Here at Novcon using the word ‘consent’ is pretty much like telling us you do not like our Lego … yes, we take offence! So, we have dubbed consent the c-word, mostly because it is misunderstood and abused so often.
Here’s why. Whenever someone asks me for my consent I immediately think that whatever they want to do will be intrusive or unexpected, it’s like asking consent to do a credit check or to load a debit order on to my bank account. Serious stuff.
In terms of the POPIA, consent is one of the six lawful grounds for processing personal information and in most cases consent is not the appropriate justification for processing.
If consent is difficult, rather use an alternative. And if you go ahead and ask for consent, knowing that you would still process the personal data, asking for consent would be misleading and inherently unfair. We also do not advise you to make consent a precondition of a service as it is unlikely to be the most appropriate justification.
What are the other lawful grounds for processing personal information?
Now that we know that asking for consent is not the only justification for processing personal information , let’s look at other lawful grounds for processing personal information. We can lawfully process personal information if
- it is necessary to conclude or perform in terms of a contract
- we need to comply with an obligation imposed by law
- we are protecting the legitimate interest of a data subject
- it is necessary for the proper performance of a public law duty
- we are pursuing the legitimate interest of the responsible party or of a third party
Only if we’re certain that we cannot rely on any one of the above grounds we consider asking for consent.
It is appropriate to ask for consent if you can offer someone not only a real choice, but also the opportunity to control how you use his or her information. This will also help to build a trusting and engaging relationship. However, if you cannot offer a genuine choice, consent will never be the appropriate basis for processing someone’s personal information.
What do we need to know about asking for consent?
If you must ask for consent, then make sure your consent is
- specific – the consent must relate to a specific processing purpose
- informed – you must give the person (data subject) enough information about the consent before he or she has to make a decision about whether to give consent or not
- explicit – the data subject must give consent through a clear, specific, and affirmative act. The consent must be distinct from any other action. A good example would be to give consent to receive direct marketing. If I purchase a product from an online store, my consent to receive direct marketing from that store cannot be hidden in the purchasing contract.
Remember that the data subject can withdraw his or her consent at any time. You must be ready to act on such a withdrawal.
If you have to ask, do it properly.
Make sure your request for consent
- is separate from any other contract that may apply;
- is in an opt-in format, this means that you should stay clear of any pre-ticked boxes or any type of default consent;
- is written in plain language;
- provides specific information about the processing activity to which it relates;
- has your organisation’s details and those of any third party you will be sharing the information with;
- allows a person to consent separately for different purposes and types of processing; and
- informs a person that they are entitled to withdraw consent and the process they must follow to do so.
How do you manage consent?
Please look at these tips to manage consent effectively: You must
- have a process in place to update your consents regularly
- allow data subjects to withdraw their consent at any time; for example, if they unsubscribe
- remove data subjects from your contact list when they unsubscribe
- not penalise data subjects when they withdraw their consent
If you are wondering whether your request for consent is unnecessary or (gasp) unfair, get in touch and we’ll help you make sure it’s not.