPR requires parental consent for children under 16 (or under 13, depending on the member state). If the website does not target or knowingly collect data from children, this section states so explicitly. If the website does have child users, it addresses the additional consent requirements for cookie-based tracking.

Explains visitors' rights regarding their personal information collected through cookies — including the right to access (POPIA Section 23), the right to correction (Section 24), the right to deletion (Section 24), the right to object to processing (Section 11(3)), and the right to lodge a complaint with the Information Regulator. Provides the contact details of the website's Information Officer or Data Protection Officer, the process for submitting data subject requests, and the expected response timeline (POPIA allows a reasonable period, typically 30 days).

Explains how visitors will be notified of material changes to the Cookie Policy — whether through an updated notice on the website, a notification banner, or email communication for registered users. Includes the effective date of the current version and a version history or changelog for transparency. Addresses whether material changes require renewed consent for previously accepted cookies (best practice under GDPR, recommended under POPIA) and the process for obtaining fresh consent when the cookie inventory changes significantly.