Evaluating Data Privacy Compliance of South African E-Commerce Websites Against POPIA

  • Adele Da Veiga University of South Africa, South Africa
  • Hanifa Abdullah University of South Africa, South Africa
  • Sunet Eybers University of South Africa, South Africa
  • Elisha Ochola University of South Africa, South Africa
  • Mathias Mujinga University of South Africa, South Africa
  • Emilia Mwim University of South Africa, South Africa
Keywords: data privacy, e-commerce, websites, evaluation criteria, Protection of Personal Information Act (POPIA)

Abstract

South African e-commerce websites must comply with the Protection of Personal Information Act (POPIA) to process customer’s personal information. However, limited research exists about data privacy implementation within these websites. This study assesses the extent of data privacy integration in 50 SA e-commerce websites. The assessment uses 57 evaluation criteria developed in the initial phases of the study, mapped to POPIA and refined in this study. While some e-commerce websites meet the requirements, significant improvements are required to safeguard users' personal information. Key areas requiring attention include processing consent, strong password management, and quality of data that was not ensured. Recommendations include clear data collection practices, explicit purpose specification, consent acquisition for processing, marketing preferences and sharing with third parties, data quality maintenance and enhanced security measures for passwords. Many online privacy policies fail to cover all POPIA privacy conditions and specific recommendations for content are included. These findings highlight a critical need for stronger data privacy practices in South African e-commerce to protect customer information. The refined evaluation criteria are a novel contribution for use by organisations to assess or develop their websites to operationalise POPIA requirements, supporting better self-assessment and integration of data privacy measures.

Downloads

Download data is not yet available.

References

G. Greenleaf, “Global data privacy laws 2023: 162 national laws and 20 bills,” Privacy Laws and Business International Report, vol. 181, no. 1, pp. 1–4, 2023, doi: 10.2139/ssrn.4426146.

South African Government, “Protection of Personal Information Act No. 4 of 2013.,” 2013. Accessed: Oct. 22, 2023.

Z. Wu, S. Shen, H. Zhou, H. Li, C. Lu, and D. Zou, “An effective approach for the protection of user commodity viewing privacy in e-commerce website,” Knowl Based Syst, vol. 220, no. 2021, p. 106952, 2021, doi: 10.1016/j.knosys.2021.106952.

R. Bandara, M. Fernando, and S. Akter, “Privacy concerns in e-commerce: A taxonomy and a future research agenda,” Electronic Markets, vol. 30, no. 3, pp. 629–647, 2020, doi: 10.1007/s12525-019-00375-6.

A. Eckert, G. S. Milan, G. Roy, and R. Bado, “Welcome back: Repurchase intention of Brazilian customers on e-commerce websites,” Revista de Ciências da Administração, vol. 23, no. 59, pp. 106–120, May 2021, doi: 10.5007/2175-8077.2021.e69913.

Legalese, “What are the Most Common POPIA Violations,” Legalese, 2024. Accessed: Nov. 14, 2024.

S. Mzekandaba, “InfoReg slaps TransUnion with enforcement notice,” IT Web, 2024. Accessed: Nov. 14, 2024.

Information Regulator South Africa, “Information Regulator South Africa: Enforcement notices,” Information Regulator South Africa, 2024. Accessed: Nov. 14, 2024.

C. Matte, N. Bielova, and C. Santos, “Do cookie banners respect my choice?: Measuring legal compliance of banners from IAB Europe’s transparency and consent framework,” In Proceedings of IEEE Symposium on Security and Privacy, vol. 2020-May, pp. 791–809, 2020, doi: 10.1109/SP40000.2020.00076.

Y. Javed, K. M. Salehin, and M. Shehab, “A study of South Asian websites on privacy compliance,” IEEE Access, vol. 8, pp. 156067–156083, 2020, doi: doi.org/10.1109/ACCESS.2020.3019334.

D. Brandreth and J. Ophoff, “Investigating customer-facing security features on South African e-commerce websites,” in Information and Cyber Security: 19th International Conference, ISSA 2020, Springer Science and Business Media Deutschland GmbH, 2020, pp. 144–159. doi: 10.1007/978-3-030-66039-0_10.

A. Vorster and A. da Veiga, “Proposed guidelines for website data privacy policies and an application thereof,” in International Symposium on Human Aspects of Information Security and Assurance, Skovde: Springer Nature Switzerland, Jul. 2023, pp. 192–210. doi: 10.1007/978-3-031-38530-8_16

J. Maraba and A. Da Veiga, “A study of online privacy policies of South African retail websites,” in International Conference on Advanced Research in Technologies, Information, Innovation and Sustainability, Madrid: Springer Nature Switzerland, Oct. 2023, pp. 426–440. doi: 10.1007/978-3-031-48855-9_32.

A. Da Veiga, E. Ochola, M. Mujinga, and E. Mwim, “Investigating data privacy evaluation criteria and requirements for e-commerce websites,” in Advanced Research in Technologies, Information, Innovation and Sustainability. ARTIIS 2022. Communications in Computer and Information Science, M. F. Guarda, T., Portela, F., Augusto, Ed., Springer, Cham, 2022, pp. 297–307. doi: 10.1007/978-3-031-20316-9.

A. Roos, “Data protection principles under the GDPR and the POPI Act: A comparison,” THRHRS, vol. 86, no. February 2023, pp. 1–26, 2023.

G. Greenleaf, Global tables of data privacy laws and bills (8th Ed.), 2023

M. Goddard, “The EU General Data Protection Regulation (GDPR): European regulation that has a global impact,” International Journal of Market Research, vol. 59, no. 6, pp. 703–705, 2017, doi: 10.2501/ijmr-2017-050.

C. Murray, “U.S. data privacy protection laws: A comprehensive guide,” Forbes. Accessed: Mar. 20, 2024.

European Commission, “European Commission launches EU-U.S. privacy shield: Stronger protection for transatlantic data flows.” Accessed: Mar. 20, 2024.

G. Greenleaf, “Global data privacy laws 2019: 132 national laws & many bills,” Privacy Laws & Business International Report, vol. 2019, no. 157, pp. 14–18, 2019, doi: 10.2139/ssrn.4426146.

A. Gurung and M. K. Raja, “Online privacy and security concerns of consumers,” Information and Computer Security, vol. 24, no. 4, pp. 348–371, 2016, doi: 10.1108/ICS-05-2015-0020.

S. Barth, D. Ionita, and P. Hartel, “Understanding online privacy - A systematic review of privacy visualizations and privacy by design guidelines,” ACM Comput Surv, vol. 55, no. 3, 2022, doi: 10.1145/3502288.

F. Pereira, P. Crocker, and V. R. Q. Leithardt, “PADRES: Tool for PrivAcy, Data REgulation and Security,” SoftwareX, vol. 17, p. 100895, 2022, doi: 10.1016/j.softx.2021.100895.

G. Fox, C. Tonge, T. Lynn, and J. Mooney, “Communicating compliance: Developing a GDPR privacy label,” in In Proceedings of the 24th Americas Conference on Information Systems 2018: Digital Disruption, AMCIS 2018, 2018, pp. 1–5.

A. Rossi and M. Palmirani, “A visualization approach for adaptive consent in the European data protection framework,” Proceedings of the 7th International Conference for E-Democracy and Open Government, CeDEM 2017, pp. 159–170, 2017, doi: 10.1109/CeDEM.2017.23.

A. Clement, D. Ley, T. Costantino, D. Kurtz, and M. Tissenbaum, “The PIPWatch toolbar: Combining PIPEDA, PETs and market forces through social navigation to enhance privacy protection and compliance,” in In Proceedings of 2008 IEEE International Symposium on Technology and Society, IEEE, 2008, pp. 1–10. doi: 10.1109/ISTAS.2008.4559759.

D. Basimanyane, “The regulatory dilemma on mass communications surveillance and the digital right to privacy in Africa: The case of South Africa.,” African Journal of International and Comparative Law , vol. 30, no. 3, pp. 361–382, 2022, doi: 10.3366/ajicl.2022.0414.

Constitution of the Republic of South Africa, “South African Government,” 1996. Accessed: Oct. 22, 2023.

South Africa Government, “Protection of Personal Information Act No. 4 of 2013.,” 2013. Accessed: Oct. 22, 2023.

Organisation for Economic Co-operation and Development (OECD), “The OECD Privacy Framework. Technical Report. OECD.” Accessed: Oct. 22, 2023.

I. Wagner, “Privacy Policies Across the Ages: Content of Privacy Policies 1996–2021.,” ACM Transactions on Privacy and Security, vol. 26, no. 3, pp. 1–32, 2023.

P. J. de Waal, “The Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA): It is time to take note.,” Current Allergy & Clinical Immunology, vol. 35, no. 4, pp. 232–236, 2022.

M. Katurura and L. Cilliers, “Privacy in wearable health devices: How does POPIA measure up?,” in Proceedings of 4th International Conference on the Internet, Cyber Security and Information Systems, 2019, pp. 112–122. doi: 10.29007/qsp7.

E. Raaff, N. Rothwell, and A. Wynne, “Aligning South African data and cloud policy with the POPI Act,” in International Conference on Cyber Warfare and Security, 2022, pp. 279–287. doi: 10.34190/iccws.17.1.19.

T. Moabalobelo, S. Ngobeni, B. Molema, P. Pantsi, M. Dlamini, and N. Nelufule, “Towards a Privacy Compliance Assessment Toolkit,” in 2023 IST-Africa Conference (IST-Africa), IEEE, 2023, pp. 1–8.

South African Government, “Promotion of Access to Information Act 2 of 2000,” 2000.

R. Amos, G. Acar, E. Lucherini, M. Kshirsagar, A. Narayanan, and J. Mayer, “Privacy policies over time: Curation and analysis of a million-document dataset,” in Proceedings of the Web Conference 2021 , 2021, pp. 2165–2176.

J. Tang, H. Shoemaker, A. Lerner, and E. Birrell, “Defining privacy: How users interpret technical terms in privacy policies,” in Proceedings on Privacy Enhancing Technologies, 2021. doi: 10.2478/popets-2021-0038.

Information Commissioner’s Office, “Information Commissioner’s Office - For organisations.” Accessed: Aug. 21, 2023.

GDPR.EU, “GDPR.EU.” Accessed: Aug. 21, 2023.

Information Regulator of South Africa, “Information Regulator (South Africa_,” Guidance notes. Accessed: Aug. 21, 2023.

R. K. Yin, Case study research - Design and Methods, 3rd ed. Thousand Oaks, California: SAGE Publications, 2002.

M. Saunders, P. Lewis, and A. Thornhill, Research methods for business students, Seventh ed. England: Pearson Education Limited, 2016.

K. Mori, T. Nagai, Y. Takata, and M. Kamizono, “Analysis of Privacy Compliance by Classifying Multiple Policies on the Web,” in Proceedings - 2022 IEEE 46th Annual Computers, Software, and Applications Conference, COMPSAC 2022, Institute of Electrical and Electronics Engineers Inc., 2022, pp. 1734–1741. doi: 10.1109/COMPSAC54236.2022.00276.

T. Al Rahat, M. Long, and Y. Tian, “Is Your Policy Compliant? A Deep Learning-based Empirical Study of Privacy Policies Compliance with GDPR,” in WPES 2022 - Proceedings of the 21st Workshop on Privacy in the Electronic Society, co-located with CCS 2022, Association for Computing Machinery, Inc, Nov. 2022, pp. 89–102. doi: 10.1145/3559613.3563195.

X. Lin, H. Liu, Z. Li, G. Xiong, and G. Gou, “Privacy protection of China’s top websites: A Multi-layer privacy measurement via network behaviours and privacy policies,” Comput Secur, vol. 114, Mar. 2022, doi: 10.1016/j.cose.2022.102606.

T. Heino, R. Carlsson, S. Rauti, and V. Leppänen, “Assessing discrepancies between network traffic and privacy policies of public sector web services,” in ACM International Conference Proceeding Series, Association for Computing Machinery, Aug. 2022. doi: 10.1145/3538969.3539003.

T.-H.-G. Vu and X.-B. Hoang, “User Privacy Risk Analysis within Website Privacy Policies,” Institute of Electrical and Electronics Engineers (IEEE), Sep. 2024, pp. 1–6. doi: 10.1109/mapr63514.2024.10660854.

J. Kim, R. L. Baskerville, and Y. Ding, “Breaking the Privacy Kill Chain: Protecting Individual and Group Privacy Online,” Information Systems Frontiers, vol. 22, no. 1, pp. 171–185, Feb. 2020, doi: 10.1007/s10796-018-9856-5.

I.-D. Anic, V. Škare, and I. Kursan Milaković, “The determinants and effects of online privacy concerns in the context of e-commerce,” Electron Commer Res Appl, vol. 36, p. 100868, Jul. 2019, doi: 10.1016/j.elerap.2019.100868.

Published
2024-12-31
Abstract views: 160 times
Download PDF: 101 times
How to Cite
Da Veiga, A., Abdullah, H., Eybers, S., Ochola, E., Mujinga, M., & Mwim, E. (2024). Evaluating Data Privacy Compliance of South African E-Commerce Websites Against POPIA. Journal of Information Systems and Informatics, 6(4), 2693-2732. https://doi.org/10.51519/journalisi.v6i4.917
Section
Articles