“I understand that POPIA requires me to give consent for the use of my personal information and that a business cannot use my information without such permission. Although I am in favour of this approach, I was just wondering if I will now have to give consent every time or will I be asked to give consent once, but then it stays in place for ever? I don’t want to be bombarded with requests but at the same time I don’t want to be held to a consent I can hardly even remember giving. How is this going to work?”
The rule of thumb is that the Protection of Personal Information Act 4 of 2013 (“POPIA”) requires that responsible parties, namely the business or entity handling your personal information, must lawfully process your personal information, which can most easily be done with the consent of a data subject to whom the personal information relates.
Giving consent every time someone needs to use your personal information can seem like a massive undertaking, especially when you consider the broad definition of everything that could potentially constitute “personal information” in terms of POPIA, which can include anything from contact information to personal opinions, views or preferences.
POPIA, contrary to popular belief, does not always require that consent be obtained from data subjects prior to personal information being processed. For example, it may be possible for a business to use your personal information if there is a contractually legitimate reason to use such information, even without your specific consent. This is not open-ended, but definitely possible where justified.
It is therefore very important to determine when it is necessary to obtain consent and when not, as the purpose of POPIA is neither to overburden persons with constant requests for consent nor to ignore the protection that such a requirement would provide.
Under POPIA, consent will generally not be necessary in the following scenarios:
- Where processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
- Where processing complies with an obligation imposed by law on the responsible party.
- Where processing protects a legitimate interest of the data subject.
- Where processing is necessary for the proper performance of a public law duty by a public body.
- Where processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Only where a responsible party wishes to use your personal information for a purpose which does not fall into one of the above categories, or if the data subject is a minor child, or the information is deemed to be “special” in nature, will the responsible party be obliged to ask for your consent.
That said, some businesses are adopting a “rather safe than sorry” approach to consent and ask for consent at every turn, even if not always strictly necessary. As businesses get used to when and where consent should be asked, these requests will also probably become less frequent.
Another aspect to consider is what exactly is meant when we talk about consent in terms of POPIA. Where you are required to give consent, such consent must be specifically related to a particular objective or relationship, you must understand exactly what you are consenting to, and your consent must be voluntary and given of your own free will in order to be valid under the provisions of POPIA.
Once you give consent, your personal information may only be used for the purpose for which you agreed or gave consent to which must be clearly set out as part of the consent requested. Any further use, or use not related to the initial purpose, will require that you give further consent before the information may be used for such additional purpose.
It is also important to take note that you are entitled to withdraw your consent at any time. This means that you need not be concerned that by granting consent for a particular purpose will mean that you can’t change your mind later and retract your initial consent.
POPIA also requires that a responsible party does not keep the information collected for longer than strictly required to fulfil the purpose for which it was obtained in the first place.
So, although time will assist in clarifying the when and how businesses will require you to give consent, it is clear, that consent is not a free for all, or a life-time commitment you need to worry about. Should any business not adhere to the requirements regarding consent you are entitled to query this and can also if necessary, obtain assistance from your attorney to help address any privacy or consent issues you feel is not being adhered to.