Tracking technologies have become a standard feature of modern Internet-based services, commonly used for persisting state, analytics, targeted advertising, and understanding user behaviour. While they can provide valuable insights and functionality, these tools are often more intrusive than they appear. In many cases, tracking occurs in ways that lack transparency, not only for users, but also for the operators of Internet-based services, such as website owners, who deploy these technologies.

This blog post briefly considers compliance obligations that may arise from the Protection of Personal Information Act, 2013 ("POPIA") in this context. We will focus on websites as a common form of Internet-based services.

The term "tracking technologies" broadly refers to digital tools designed to monitor, collect, and analyse information about how users interact with websites. These tools are capable of capturing and reporting a wide range of information, such as user behaviour, device attributes, navigation patterns, engagement metrics, interaction history and the like.

The most widely recognised type of tracking technology is the cookie – a small data file stored on a user’s browser when a website is accessed which contains data that can be used to identify a user. Once identified, this can allow a user’s activity to be tracked during a single session or across multiple visits, recognise returning users, store preferences, and contribute to profiling for advertising or analytics purposes, even across multiple sites.

While cookies are the most familiar to users, they are just one component of a much larger ecosystem of tracking technologies. Other commonly deployed technologies include:

• Tracking pixels or beacons, which are used to collect data such as page views, device information, and similar metrics by causing a hypertext transfer protocol ("HTTP") request to be made in the background, without the knowledge of the user. HTTP is the protocol used for transferring data (like web pages, images, etc.) between a web server and a web browser over the internet.
• Browser fingerprinting, which is a technique used to identify anonymous users based on a combination of device and browser attributes, such as operating system, language, and time zones, to create a unique user profile.
• Session replay tools, which record a user’s real-time interaction with a website, including mouse movements, scrolling behaviour, clicks, and even typed input, depending on its configuration.
• Audio-based tracking tools, while generally not deployed on websites, may be used in applications that support voice input or speech recognition. These tools are capable of recording audio through a device’s microphone, either in response to a user's action (such as initiating a voice search) or, depending on how the technology is configured, passively in the background.
• Third-party plugins or widgets (such as those that display social media or advertisement content), while not tracking tools in and of itself, can be used to allow publishers the ability to use any of the aforementioned technologies. For example, if multiple websites load content from the same advertising network (e.g. an ad banner or tracking pixel), that network can set or read a cookie associated with its domain across all those websites, thereby identifying and profiling the same user across multiple sites.
• Hyperlink parameters, which function by appending unique identifiers to the link (referred to as the query string), which identifiers can then be passed between websites to continue tracking the user session or behaviour.
• CNAME cloaking, which makes third-party trackers appear as if they are part of the first-party domain, effectively bypassing certain browser-based privacy protections. A CNAME is a type of record in the domain name system used to map one domain name (an alias) to another.

These technologies are often deployed through third-party analytics platforms, such as the Google Analytics' Tag Manager. A website developer would embed a small JavaScript file in each page which, when the page loads, reports metadata about the HTTP request asynchronously, and deploys any number of "tags" (i.e. tracking technologies).

Typically tracking technologies are highly configurable to allow website owners to specify the data they want to collect. By default, they are often configurated op operate to their maximum efficacy.

Applicability of POPIA

When does POPIA apply?

Broadly speaking, POPIA was enacted to promote the protection of personal information and to introduce conditions that establish minimum requirements for lawful processing. POPIA applies to the "processing" of "personal information" by public or private bodies in South Africa, where the responsible party is domiciled in the Republic or where the processing takes place within its borders, unless a specific exception in terms of the Act applies.

POPIA defines "processing" very broadly, so as to include any operation or activity, whether automated or not, involving personal information. This includes the collection, storage, use, dissemination, and even the mere accessing of data. Once personal information is being processed through tracking technologies, the responsible party must identify and rely on a lawful basis for such processing.

POPIA further defines "personal information" as any information relating to an identifiable, living individual or an identifiable, existing juristic person. The definition encompasses a wide array of identifiers, including names, contact details, demographic information, location information and online identifiers or other particular assignments to the person. This broad and non-exhaustive definition reflects a deliberate legislative choice to capture both direct and indirect means of identification.

It is clear that where any tracking technologies collect personal information in South Africa, the information is clearly "processed" and POPIA would apply. This broadly means that the processing is regulated.

Whether or not the personal information collected by tracking technologies is used or not is of no consequence. The mere collection thereof constitutes processing for purpose of POPIA.

Under POPIA, a "responsible party" is the person or entity who determines the purpose of and means for "processing" personal information, and then assumes accountability for compliance.

Thus, if a person decides to publish a website with tracking technologies, they would be the responsible party, whether or not a third-party developer was involved in the creation of the website.

POPIA accordingly imposes a duty on website owners to know and understand the compliance obligations arising from the specific tracking technologies deployed, and the manner in which they are configured.

Lawful processing of POPIA

A detailed analysis of the compliance obligations arising from POPIA falls outside the scope of this blog post, but below we raise a number of issues that need to be navigated for compliance purposes.

Although POPIA sets out a number of bases for lawful processing, seeking the consent of the data subject (i.e. the person whose personal information is being processed), is often necessary when personally identifiable data is collected by tracking technologies.

Under POPIA, consent is only valid when it is voluntary, specific and informed:

• Voluntary: Consent must be given freely, based on a genuine choice without coercion.
• Specific: Consent is specific when tied to a clearly defined purpose. A request for consent that is vague, general, or bundled is less likely to meet this threshold.
• Informed: The user must be given clear, accurate, and adequate information about what data is being collected, why and by whom.

These requirements make it clear that consent cannot be inferred from silence, inaction, or mere continued use of a website.

The requirement for the data subject to be placed in a position to make an informed decision, means that the more invasive the tracking is, the more information needs to be provided to ensure a valid consent.

As an aside, when dealing with minors as data subjects, it is important to note that they cannot give a valid consent without the assistance of their legal guardian.

Data processing agreements

The third-party vendors that provide tracking technologies are processing personal information on behalf of the website owner. In the context of POPIA, this makes them an "operator", and the act imposes a duty on the responsible party to enter into an agreement with each operator to generally specify how personal information will be safeguarded in a compliant manner.

Each such vendor accordingly needs to be vetted, and a suitable data processing agreement must be concluded. These vendors will often have standard form documentation, but they these documents may not comply with the specific requirements imposed by POPIA, and so need to be carefully scrutinised.

Where tracking technologies result in the transfer of personal information to servers located outside the Republic, the responsible party must ensure that such transfers comply with POPIA's cross-border transfer requirements.

Broadly, POPIA provides that personal information may only be transferred to a foreign jurisdiction if certain safeguards are in place. These include, most commonly, that the recipient is subject to a law, binding corporate rules, or agreement that provides an adequate level of protection, that the data subject has consented to the transfer, or that the transfer is necessary for the performance of a contract or in the clear interest of the data subject.

Takeaways

Website owners should make sure that they understand the tracking technologies used by their websites, and the data privacy compliance obligations arising from POPIA.

If third parties are used to configure and manage tracking technologies, they should be contractually bound to:

• be transparent;
• configure tools only as authorised;
• self-audit and certify compliance at regular intervals;
• generally, be subject to a compliance audit by the responsible party.

POPIA requires data subjects to be informed of the manner in which their personal information is processed. In our view, it is best practice to record the use of tracking technologies and how the data collected is processed in an accessible privacy statement, even if a specific consent has been sought. In short, say what you do, and do what you say.