What is POPIA Section 18 and why does it apply to pool quotes?

POPIA Section 18 requires that, at the point of collecting personal information, the responsible party give the data subject a clear notice covering: the information being collected, the purpose, whether collection is voluntary or mandatory, the consequences of refusing, and the data subject's rights. A pool quote form that asks for your name, contact details and property data without this notice is non-compliant — and the operator can be reported to the Information Regulator (SA).

Can a builder ask for my ID number to issue a quote?

No. There is no lawful basis to require a South African ID number for a quote. ID is needed at contract signing for FICA compliance, not at the lead-generation stage. Any request before a written agreement should be refused — and is a strong signal to deal with a different provider.

What can I do if a pool company has misused my data?

Lodge a complaint with the Information Regulator (SA) at inforegulator.org.za. You can also exercise your right under POPIA Section 23 to request access to the personal information held about you, and Section 24 to request correction or deletion. The regulator has issued enforcement notices and administrative fines for cold-marketing without consent.

Are lead-aggregator pool quote sites legal under POPIA?

They can be, but only with explicit, separately captured consent at the point of submission that names the third parties your data will be shared with. A single 'I agree to terms' checkbox bundling onward transfer to multiple builders is generally insufficient. If the site cannot tell you which builders will receive your details, do not submit.

POPIA · Section 18 · 2026

POPIA-Safe Pool Quote Checklist for SA Homeowners

By Swimming Pool Builders Editorial Team Reviewed by SPB Independent Review Desk Last reviewed 28 June 2026Editorial standards Report a correction

Submitting a pool quote request looks harmless — your name, email, suburb and a project description. In practice, that form is a regulated data-processing event under the Protection of Personal Information Act, and the operator has specific obligations the moment you click submit. This checklist shows the six lawful collection patterns (green flags) and the six unlawful or high-risk ones (red flags) that should prompt you to walk away.

Green flags — lawful

Name and contact details
Full name, email and phone number for direct communication about your quote — the minimum lawful basis.
Property suburb (not full address)
Suburb is enough to scope a quote. Full street address should only be requested when you confirm a site visit.
Pool size and type preferences
Material, dimensions and style help generate a meaningful estimate. This is purpose-limited data collection — the POPIA standard.
Budget range
An indicative range is reasonable and helps the builder filter scope. Hard requirement for an exact figure is not.
Builder identifies their Information Officer
POPIA Section 56 requires every responsible party to designate an Information Officer. Their name and contact must be discoverable before you submit data.
Clear opt-in consent, not pre-ticked
Active opt-in for marketing or data sharing is a POPIA requirement. Pre-ticked boxes are non-compliant under regulator guidance.

Red flags — walk away

ID copy demanded before contract
South African ID is not required to issue a quote. Requesting it pre-contract is a serious POPIA red flag and creates identity-theft exposure.
Banking details before site visit
No legitimate quote process requires your bank account number. This is a fraud risk indicator — walk away.
Pre-ticked direct-marketing consent
Consent must be active. A pre-ticked subscription to newsletters or partner offers is non-compliant and the regulator has issued enforcement notices for it.
No POPIA notice on the quote form
Section 18 requires a clear privacy notice at the point of collection — purpose of processing, who has access, retention period, your rights. Its absence is non-compliance.
Data sold to multiple builders without disclosure
Lead-aggregator sites that share your details with several builders must disclose this and obtain explicit consent. Silent onward transfer is unlawful.
No Information Officer named anywhere
If the website has no privacy policy, no registered Information Officer and no contact for data subject requests, it cannot lawfully process your information.

POPIA-Safe Pool Quote Checklist for SA Homeowners

Green flags — lawful

Red flags — walk away

Frequently Asked Questions

Read next

Choosing a pool builder

Hidden costs in pool quotes

Pool insurance in South Africa