POPIA consent: when you need it — and when you don’t

Consent is voluntary, specific and informed — fragile by design, revocable at will, and often the wrong ground to choose.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
You need POPIA consent only where no other lawful ground covers the processing — typically optional extras like newsletters, profiling, and electronic marketing to non-customers. Consent must be a voluntary, specific and informed expression of will; you bear the burden of proving it; and the data subject may withdraw it at any time. Where contract, legal obligation or legitimate interest genuinely applies, choosing consent instead makes your processing weaker, not safer.

What counts as consent under POPIA?

POPIA’s consent is not a checkbox formality — it is a defined term with three cumulative requirements:

Source — the actual words

“‘consent’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;”

Protection of Personal Information Act 4 of 2013, s 1, definition of “consent”

Voluntary — given freely, without coercion or bundling into terms the person cannot refuse. Specific — tied to an identified purpose; a blanket “we may do anything with your data” clause fails. Informed — the person knew what they were agreeing to. And an expression of will — so a pre-ticked box is not consent, and silence is not consent. Under the amended Regulations (April 2025), consent for electronic marketing may be obtained by email, telephone, SMS or WhatsApp — but telephonic consent requests must be electronically recorded, and regulation 6.4 closes the old loophole in one sentence: opt-out does not constitute consent.

When is consent actually required?

Less often than South African business practice suggests. Consent is the right ground when nothing else fits — when the processing is genuinely optional for the data subject and serves no contract, legal duty or balanced legitimate interest. The clearest cases where the Act genuinely demands consent:

  • Electronic marketing to non-customers — section 69(1)(a), with the once-off consent ask under section 69(2). See section 69.
  • Optional extras — newsletters, profiling beyond the service, sharing with partners for their own marketing.
  • Some special-information and children gateways — where no other section 27 or 35 gateway applies. See special personal information.

For everything else — performing contracts, paying staff, FICA checks, invoicing, security, debt recovery, references — one of the other five grounds almost always fits better.

Why consent is often the worst choice

Two subsections make consent fragile by design. First, the burden of proof sits with you:

Source — the actual words

“The responsible party bears the burden of proof for the data subject’s or competent person’s consent”

Protection of Personal Information Act 4 of 2013, s 11(2)(a)

Second, the data subject “may withdraw his, her or its consent... at any time” (s 11(2)(b)) — although processing that happened before withdrawal, and processing resting on grounds (b) to (f), is unaffected. So if you collect consent for something you could have done under contract or legitimate interest, you have voluntarily made your processing revocable at will and taken on the burden of proving the consent. That is not caution; it is self-sabotage.

The 2021 “please re-consent or we delete you” wave

As the POPIA grace period closed in mid-2021, inboxes filled with emails begging customers to “re-consent” on pain of deletion. For most businesses the exercise was legally pointless: their processing already rested on contract, legal obligation or legitimate interests, none of which needed consent then or now. Worse, businesses that deleted non-responders destroyed records they were entitled — sometimes required — to keep. The lesson stands: before asking for consent, ask which ground actually carries the processing. The answer is usually already in section 11.

Frequently asked questions

Is silence consent under POPIA?

No. The Information Regulator’s Guidance Note on Direct Marketing puts it bluntly: “Therefore, silence cannot mean consent.” Consent requires an expression of will — a pre-ticked box or a failure to object is not one.

Who must prove that consent was given?

You do. Section 11(2)(a) places the burden of proof for the data subject’s consent on the responsible party — if you cannot evidence the consent, you cannot rely on it.

Can consent be withdrawn?

Yes, at any time (s 11(2)(b)). Processing that happened before withdrawal remains lawful, and processing resting on the other grounds — contract, legal obligation, legitimate interests — is unaffected by a withdrawal.

Do existing clients need to re-consent to stay on my books?

No. If your processing rests on contract, legal obligation or legitimate interests, no consent was needed in the first place — and asking for it achieves nothing except creating a withdrawal right that did not exist before.

Who consents for a child?

A competent person — typically a parent or guardian (s 11(1)(a) read with s 35). Children’s information has its own regime in sections 34 and 35.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
