POPIA Consent: When You Actually Need It (and When You Don't)
Many South African business owners assume that POPIA means getting consent for everything. In practice, consent is just one of six lawful bases for processing personal information — and it is often not the most appropriate one. Understanding the full picture can save you both from over-collecting signatures and from processing information without any legitimate ground.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What POPIA Actually Says About Lawful Basis
POPIA section 11 sets out the grounds on which a responsible party (that is, your business) may process personal information lawfully. Consent is the first ground listed, but the section provides five others that can apply independently. Processing is lawful if it satisfies any one of the following:
- Consent — the data subject agrees, voluntarily and specifically, to the processing.
- Contract — processing is necessary to perform a contract the data subject is a party to, or to take steps at their request before entering a contract.
- Legal obligation — processing is necessary to comply with a legal obligation that rests on the responsible party.
- Protecting the data subject's interests — processing is necessary to protect the legitimate interests of the data subject.
- Public-law duty — processing is necessary for the proper performance of a public-law duty by a public body.
- Legitimate interest — processing is necessary to pursue the legitimate interests of the responsible party or a third party, unless those interests are overridden by the data subject's interests, rights, or freedoms.
This list is the foundation of lawful POPIA processing. Before you reach for a consent form, it is worth asking whether another ground applies more naturally to what you are doing.
---
When Consent Is the Right Choice
Consent is appropriate when none of the other five grounds fit the processing activity, or when you want to give the data subject clear, active control over a specific use of their information.
Typical situations where consent is commonly used:
- Email or SMS marketing — POPIA section 69 restricts direct marketing by electronic communication. The Information Regulator's published guidance makes clear that opt-in consent is the expected standard for unsolicited electronic marketing messages. A pre-ticked box or inferred consent does not meet this standard.
- Sharing information with third parties for their own marketing purposes — if you want to pass a customer's details to a partner so that partner can market to them, consent from the customer is the clearest lawful basis.
- Processing that goes beyond what a reasonable person would expect — if you want to use information for a purpose the data subject could not anticipate from the context in which they gave it to you, consent makes the secondary use transparent and lawful.
For consent to be valid under POPIA it must be freely given, specific, informed, and unambiguous. A data subject also has the right under section 11(3) to object to processing at any time — meaning consent-based processing must remain revocable.
---
When You Probably Do Not Need Consent
This is where many businesses create unnecessary friction for themselves and their customers.
You Have a Contract
If a customer places an order, a supplier signs a service agreement, or an employee enters an employment contract, processing the personal information needed to perform that contract sits squarely on the contract ground. You do not need a separate consent form to store a delivery address, process payroll, or maintain an invoice record.
You Have a Legal Obligation
SARS requires you to keep financial records. The Companies Act imposes record-keeping duties. FICA requires you to conduct customer due diligence and retain identity documents. Processing personal information to meet these obligations rests on the legal obligation ground, not consent. Asking employees or customers to 'consent' to FICA-required ID verification creates a misleading impression — as if they could withhold consent and you would stop — when in fact you are legally required to collect that information regardless.
You Are Pursuing a Legitimate Interest
Legitimate interest is often the most flexible ground, but it requires a balancing exercise: your interest must not override the data subject's rights and freedoms. Examples where legitimate interest may apply include fraud prevention, network and information security, and internal analytics used to improve a service the data subject already uses. This is not a blanket exemption — document your reasoning, because the Information Regulator may ask to see it.
---
Practical Checklist Before Reaching for a Consent Form
Before you design a consent mechanism, work through these questions:
- Is there a contract between you and the data subject that makes this processing necessary?
- Does a law or regulation (SARS, FICA, Companies Act, sector-specific legislation) require you to collect or retain this information?
- Do you have a legitimate business interest that is proportionate and not overridden by the data subject's interests?
If you answer yes to any of these, consent may be unnecessary — and using consent where another ground fits better can actually create problems. If you rely on consent and the data subject later withdraws it, you lose your lawful basis entirely, even if a more durable ground was available all along.
---
Documenting Whatever Ground You Choose
Regardless of which ground you rely on, POPIA's requirements around documentation and notification still apply. Your business should be able to show, for each category of personal information it processes:
- Which lawful basis under section 11 applies.
- The specific purpose for which the information was collected (aligned with section 13).
- How long the information is retained (aligned with section 14).
- That data subjects were notified at collection (aligned with section 18).
The Information Regulator publishes guidance and resources at inforegulator.org.za that can help you understand how these requirements are interpreted in practice.
---
The Bottom Line
Consent is a meaningful tool in the right context — particularly for electronic direct marketing and for processing that a data subject would not otherwise expect. But treating consent as the default for every interaction adds unnecessary complexity, creates revocability risks, and can mislead data subjects about their actual rights.
Mapping your processing activities against all six grounds in section 11 will give you a cleaner, more accurate compliance position than blanket consent forms ever can.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation — including which lawful basis applies to your specific processing activities — consult a qualified attorney.