In 2023 the Information Regulator issued its first enforcement notice, against the Department of Justice, over a Public Protector data leak. The notice itself was a procedural step, not a fine; the R5 million infringement notice followed in July 2023 when the Department missed the remediation deadline. Three months on, the Regulator issued an enforcement notice against TransUnion over the credit-bureau breach. By 2024 the cadence had picked up: several South African brands and one major bank had been formally cautioned. The Regulator had moved from training-wheels mode into the operational phase POPIA always promised.
Most marketing teams missed it. They had spent the previous five years treating POPIA as a less strict GDPR. The Act is more prescriptive than that, in several places a GDPR-trained team tends to overlook, and the cookie-deprecation timeline now folds those constraints directly into the campaign workflow.
Where POPIA is stricter
- The eight conditions for lawful processing apply to every item of personal information; routine campaign data gets no lighter treatment than the special categories
- The Act assigns explicit accountability to a named Information Officer, who must be registered with the Regulator
- Cross-border transfers (section 72) require the recipient to be bound to an adequate level of protection, by law, binding corporate rules or a binding agreement, and the responsible party must be able to evidence that, not merely point to a contract clause
- Direct marketing by electronic means (section 69) has its own opt-in regime, tracked separately from general consent
- Data subject access requests have shorter response windows in practice
The first point is the one most marketing stacks fail. Treating routine campaign data as if it were less regulated than financial or health data produces processing chains with no documented basis and no audit trail. The Act does not make that distinction, so neither can the stack.
Why the cookie deprecation makes it worse
Safari has blocked third-party cookies by default under ITP since 2020, and Firefox under Total Cookie Protection since 2022. Chrome's roadmap continues to wobble, but the direction of travel is consistent. The replacement most stacks are reaching for is first-party data. That is the right answer technically. It is also the one that carries the most compliance weight.
First-party data implies higher accountability. The brand collects it, the brand stores it, the brand is the responsible party. Third-party cookies spread the liability, at least in perception, across the ad-tech chain. First-party data concentrates it on the brand.
- Every CRM record needs a documented lawful basis
- Every audience push to ad networks needs a transfer-evidence trail
- Every progressive-profiling form needs an explicit POPIA-compliant disclosure
- Every consent-state change needs to propagate to ad networks within a defensible window
The maths gets unfriendly fast. A brand with five connected channels and three CRM systems has fifteen CRM-to-channel export paths, each of which needs the consent platform's current state before an audience leaves the stack, and each of which is a point where a POPIA violation can occur. Most stacks have not been audited at that level.
“The teams that treat first-party data like a marketing asset eventually face the regulator. The teams that treat it like a regulated asset never do.”
What good looks like
Three operational habits separate the well-run stacks from the rest.
- A consent platform that is the single source of truth, propagating both in and out to every connected system in seconds
- A documented lawful basis attached to every audience export, not just every database table
- Quarterly audits of the data flowing to ad networks, not annual reviews
The last one is where most teams underspend. Ad-network audiences are mutable: lookalikes get expanded, suppression lists get rotated, exclusions get rebuilt. An opt-out recorded in the consent platform can sit in a live audience for weeks if nothing checks. A quarterly cadence catches that drift before it becomes a violation.
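The checks the two lists above describe (a documented lawful basis per record, a direct-marketing opt-in separate from general consent, transfer evidence for a cross-border destination, and a bound on how long a withdrawn consent may linger in an ad network's audience) can be put in front of every audience export as a single gate. The following is an added example written for this page, not code from the article's author or from any consent platform or ad network. The record fields, the network names, the 24-hour "defensible window" and the sample subjects are all constructed assumptions.

```python
"""Audience-export gate (added example; field names and the 24-hour window are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HOME_COUNTRY = "ZA"
PROPAGATION_WINDOW = timedelta(hours=24)  # assumed "defensible window" for an opt-out to reach the network


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    lawful_basis: Optional[str]     # e.g. "consent", "existing-customer"; None = nothing documented
    direct_marketing_opt_in: bool   # section 69 opt-in, tracked separately from general consent
    updated_at: datetime            # when this state last changed in the consent platform


@dataclass(frozen=True)
class Destination:
    network: str
    country: str
    transfer_evidence: Optional[str]  # reference to the documented section 72 basis, None if absent


@dataclass
class GateResult:
    approved: list = field(default_factory=list)              # (subject_id, lawful_basis, evidence ref)
    rejected: dict = field(default_factory=dict)              # subject_id -> reason
    propagation_breaches: list = field(default_factory=list)  # rejected subjects the network still holds


def gate_export(audience, consents, destination, network_state, now):
    """Decide, record by record, whether an audience push may leave the stack.

    audience:      subject ids the CRM wants to push
    consents:      dict subject_id -> ConsentRecord, read from the consent platform
    destination:   the ad network and the country it processes the data in
    network_state: dict subject_id -> True if the network currently holds the subject
    now:           evaluation time (timezone-aware)
    """
    result = GateResult()
    # A cross-border destination needs documented transfer evidence before any record moves.
    cross_border = destination.country != HOME_COUNTRY
    if cross_border and destination.transfer_evidence is None:
        for subject_id in audience:
            result.rejected[subject_id] = "no documented cross-border transfer evidence"
        return result

    for subject_id in audience:
        record = consents.get(subject_id)
        if record is None:
            result.rejected[subject_id] = "no consent record"
            continue
        if record.lawful_basis is None:
            result.rejected[subject_id] = "no documented lawful basis"
        elif not record.direct_marketing_opt_in:
            result.rejected[subject_id] = "no direct-marketing opt-in"
        else:
            evidence = destination.transfer_evidence if cross_border else "domestic"
            result.approved.append((subject_id, record.lawful_basis, evidence))
            continue
        # A rejected subject the network still holds is drift; past the window it is a breach.
        if network_state.get(subject_id) and now - record.updated_at > PROPAGATION_WINDOW:
            result.propagation_breaches.append(subject_id)
    return result


def sample_run():
    """Constructed data: six subjects, one documented destination, one without transfer evidence."""
    now = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)
    consents = {
        "s1": ConsentRecord("s1", "consent", True, now - timedelta(days=30)),
        "s2": ConsentRecord("s2", "existing-customer", True, now - timedelta(days=10)),
        "s3": ConsentRecord("s3", "consent", False, now - timedelta(days=3)),   # opted out 3 days ago
        "s4": ConsentRecord("s4", None, True, now - timedelta(days=1)),         # basis never documented
        "s6": ConsentRecord("s6", "consent", False, now - timedelta(hours=2)),  # opted out 2 hours ago
    }
    audience = ["s1", "s2", "s3", "s4", "s5", "s6"]  # s5 has no consent record at all
    network_state = {"s1": True, "s2": True, "s3": True, "s6": True}  # what the network holds today
    documented_dest = Destination("network-a", "IE", "transfer-assessment-2024-07")
    undocumented_dest = Destination("network-b", "US", None)
    return (gate_export(audience, consents, documented_dest, network_state, now),
            gate_export(audience, consents, undocumented_dest, network_state, now))


if __name__ == "__main__":
    ok, blocked = sample_run()
    print("approved:", ok.approved)
    print("rejected:", ok.rejected)
    print("propagation breaches:", ok.propagation_breaches)
    print("undocumented destination blocked every record:", len(blocked.rejected) == 6)
```

Run against the constructed data, the documented destination approves s1 and s2 with the transfer-evidence reference attached to each approved row (that is the export's evidence trail), rejects the other four with a reason each, and flags s3 alone as a propagation breach: it opted out three days ago and the network still holds it, whereas s6 opted out two hours ago and is still inside the window. The undocumented destination is refused wholesale before any per-record check runs. The approved list is the artefact to keep per export; the breach list is what a quarterly audit of live audiences should be producing.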
What this means for the agency
The agency's role is not just creative and media anymore. It is the integration audit point between consent platform, CRM and channels. That is operational work that does not bill like creative work, but it is increasingly where the regulatory exposure sits.
We treat it as core operational hygiene rather than a separate compliance project. The brands that work with us this way carry less regulatory exposure than the brands that bolt compliance on after the fact.