Privacy Day 2026: Moving beyond the consent myth under POPIA
By Ahmore Burger-Smidt – Director and Head of Regulatory
South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) provides multiple lawful bases for processing personal information, and one ought to be reminded that consent is only one of them.
The straightforward answer to the recurring misconception is this: consent is not the primary or preferred basis for most processing under POPIA, and in many scenarios it is a poor choice.
POPIA’s section 11 sets out six lawful grounds, including the responsible party’s legitimate interests. In practice, legitimate interest is often more stable, proportionate and protective of data subjects when used correctly.
The consent myth under POPIA
Section 11 of POPIA states that personal information may be processed if one of six grounds applies. These include the data subject’s consent, necessity for a contract with the data subject, compliance with a legal obligation, protection of the data subject’s legitimate interests, performance of a public law duty, or the legitimate interests of the responsible party or a third party to whom the information is supplied. POPIA does not set a hierarchy between these grounds. Consent is therefore not privileged over the others and should not be treated as the default.
POPIA defines consent as a voluntary, specific and informed expression of will.
Section 11 places the burden of proof on the responsible party to demonstrate that valid consent was obtained and allows the data subject to withdraw consent at any time, without affecting the lawfulness of processing already undertaken or processing grounded on other section 11 bases. POPIA also creates a right to object, on reasonable grounds relating to the person’s particular situation, where processing relies on legitimate interests or related grounds. These structural features mean that consent is deliberately fragile and reversible, while legitimate interest is contestable through objection rather than withdrawable at will.
South African courts are beginning to consider POPIA’s lawful basis rules. In a 2024 Western Cape High Court matter, a respondent’s publication of an individual’s mobile number on social media was held to breach section 11 of POPIA. However, it must be pointed out that the court did not consider this in detail.[1]
Why consent often fails in practice
Consent is highly attractive in theory but precarious in operation.
The first difficulty is voluntariness. In relationships with an inherent power imbalance, such as employment or essential services, consent is rarely freely given. Employees, for instance, may feel compelled to consent to human resources processing that is actually necessary for contract performance or for the employer’s legitimate interests. Using consent in such contexts risks invalidity and undermines trust.
The second difficulty is revocability. Because consent can be withdrawn at any time, processing operations that depend on continuity, integrity and auditability can be destabilised overnight. An organisation that builds core functions on consent must be ready to cease processing immediately upon withdrawal, which may be operationally impossible where the purpose is compliance, safety, fraud prevention or security.
A third practical weakness is evidential and administrative overhead. POPIA requires the responsible party to prove consent. That implies robust records, clear versioning of notices, and demonstrable linkage between each processing purpose and a discrete consent event. In complex ecosystems, the record-keeping burden becomes significant, and consent fatigue undermines quality. Overbroad, bundled or ambiguous requests risk being neither specific nor informed, while consent obtained through vagueness fails POPIA’s openness condition in any event.
Finally, consent is simply the wrong tool for many statutory or public interest purposes. If the processing is necessary to comply with law, to perform a contract, or to pursue compelling interests such as network security or debt recovery, consent introduces uncertainty without improving the data subject’s position. POPIA anticipates this by offering alternative grounds that are less brittle and more proportionate to the risk.
Legitimate interest under POPIA: what it is and what it is not
Legitimate interest features twice in section 11: protection of the data subject’s legitimate interests, and the legitimate interests of the responsible party or a third party. POPIA does not define the term, but the concept is embedded elsewhere in the Act. For example, section 12 permits collection from sources other than the data subject where that would not prejudice the data subject’s legitimate interests, and section 18 recognises limits to notification where non-compliance would not prejudice those interests. Section 71, which restricts automated decision-making, also refers to the data subject’s legitimate interest.
Although POPIA lacks a formal test in the text, its structure implies a balancing exercise. The responsible party should be able to articulate a legitimate purpose, show that processing is necessary for that purpose, and demonstrate, through a reasoned assessment, that the data subject’s rights are not overridden. South African constitutional context matters here: the right to privacy in section 14 of the Constitution informs the balancing, and section 233 allows courts to consider international law when interpreting uncertain terms. In practice, organisations in South Africa have adopted a disciplined, documented balancing approach analogous to global practice.
However, legitimate interest is not a carte blanche. The conditions for lawful processing in Chapter 3 still apply in full. Purpose specification and minimality require that only relevant personal information be processed for a defined aim. Further processing must be compatible with the original purpose. Openness requires meaningful notice under section 18. Security safeguards and data subject participation rights apply in the same way as for processing based on consent. Critically, section 11(3) gives data subjects a right to object, on reasonable grounds relating to their particular situation, to processing based on legitimate interests. Responsible parties must provide accessible, effective channels for receiving and honouring such objections.
Applying legitimate interest well: scenarios and safeguards
Legitimate interest is often the better ground in familiar, everyday contexts where data subjects benefit from predictable, proportionate processing without the fragility of consent. Security and fraud prevention are classic examples. Operating access controls, monitoring systems to detect malicious activity, and maintaining audit trails are ordinarily necessary to protect systems and users. Debt collection after a customer default likewise aligns with a responsible party’s legitimate interest; using limited personal information to locate a debtor and recover sums due is typically justified when done proportionately and with appropriate safeguards.
Customer experience and service quality can also be compatible with legitimate interests when designed with restraint. For example, retaining a suppression list after an unsubscribe request is a legitimate means to honour the person’s wishes and avoid future marketing. Low-intrusion analytics that are necessary to improve service delivery may be justified if undertaken in a privacy-preserving manner, explained transparently, and subject to an easy right to object. In every instance, the analysis should be recorded, the scope kept to what is necessary, and practical mitigations such as access controls and short retention periods should be implemented.
Legitimate interest does not displace specific statutory regimes that require consent.
Choosing the right basis: governance, objections and risk
Selecting a lawful basis is a design decision, not an afterthought. POPIA’s accountability condition requires responsible parties to determine the purpose and means of processing and ensure compliance at the outset. Documenting the lawful basis, whether consent or legitimate interest or another ground, is part of this discipline. Once a basis is chosen and communicated, organisations should avoid opportunistically switching grounds, as this undermines transparency and invites challenge.
Where consent is genuinely appropriate, such as for direct marketing by electronic communications to new prospects, organisations should invest in consent that is specific, informed, voluntary and evidenced, with a withdrawal mechanism that is as easy as granting. Where legitimate interest is more appropriate, a written assessment setting out the purpose, necessity, safeguards and balancing rationale is best practice. This should be coupled with intelligible notices under section 18, clear opt-out channels to honour section 11(3) objections, and measurable data minimisation and retention controls.
Conclusion
Consent has an enduring and important place in South African data protection law, but it is not the centre of gravity under POPIA. In many operational contexts, consent is brittle, hard to evidence, vulnerable to power imbalances and operationally risky. Legitimate interest, by contrast, when applied with discipline, transparency and safeguards, often better reflects the proportionality that POPIA demands while preserving meaningful data subject control through the right to object.
Uncertainty remains at the margins because POPIA does not define “legitimate interests”, and local jurisprudence is still developing. However, organisations that adopt a reasoned balancing methodology, anchor their decisions in POPIA’s eight conditions, and respect specific statutory carve-outs, for direct marketing by electronic communications, special personal information, children, and cross-border transfers, will be well placed.
The pragmatic recommendation for Privacy Day 2026 is therefore to retire the reflex to reach for consent and instead choose the lawful basis that fits the purpose, respects the person and withstands scrutiny.
“To be sure I must; and therefore I may assume that your silence gives consent.” – Plato[2]
——————————————————————————————————————————————————————————————————————————————————————–
[1] Munetsi v Madhuyu and Another (16255/2024) [2024] ZAWCHC 209 (6 August 2024)
[2] “Plato Quotes.” BrainyQuote.com. BrainyMedia Inc, 2026. 16 January 2026. https://www.brainyquote.com/quotes/plato_401345
