POPIA for estate agents, in plain language
What the Protection of Personal Information Act actually asks of a working agent: consent, direct marketing, ID numbers in chats, and how to stay on the right side of it without a law degree.
Updated 17 July 2026 · 8 minute read · by the Deed team
An estate agent's phone is a POPIA case study: ID numbers in chat history, FICA documents in the camera roll, a spreadsheet of past buyers, and a WhatsApp thread with half of last year's show-house visitors. The Protection of Personal Information Act isn't out to catch you; it asks for something simpler than most agents fear. Here it is without the legalese.
One honest note before we start: this guide is practical orientation, not legal advice. For decisions with money or disputes attached, talk to a professional.
The one-sentence version
Collect only the personal information you need, use it only for the reason you collected it, keep it safe, and delete it when the reason is gone.
What counts as personal information
More than you'd think: names, phone numbers and emails, ID numbers, financial details on an offer to purchase, even a buyer's viewing history. If it identifies a living person (or an existing company), POPIA covers it. As the agent or agency deciding what happens to that information, you are the responsible party, and the duties below sit with you.
The five habits that cover most of an agent's risk
- Collect with a purpose you could say out loud. "I need your ID number for the FICA check on this offer" is fine. Harvesting numbers from a show-house register "for marketing someday" is not.
- Treat direct marketing as opt-in. Section 69 is the sharp edge of POPIA: electronic marketing to people who aren't your clients needs their consent, and every message needs a way to opt out. A buyer who enquired about a specific home is a conversation, not a mailing list.
- Get ID numbers out of chat threads. A client's ID sitting in years of WhatsApp history is a breach waiting for a stolen phone. Move identity documents into one secure place and delete them from the thread.
- Know where your book lives. If your contacts are spread across a personal phone, three spreadsheets and a departed colleague's laptop, you can't honour the Act's core promises: telling someone what you hold, correcting it, or deleting it.
- Delete what you no longer need. Records tied to a concluded transaction have retention rules (FICA wants five years), but the show-house register from 2019 does not need to live forever.
People's rights, your obligations
Anyone in your book can ask what you hold about them, ask you to correct it, or ask you to delete it (where no other law requires you to keep it). None of these are hostile requests; they're the test of whether your book is under control. If you can answer "show me what you have on me" in ten minutes, you're in good shape.
Where AI tools fit
New question, same principles. If software reads client messages to draft replies, ask your vendor two things: what personal information reaches the AI, and where it goes. The good answer is that identifiers are stripped out before any model reads a message and that your data is never used to train someone else's system.
How Deed is built for this: ID numbers, card numbers, emails and phone numbers are redacted before any AI reads a message; every action lands in an audit trail; your book exports on request and deletes when you leave. You can see the redaction working on our security page.
The short version
POPIA rewards exactly the habits that make you a better agent: one tidy book, clear reasons for what you keep, permission before marketing, and the ability to answer for your data. Get those right and the Act largely takes care of itself.
