
POPIA Compliance for Digital Advertisers: What South African Agencies Need to Know

By Aadil Saloojee
Tags: POPIA, privacy, consent, South Africa, GDPR, compliance

If you run digital advertising in South Africa, you’re subject to the Protection of Personal Information Act (POPIA). That much is obvious. What’s less obvious is how POPIA actually applies to your ad tech stack — the tags firing on your website, the data flowing to ad platforms, the audiences you’re building, and the conversion events you’re tracking.

Most South African agencies and brands treat privacy compliance as a cookie banner problem. Put up a banner, tick the box, move on. That approach was barely adequate in 2024. In 2026, with the Information Regulator actively investigating complaints and Google requiring Consent Mode V2 for all advertisers targeting the EEA, it’s a liability.

This guide covers what POPIA actually requires from digital advertisers, where the real compliance gaps are hiding, and what you can do about them — practically, not theoretically.

POPIA Basics for Digital Advertisers

POPIA is South Africa’s comprehensive data protection law, in full effect since July 2021 with enforcement beginning in 2023. If you’ve worked with GDPR, the concepts will feel familiar — but there are important differences.

What POPIA Covers

POPIA protects “personal information” of “data subjects.” In the context of digital advertising, this includes:

  • Cookie identifiers and device IDs — anything that can identify or single out a user
  • IP addresses — explicitly mentioned in POPIA’s definition
  • Email addresses and phone numbers — used in customer match, enhanced conversions, and CRM audiences
  • Behavioural data — browsing patterns, purchase history, ad interactions
  • Location data — used for geo-targeting and store visit tracking

If your ad tech stack processes any of this — and it does — POPIA applies.

POPIA vs GDPR: Key Differences

| Aspect | GDPR | POPIA |
| --- | --- | --- |
| Lawful bases | 6 bases (consent, legitimate interest, contract, etc.) | 8 conditions (similar, but with nuances) |
| Consent standard | Must be freely given, specific, informed, unambiguous | Must be voluntary, specific, informed (similar standard) |
| Legitimate interest | Available, with balancing test | Available under “legitimate interest of data subject or responsible party”; less tested in SA courts |
| Direct marketing | Opt-in required (ePrivacy Directive) | Existing customers: opt-out allowed. New prospects: opt-in required (Section 69) |
| Penalties | Up to 4% of global turnover | Up to R10 million fine, or imprisonment up to 10 years |
| Enforcement body | National DPAs (well-resourced) | Information Regulator (growing capacity, actively investigating since 2024) |

The critical difference for advertisers: POPIA’s direct marketing rules under Section 69 draw a clear line between existing customers (whom you can market to until they opt out) and new prospects (who must opt in). This directly affects how you build remarketing audiences and use customer lists.

The “Responsible Party” Problem

Under POPIA, the “responsible party” (equivalent to GDPR’s data controller) bears primary responsibility. If you’re an agency, your client is usually the responsible party — but you’re the “operator” (processor), and you have your own obligations.

More importantly, if your client’s website uses your GTM container, and that container fires tags that collect personal information without proper consent, both of you have a problem.

The practical implication: agencies can’t hide behind “that’s the client’s responsibility.” If you implemented the tags, you need to ensure they’re compliant.

In March 2024, Google made Consent Mode V2 mandatory for advertisers targeting EEA users. While this requirement is technically about European users, it has significant implications for South African advertisers:

  1. If you have any European traffic (and most sites do), you need Consent Mode implemented.
  2. Google is moving toward consent-based measurement globally. The EEA requirement is the beginning, not the end.
  3. POPIA’s consent requirements align closely with what Consent Mode enforces. Implementing it for GDPR compliance effectively makes you POPIA-compliant on the tag management side.

Consent Mode is a signalling mechanism between your Consent Management Platform (CMP) and Google tags. It uses four consent states:

// Default state — set BEFORE any tags fire
gtag('consent', 'default', {
  'ad_storage': 'denied',        // Advertising cookies
  'ad_user_data': 'denied',      // Sending user data to Google for ads
  'ad_personalization': 'denied', // Remarketing and personalisation
  'analytics_storage': 'denied'   // Analytics cookies
});

// Updated when user grants consent
gtag('consent', 'update', {
  'ad_storage': 'granted',
  'ad_user_data': 'granted',
  'ad_personalization': 'granted',
  'analytics_storage': 'granted'
});

In basic mode, Google tags simply don’t fire until consent is granted. You lose data from users who don’t consent.

In advanced mode, Google tags fire in a “cookieless” mode when consent is denied. No cookies are set and no personal data is collected, but Google uses the pings to model conversions and behaviour. This is the recommended approach because it preserves measurement coverage while respecting consent.

Here’s why Consent Mode matters for POPIA compliance specifically:

  • ad_storage: denied prevents advertising cookies from being set — aligning with POPIA’s requirement that personal information processing be limited to what the data subject consented to.
  • ad_user_data: denied prevents user data from being sent to Google for advertising purposes — directly relevant to POPIA’s purpose limitation condition.
  • ad_personalization: denied prevents remarketing list building — relevant to POPIA’s Section 69 direct marketing provisions.

If your GTM container doesn’t implement Consent Mode, every Google tag fires with full data collection from the first page load, regardless of whether the user has consented. Under POPIA, that’s processing personal information without a lawful basis.

The Tag Management Compliance Gap

This is where theory meets practice — and where most South African advertisers are exposed.

The Problem

A typical e-commerce site’s GTM container has 30-50 tags across Google Analytics, Google Ads, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, and various third-party scripts. For each of these tags, you need to answer two questions:

  1. Does this tag fire before the user consents? If yes, you’re processing personal information without a lawful basis.
  2. Does this tag respect consent mode signals? A tag can fire after consent is granted but still ignore consent mode, effectively backdating its data collection.

Google tags natively support Consent Mode — if it’s implemented correctly, they’ll respect the consent signals. But non-Google tags (Meta Pixel, TikTok Pixel, LinkedIn Insight Tag) do not natively understand Google’s consent signals. They need separate consent-based triggers in GTM.

What “Compliant” Actually Looks Like

For each tag in your container, the correct setup depends on the tag type:

Google tags (GA4, Google Ads, Floodlight):

  • Consent Mode defaults set before tag fires
  • Tag fires on page load (Consent Mode handles the rest in advanced mode)
  • Or: tag fires only after consent in basic mode

Meta Pixel:

  • Tag fires only when a consent trigger confirms ad_storage and ad_user_data are granted
  • Or: Meta’s Limited Data Use flag is set for non-consented users (US-specific, but shows the pattern)

TikTok Pixel:

  • Tag fires only after consent
  • TikTok’s limited_data_use parameter set appropriately

LinkedIn Insight Tag:

  • Tag fires only after consent
  • No native consent mode — fully dependent on trigger-based control

Any other third-party script:

  • Must be gated behind a consent trigger
  • If it sets cookies or collects identifiers, it cannot fire until consent is granted

The uncomfortable truth: in our experience auditing GTM containers for South African businesses, fewer than 20% have proper consent-based triggering for non-Google tags. Most Meta Pixels fire on page load, regardless of consent state.
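As an added example (not code from the article or from Alethia), the gate logic below models the rules just described: the Consent Mode default must be set before any update, Google tags are left to Consent Mode, and every non-Google tag fires only behind an explicit consent check. The tag registry and the signals each non-Google tag requires are assumptions made for this example.

```javascript
// Consent signals used by Consent Mode (the four states shown earlier).
const CONSENT_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Minimal stand-in for gtag('consent', 'default' | 'update', ...). It enforces the
// ordering rule stressed above: the default state must be set before any update.
function createConsentState() {
  const state = {};
  return {
    set(command, values) {
      if (command === 'default' && Object.keys(state).length > 0) {
        throw new Error("consent 'default' must be set before any 'update'");
      }
      for (const signal of CONSENT_SIGNALS) {
        if (signal in values) state[signal] = values[signal];
      }
    },
    get() { return { ...state }; },
  };
}

// Constructed tag registry following the per-tag rules above. Google tags are left to
// Consent Mode; every other tag needs an explicit consent-based trigger. Which signals
// each non-Google tag must see as granted is an assumption made for this example.
const TAG_RULES = {
  'GA4':                { vendor: 'google',   requires: ['analytics_storage'] },
  'Google Ads':         { vendor: 'google',   requires: ['ad_storage', 'ad_user_data'] },
  'Meta Pixel':         { vendor: 'meta',     requires: ['ad_storage', 'ad_user_data'] },
  'TikTok Pixel':       { vendor: 'tiktok',   requires: ['ad_storage', 'ad_user_data'] },
  'LinkedIn Insight':   { vendor: 'linkedin', requires: ['ad_storage'] },
  'Third-party widget': { vendor: 'other',    requires: ['analytics_storage'] },
};

// Decide whether one tag may fire in the given consent state. A signal that was never
// set counts as denied (fail closed): a missing signal is the "no Consent Mode" gap.
function tagMayFire(tagName, consent, mode = 'advanced') {
  const rule = TAG_RULES[tagName];
  if (!rule) return false;                 // unregistered tag: never fire ungated
  if (rule.vendor === 'google' && mode === 'advanced') {
    return true;                           // fires, but cookieless while denied
  }
  return rule.requires.every((signal) => consent[signal] === 'granted');
}

// The container's firing plan for a consent state: the tags allowed to fire right now.
function firingPlan(consent, mode = 'advanced') {
  return Object.keys(TAG_RULES).filter((tag) => tagMayFire(tag, consent, mode));
}
```

Run firingPlan against the default (all denied) state and again after an update to see which tags a correctly gated container holds back; a Meta Pixel that appears in the plan before ad_storage and ad_user_data are granted is the misconfiguration described above.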

Enhanced Conversions and POPIA

Enhanced conversions is Google’s solution to the measurement gap caused by cookie deprecation and consent-based tracking. Instead of relying solely on cookies, you send hashed first-party data (email address, phone number, name, address) to Google, which matches it against signed-in Google users to attribute conversions.

Can You Use Enhanced Conversions Under POPIA?

The short answer: yes, but with conditions.

The data you send must be hashed. Enhanced conversions uses SHA-256 hashing before the data leaves the browser (when implemented via GTM) or your server. Hashing is one-way: Google can’t recover the original email address from the hash, but the hash of the same address still matches, which is how the attribution works.

You need a lawful basis for the processing. Consent is the cleanest option. If a user has consented to advertising cookies and data sharing (ad_storage: granted, ad_user_data: granted), you can process their data for conversion measurement.

Legitimate interest may apply — POPIA allows processing where there’s a legitimate interest that doesn’t infringe on the data subject’s privacy. Conversion measurement for a purchase the user just completed arguably falls within this, but it hasn’t been tested by the Information Regulator.

You must disclose it. Your privacy policy needs to mention that you use hashed first-party data for conversion measurement. Most privacy policies don’t.

Pro tip: If you’re using enhanced conversions, implement it server-side rather than client-side where possible. Server-side implementation gives you more control over what data is sent and when, and makes it easier to respect consent signals programmatically.

The Practical Recommendation

For South African advertisers, we recommend:

  1. Implement enhanced conversions — the measurement benefits are significant.
  2. Gate it behind consent — only send hashed data when the user has granted ad_user_data consent.
  3. Disclose it clearly in your privacy policy.
  4. Use server-side implementation if you have the technical capability.

This gives you the measurement accuracy of enhanced conversions while maintaining a defensible compliance position under POPIA. For the full implementation checklist, see our Google Ads audit guide.

Let’s address the elephant in the room. Most South African websites that have any privacy implementation at all have a cookie banner. It usually says something like “This site uses cookies. Click OK to continue.” Sometimes there’s a link to a cookie policy.

This is not compliance. Not under GDPR, and not under POPIA.

Under POPIA (and GDPR, which is relevant if you have any international traffic), consent must be:

  • Informed: The user must understand what they’re consenting to. “This site uses cookies” tells them nothing about what data is collected, who receives it, or why.
  • Specific: Consent must be granular. A single “Accept All” button without the option to choose categories (analytics, advertising, functional) does not constitute specific consent.
  • Voluntary: Pre-checked boxes, dark patterns (a big green “Accept” button and a tiny grey “Manage preferences” link), and cookie walls (you can’t use the site unless you accept) undermine voluntariness.

What You Actually Need

  1. A Consent Management Platform (CMP) that integrates with GTM. Options include Cookiebot, OneTrust, Termly, or Google’s built-in consent mode with a lightweight banner.

  2. Granular consent categories — at minimum: Necessary (no consent required), Analytics, and Advertising.

  3. Integration with Consent Mode — the CMP must fire gtag('consent', 'update', {...}) with the correct signals based on user choices.

  4. GTM triggers that respect consent state — non-Google tags must have consent-based triggers, not just page load triggers.

  5. A reject option that actually works — if a user declines advertising cookies, Meta Pixel must not fire. Period.

  6. Record of consent — you should be able to demonstrate what a user consented to and when. Most CMPs provide this automatically.

Auditing Your Compliance

Here’s a practical audit process you can run on any site:

Step 1: Clear all cookies and visit the site in an incognito window

Before interacting with the cookie banner, open your browser’s developer tools and check:

  • What cookies are already set?
  • What network requests have fired?
  • Has the Meta Pixel, TikTok Pixel, or any advertising tag already loaded?

If advertising tags fire before you interact with the consent banner, you have a compliance violation.

Step 2: Decline all optional cookies

Click “Reject” or disable advertising cookies in the consent preferences. Then check:

  • Are advertising cookies still being set?
  • Are advertising network requests still firing?
  • Does the Meta Pixel still load?

If anything advertising-related fires after you’ve declined consent, your consent implementation is decorative, not functional.

Step 3: Accept all cookies

Now accept everything and verify:

  • Do consent mode signals update correctly? (Check in GTM Preview mode)
  • Do tags fire with the correct consent state?
  • Are enhanced conversion tags sending data?

Step 4: Check your privacy policy

  • Does it mention all the platforms you send data to?
  • Does it describe enhanced conversions or customer match?
  • Does it list the specific cookies your site sets?
  • Does it name the Information Regulator as the relevant authority?
  • Does it provide a clear mechanism for data subject requests (access, deletion, objection)?
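Steps 1 and 2 of this audit can be run over a saved network capture rather than by eye. The check below is an added example, not the article’s or Alethia’s code; the host patterns are illustrative and the capture is constructed for the example.

```javascript
// Illustrative host patterns for the non-Google advertising tags the audit looks for.
// Extend with whatever hosts your own capture shows; this is not a complete list.
// Google tags are deliberately excluded: in advanced Consent Mode they legitimately send
// cookieless pings before consent, so check their consent state in GTM Preview instead.
const NON_GOOGLE_AD_TAGS = [
  { vendor: 'Meta Pixel',       host: /(^|\.)facebook\.(com|net)$/ },
  { vendor: 'TikTok Pixel',     host: /(^|\.)tiktok\.com$/ },
  { vendor: 'LinkedIn Insight', host: /(^|\.)(linkedin\.com|licdn\.com)$/ },
];

function classifyRequest(url) {
  const host = new URL(url).hostname;
  const match = NON_GOOGLE_AD_TAGS.find((tag) => tag.host.test(host));
  return match ? match.vendor : null;
}

// Steps 1 and 2 as a check over a capture: which ad tags fired before the visitor made
// any choice, and which kept firing after consent was rejected. Either is a violation.
function auditCapture(capture) {
  const { atMs: decisionAt, choice } = capture.consentDecision;
  const firedBeforeConsent = new Set();
  const firedAfterRejection = new Set();
  for (const req of capture.requests) {
    const vendor = classifyRequest(req.url);
    if (!vendor) continue;
    if (req.atMs < decisionAt) firedBeforeConsent.add(vendor);
    else if (choice === 'rejected') firedAfterRejection.add(vendor);
  }
  return {
    firedBeforeConsent: [...firedBeforeConsent],
    firedAfterRejection: [...firedAfterRejection],
    compliant: firedBeforeConsent.size === 0 && firedAfterRejection.size === 0,
  };
}

// Constructed sample capture (not real traffic): first requests of a fresh incognito
// session on a fictitious site; the visitor clicked "Reject" 4.2 s after page load.
const SAMPLE_CAPTURE = {
  consentDecision: { atMs: 4200, choice: 'rejected' },
  requests: [
    { atMs: 120,  url: 'https://shop.example.co.za/' },
    { atMs: 310,  url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' },
    { atMs: 640,  url: 'https://connect.facebook.net/en_US/fbevents.js' },
    { atMs: 910,  url: 'https://www.facebook.com/tr/?id=PLACEHOLDER&ev=PageView' },
    { atMs: 1200, url: 'https://analytics.tiktok.com/i18n/pixel/events.js' },
    { atMs: 4900, url: 'https://px.ads.linkedin.com/collect?pid=PLACEHOLDER' },
    { atMs: 5100, url: 'https://shop.example.co.za/api/cart' },
  ],
};
```

On the sample, auditCapture reports Meta Pixel and TikTok Pixel firing before any consent choice and LinkedIn Insight firing after rejection, the two failure modes Steps 1 and 2 describe.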

How Alethia Automates This

Manually auditing consent compliance across multiple client sites is time-consuming and error-prone. It requires checking browser developer tools, GTM Preview mode, network requests, and privacy policies for each site — and repeating the process every time a tag is added or changed.

Alethia’s compliance audit runs this process programmatically. It inspects the GTM container for consent mode implementation, checks tag firing rules against consent states, verifies that non-Google tags have consent-based triggers, and flags gaps with specific remediation steps. For agencies managing multiple client sites, it runs the same audit across all of them with consistent thoroughness.

If you’re unsure about your current compliance posture, that’s the best place to start. An audit tells you exactly where the gaps are, so you can fix them in priority order rather than guessing.

The Bottom Line

POPIA compliance for digital advertisers isn’t about cookie banners. It’s about ensuring that every piece of your ad tech stack — every tag, every pixel, every conversion event — processes personal information only when it has a lawful basis to do so.

The good news: the technical infrastructure exists. Consent Mode V2 gives you the signalling mechanism. GTM gives you the trigger-based control. CMPs give you the user-facing consent collection. The challenge is wiring it all together correctly and keeping it correct as tags are added, platforms change, and regulations evolve.

For South African agencies, there’s an additional consideration: the Information Regulator is getting more active, not less. The first wave of enforcement focused on large data breaches and obvious violations. The next wave will look at digital marketing practices — cookies, tracking, audience building, cross-platform data sharing. The agencies that have their house in order will have a competitive advantage. The ones that don’t will have a compliance problem.

Start with an audit. Fix what you find. Build consent into your tag management process, not around it. And if you’re managing this across multiple clients, automate the monitoring — because manual checks don’t scale and compliance gaps don’t announce themselves.