Does my social media have to be POPIA compliant?
Thankfully, no. The Protection of Personal Information Act (POPIA) regulates and imposes obligations on how organisations collect, use, store, delete and process personal information of “data subjects” in pursuit of their commercial activities. Information can only be collected and shared for a legitimate purpose.
It explicitly states that POPIA does not apply to the processing of personal information during a purely personal or household activity. The Act does not define what a purely personal or household activity is, but it can be argued that it excludes any activity that is not a “commercial activity”.
For example, if a woman takes a selfie of herself at a concert and there are several people in the background and she posts the selfie on Instagram, this is a purely personal activity. The woman does not need to get consent from every person who happened to appear in the background of her selfie. This falls outside of any commercial activity that the woman engages in, and it would be excluded from the application of POPIA.
Can I continue posting selfies in public?
The POPI Act should not affect individuals significantly, yes you may continue posting photos with your friends at the beach or any other public space you like. However, it is important to make sure that the information you post online is information you are comfortable having out in the world because POPIA does not protect your personal information if you post it publicly.
There is a difference in protection between filling in your bank account information for online payments, which POPIA will protect, and posting your bank card or information on your timeline for all to see and possibly use, which POPIA will not offer you protection over.
What are the potential pitfalls?
It is also important to be extremely careful with the type of information posted online. Minding one’s business is the best approach because according to section 12 (2)(a) of POPIA; information needs to be collected directly from the data subject unless, it is included in – or derived from – a public record or the data subject has made it publicly known. This means you cannot publicly post about someone else’s behaviour, offenses, or drama you heard about on your online platforms.