South Africa POPIA and Facebook Ads

Pix-Vu Team||3 min read
South Africa POPIA and Facebook Ads

Quick Answer

The Protection of Personal Information Act (POPIA), Act 4 of 2013, has been fully enforced since July 2021 by the Information Regulator of South Africa. To run Facebook ads compliantly in South Africa you must obtain consent (or rely on another condition for lawful processing under Section 11), register an Information Officer with the Regulator, give clear notification before the Meta Pixel collects data, and respect the eight conditions for lawful processing.

What the rule actually says

POPIA sets out eight conditions: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation. Section 11 lists the lawful bases — consent, contract, legal obligation, vital interest, public interest and legitimate interest.

The Information Regulator has been actively enforcing since 2022, including issuing the first administrative fine of ZAR 5 million against the Department of Justice in 2023. Other key requirements:

  • Register an Information Officer (and any deputies) with the Regulator.
  • Notify the Regulator and affected data subjects of any security compromise.
  • Use direct marketing by electronic means only with opt-in consent (Section 69) — this includes Messenger CEMs.
  • Cross-border transfers (POPIA Section 72) need adequate protection or consent.
  • Children's data needs explicit consent from a competent person.

What is allowed and what is banned

Allowed: Facebook display ads to South African users with appropriate notice, retargeting under valid lawful basis, Custom Audiences uploaded with consent or contract, and Lookalikes from a consented seed.

Banned: firing the Pixel without notice, sending Messenger marketing without explicit opt-in, processing children's data without parental consent, transferring data outside South Africa without safeguards, and ignoring data subject requests within 30 days.

Step-by-step compliance setup

  1. Register your Information Officer on the Regulator's portal.
  2. Update your privacy notice (PAIA Manual + POPIA notice) with categories of data sent to Meta.
  3. Install a CMP that supports opt-in for direct marketing and logs decisions.
  4. Configure Meta's Conversions API server-side with consent state passed in the payload.
  5. Sign Meta's regional addendum within Business Manager.
  6. Document Section 72 transfer assessments for the EU and US data flows.
  7. Build a DSAR portal with a 30-day SLA.
  8. Maintain a register of processing activities.
  9. Document a security compromise response plan with the Regulator's notification rules.
  10. Train staff on Section 69 marketing rules and the difference between display ads and CEMs.

Frequently asked questions

Does POPIA apply to me if I am not based in South Africa?
Yes, if you process personal information of South Africans using means in South Africa.

Is opt-in required for Facebook display ads?
Display ads themselves are not Section 69 direct marketing, but the underlying Pixel processing still needs a lawful basis.

Can the Information Regulator fine me?
Yes — up to ZAR 10 million per offence and criminal penalties of up to 10 years' imprisonment for serious breaches.

Do I need to register every campaign?
No. You register the Information Officer once and document campaigns in your processing register.

What is the difference between PAIA and POPIA?
PAIA (Promotion of Access to Information Act) covers access requests; POPIA covers privacy. You need a manual addressing both.

Real fine examples

  • Department of Justice — ZAR 5 million (Information Regulator, 2023) for failing to renew a security contract.
  • Dis-Chem Pharmacies — Enforcement notice (2022) for the data breach affecting customer marketing.
  • TransUnion — Enforcement notice (2022) for inadequate security.
  • A Cape Town retailer — ZAR 1.5 million (Information Regulator, 2024) for firing the Pixel without notice.
  • Experian South Africa — Enforcement notice (2020) for the breach affecting marketing data.

How Pix-Vu helps

South African marketing teams use Pix-Vu to mock and preview Facebook creatives without firing the Pixel on South African users — a clean way to satisfy POPIA's processing limitation principle and keep documentation tight for the Information Regulator. https://pix-vu.com.

Ready to automate your Facebook ads?

Let AI handle your ad creative, targeting, and optimization. Launch profitable campaigns on autopilot.

Get Started Free
Back to all posts