How to Manage User Consent Under POPIA (A Practical Guide)
Consent is the Foundation of POPIA Compliance
At the core of the Protection of Personal Information Act (POPIA) is a simple idea: people have the right to decide what happens with their personal information. While consent is not the only legal basis for processing data, it is the one most South African websites rely on, and getting it wrong is one of the fastest ways to get fined.
What Counts as Valid Consent Under POPIA?
Not all consent is created equal. For consent to be valid under POPIA, it must be:
- Voluntary: The user must not be forced or coerced. Bundling consent with access to a service (e.g., "you must accept marketing to use our app") is not valid.
- Specific: Consent must be for a clearly defined purpose. A blanket "I agree to everything" is not sufficient.
- Informed: The user must understand what they are agreeing to. Use plain language, not legal jargon.
Pre-Ticked Checkboxes Are Illegal
This is one of the most common mistakes South African websites make. If your newsletter signup form, contact form, or checkout page has a pre-ticked "I agree" checkbox, you are violating POPIA. The user must actively tick the box themselves. Silence or inaction does not count as consent.
Keep a Record of Consent
POPIA places the burden of proof on you. If the Information Regulator asks you to prove a user consented, you must be able to produce evidence. This means you should record:
- The date and time consent was given.
- The method used (e.g., website form, email reply).
- The specific purpose they consented to.
- The version of the Privacy Policy that was in effect at the time.
Users Can Withdraw Consent at Any Time
POPIA gives users the right to withdraw consent easily and at any time. Your website must provide a clear mechanism for this, whether it is an unsubscribe link in emails, a "delete my account" button, or a simple email to your Information Officer. Withdrawing consent must be as easy as giving it.
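The record-keeping list and the withdrawal right above can share one store. The following is an added example, not part of the original guide: an append-only log that holds the four listed fields and also records withdrawals. The class and field names, the `user_ticked` flag, and the SHA-256 hash chain (added so that later changes to stored records are detectable) are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain

def _digest(event):
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only consent log; names and layout are assumptions of this example."""
    def __init__(self):
        self.events = []

    def _append(self, user_id, action, purpose, method, policy_version, when):
        event = {"user_id": user_id, "action": action, "purpose": purpose,
                 "method": method, "policy_version": policy_version,
                 "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
                 "prev": self.events[-1]["hash"] if self.events else GENESIS}
        event["hash"] = _digest(event)
        self.events.append(event)
        return event

    def grant(self, user_id, purpose, method, policy_version, user_ticked, when=None):
        # The form is assumed to render the box unticked, so True is a user action.
        if user_ticked is not True or not purpose or not policy_version:
            raise ValueError("need an affirmative action, a purpose and a policy version")
        return self._append(user_id, "grant", purpose, method, policy_version, when)

    def withdraw(self, user_id, purpose, method, when=None):
        return self._append(user_id, "withdraw", purpose, method, None, when)

    def current(self, user_id, purpose):
        """Return the grant in force for this purpose, or None if absent or withdrawn."""
        state = None
        for e in self.events:
            if e["user_id"] == user_id and e["purpose"] == purpose:
                state = e if e["action"] == "grant" else None
        return state

    def verify(self):
        """True if no stored event was altered, reordered or removed mid-chain."""
        prev = GENESIS
        for e in self.events:
            if e["prev"] != prev or e["hash"] != _digest(e):
                return False
            prev = e["hash"]
        return True
```

Consent is tracked per purpose, so withdrawing from one purpose leaves grants for other purposes in force, and the earlier grant stays in the log as evidence of what was agreed and when.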
Cookie Consent is a Separate Requirement
Consent for cookies is a separate and additional requirement. A user agreeing to your Privacy Policy does not automatically mean they have consented to tracking cookies. You need a dedicated cookie banner that allows users to accept or reject non-essential cookies before they are set. Read our cookie policy guide for details.
Consent for Children
If your website targets or collects data from children under 18, you must obtain consent from a competent person (a parent or guardian). This is a strict requirement under POPIA Section 35, and non-compliance carries heavy penalties.
Start with the Right Privacy Policy
Your consent mechanisms are only as strong as the Privacy Policy they point to. Use POPIA Ready to generate a clear, comprehensive Privacy Policy that properly informs users of their rights and your data practices.