A Guide to South Africa's eCommerce Laws
Two men working on a laptop together

Owning an online business means that you can do things the way you want. You have the freedom of deciding the look and feel of your website, how much you will charge for your products and which payment gateway options are the best for you. But, running an eCommerce store also requires you to act within the limits of regulations prescribed by authorities.

Every registered company that accepts credit card and EFT payments online must familiarise themselves with the laws that protect consumers, as these can have significant implications for your business practices and processes. However, the volume of legislation, amount of clauses, and regular updates can leave many inexperienced business owners scratching their heads. To help you get a clear understanding of eCommerce laws, we've summarised some important ones that can potentially affect your brand.

The Electronic Communications and Transactions Act (ECT)

Under the Electronic Communications and Transactions (ECT) Act, you are required to provide consumers with information about the full name and legal status of your website. You must also ensure that the following elements are clearly displayed: your business’ email address, telephone number, the price of products, the payment methods available and return policies.

After a customer placed an item in their cart, you must enable them to review their transaction, make changes or cancel the purchase onsite. If they do purchase something, they must receive their order within 30 days or get a full refund upon failure of delivery. The customer also has the right to cancel the transaction within seven days of receiving the order. You may not penalise them for the cancellation; they are only responsible for covering the cost of returning the product to your warehouse.

In regards to marketing and communication, you may only send emails to customers who signed up for your newsletter. If your business collects and stores personal information, you have an obligation to only collect, use and distribute the data for reasons that customers agreed to. To comply with your website's security policies, you should aim to never store credit card details on your site.

Protection of Personal Information Act (POPIA)

Customers' personal details must be treated in a legitimate and respectful manner. The Protection of Personal Information Bill states that personal information must be used for explicitly-defined and lawful purposes related to a function or activity of your business. For example, you may reveal a customer’s information to a credit card company to collect payment for a purchase. The onus is on you to also ensure a customer's information is complete, accurate, truthful and up to date.

Keeping information confidential requires that you identify possible internal and external risks to a customer's identity. It is your duty to implement the necessary security measures to protect personal information stored in your eCommerce database. Special care should be exercised when processing information of minors and should only be allowed when a parent has given their permission.

woman working on computer

eCommerce VAT laws

According to the Value Added Tax (VAT) Act of 1991, all prices charged, advertised or quoted by a vendor must include VAT. It must be levied on all online transactions at a standard rate of 14%. For this reason, eCommerce startups need to register their business as a VAT merchant and would be required to submit tax returns and make punctual tax payments to the South African Revenue Service (SARS).

On 28 March 2014, a former Minister of Finance updated the VAT regulations to compel foreign merchants to pay VAT. This means that if you're a foreign eCommerce site that provides electronic services to South African consumers or receives payment from a South African bank, and your business' revenue exceeds R50 000 a year, you must register with SARS.

The standard tax rate applies to all products and services sold on the internet. The VAT regulation identifies electronic services as involving the supply of internet-based auction services, games, e-books, videos, music, online betting, subscription services, and educational services.

If you only provide exempted products such as donated goods or financial services, you are not a candidate for VAT. But, if you are registered, you may not levy VAT on exempt supplies. If you ship products to any country outside South Africa, you may not need to pay VAT, however, if orders are delivered locally, you must charge VAT at the standard rate.

Regulation of Interception of Communication and Provision of Communication-Related Information Act (RICA)

RICA is a piece of legislation that governs paper-based and electronic communications and prevents the unlawful interception of any communication during occurrence or transmission. For eCommerce store owners, however, this act holds an exception related to business purposes. In the event that communication occurs only indirectly during the transaction process (meaning it is not aimed at your business), you may purposely intercept communication with the permission of one the parties involved in the transaction.

RICA allows the interception of employee emails as well as internet usage without any prior consent, provided that the employer acts within the terms of lawful interception.


No matter what the size of your online business is, it’s important to always keep your practices in compliance with eCommerce legislation in order to build a positive reputation and ensure consumer trust.