The Protection of Personal Information Act 4 of 2013 (POPI or POPIA) is not a consent-driven law. The default position is that you do not need to get someone’s consent to process their personal information. POPIA does not require you to get the consent of the data subject in all instances. There are many other justifications in section 11 that you can rely on to process lawfully. It can be very useful, but it is not the only justification.

But there are some instances when you do need to get the data subject’s consent. For example, if you are direct electronic marketing to a prospect or if you are processing the personal information of a  child and POPI does not authorise you in another way to process their personal information.

What are the legal requirements for this consent? What form must it take? What is prescribed in the POPIA Regulation 6 regards direct marketing consents?

Consent is closely related to two other important issues – disclosure and signature. The three are often so closely related that you can’t actually deal with one without the others. Often consent is obtained electronically and in this context electronic consents, disclosures and signatures become a very important issue.

The legal definition of consent

POPI defines consent to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information“. This is the measure or test that you must meet if you need to get consent. The words specific and informed are of particular relevance. They are however open to some interpretation.

Some key points regarding consent and POPI

  • A person must have a choice whether to consent or not (it must be voluntary).
  • It must relate to a specific purpose (for example, to contact me about insurance products). You must specify your purpose.
  • You must notify the data subject of various things as set out in section 18 of POPIA.
  • You must inform the person sufficiently to enable them to make a decision.
  • There must be an expression of will. For example, tick a tick box, or click on a link. This is open to interpretation. Can a box be ticked by default for example? Is deemed or inferred consent OK?

How we can help

  • Get consent from data subjects to lawfully process their personal information for a specific purpose in terms of POPI by asking us to draft a consent form for you (or review your existing form). We will review it, make suggested edits, and insert comments as necessary.
  • Get consent from data subjects lawfully by joining our data protection programme and working it out yourself.
  • Raise your level of awareness by getting our Consent and Disclosure Guide for POPI.
  • Comply with the law and reach a consensus in a digital context by getting our assistance with electronic consents, disclosures and signatures.

The overlapping of laws

You need to be aware of the overlap of different laws when it comes to consent to make sure you comply with them. POPI may require a degree of consent that is less or more than what is required by a particular industry (like health or financial sectors.).

In some cases, POPI will prevail if the degree of consent required by POPI is higher than what your sector requires. But, when it comes to the medical field you must be careful of how you obtain it. When it comes to privacy in healthcare there is a higher standard required. The healthcare industry processes large amounts of personal information and special personal information which needs extra protection.