In our first podcast, we explored the topic of client contact books, what they are and if or how you can use them when POPIA becomes legally enforceable. In some cases, the answer was a matter of getting consent. Which is why, in this episode, we discuss the topic of consent under POPIA in a lot more depth – what it is, when you need it and how to get it.
What is consent according to POPIA?
Under POPIA, consent means that the Data Subject has given you permission to use their Personal Information for the purposes that you have outlined to them. According to POPIA, consent needs to be voluntary, specific and informed.
Why is consent so important in POPIA?
Consent is important for two key reasons: processing and marketing. In the first instance, a Responsible Party must have a legal ground for processing a person’s Personal Information. One of these legal grounds is that the person consented to the processing of their Personal Information.
The second instance is related to direct marketing, and in this instance a guideline is provided for by the Act in an example of the consent form to be completed, called Form 4, which is discussed in more detail below.
What does POPIA mean by processing?
POPIA sees the processing of Personal Information as doing anything with that data. And I do mean anything: whether you collect it, store it, use it, delete it, share it or change it, anything you do with it is considered to be processing. Essentially, the term processing refers to the handling of data in any which way.
You mentioned the term Responsible Party. Who does this refer to in POPIA?
POPIA identifies 2 main role players when it comes to processing Personal Information. The main one is the Responsible Party. And by this they mean the party collecting the Personal Information from the Data Subject and/or deciding the purpose of that collection.
The second role player is the Operator. This is any party processing the Personal Information on behalf of the Responsible Party. In the context we are discussing today, the Dealership or MBR would be the Responsible Party for all the seller’s Personal Information. When the Dealership enters the seller’s details into Lightstone’s Signio system to capture a credit application, Lightstone becomes the Operator. This is because Lightstone would then process the details that the dealership enters into the system and deliver this information to the Credit provider.
We’ll return to these roles in a future podcast episode and make further sense of the responsibilities for each. In the meantime, what exactly is meant by voluntary, specific, and informed consent?
Each of these words is very specific. For consent to be voluntary it cannot be received from a Data Subject that has been coerced in any way. The consent must be provided as the result of a genuine choice. This is probably less relevant to Dealerships and MBR’s, but not so in the case of a business that only allows access to a service once you give consent to your details being used for direct marketing purposes.
Specific and informed means that the consent cannot be a general and far-reaching consent. It has to be focused and specific, informing the person that his Personal Information will be processed and used in a specific manner.
Specific consent means that you need to tell the Data Subject what you want to use their Personal Information for. You must make the Data Subject aware of any and all situations that you will use the Personal Information for and they must consent to the information being used in this manner.
Does that include specifying what and why you will communicate with them in future?
Yes, it does. If a user signs up to receive newsletters from you and consents to the use of their email address for that particular purpose, you should not use this information for direct marketing. POPIA is very specific about how unsolicited direct marketing may be sent to a person.
What about informed consent?
You need to inform the Data Subject why you need their Personal Information, and a few other things that are specified in Section 18 of POPIA. The most notable being that you need to inform them of the name and address of the Responsible Party (that is you, the Dealership or MBR). You need to inform them whether you need to share their information with another party. You also need to inform them of the fact that they have a right to access and rectify any Personal Information you hold on them. There are others, so I suggest all Dealerships and MBR’s familiarise themselves with Section 18 of the Act before designing their consent process, whether it’s because you want to use a person’s Personal Information in your business, or whether you want to market your services to them. On the website page that hosts this podcast you will find a link to the Section 18 content for your quick reference.
What if someone comes into your showroom and you want their contact details so you can call them about vehicles they might be interested in?
This is exactly when you should be gathering consent. Make sure you gather consent for all the purposes you will need to contact that person for.
What does consent look like? Is there a particular manner in which you need to get that consent?
That depends. If the purpose is for direct marketing, then the POPI Act contains an example of a consent in Form 4. You don’t have to use that form exactly, but you do have to ensure that the content contained in that form is part of your consent. Here is an example of the consent form if you need it.
What about consent for things other than direct marketing? Like the example above, when you want to set up viewings for a potential client?
In that case you can gather consent in any form you wish. It is advisable though, to ensure you have a record of the consent, just in case there’s a dispute later on about the granting of consent. It could become a situation of ‘he said, she said’ if you can’t produce the record showing that they’ve given consent.
Say I have a list of contact details that I purchased before POPIA became enforced and I want to call those people to see if they want to sell their vehicle. I can’t seek consent from them without contacting them, so how do I proceed?
POPIA is very clear on this. You are allowed to contact each person on that list once and once only, in order to establish whether they’re happy to be contacted in future or not. So make sure you use this call to gather consent for any further uses of their Personal Information. You only get one shot at it.
So if they say they don’t want to be contacted by me, I can never call them again?
That’s right, unless something changes and they indicate that they’re now open to the services you’re wanting to market. For example, they come to your showroom to view a vehicle and you ask if they would like to be contacted about similar vehicles, or whether they’re selling their own vehicle. You can now see why it’s so important to obtain the exact and correct nature of consent from your customers.
So when in doubt, get consent. Is that the case?
Yes and no. To answer that, we need to get to the core of POPIA, so bear with me for a sec. Firstly, if you are getting the contact details from the Data Subject and in deciding the purpose of that, you are considered the Responsible Party under POPIA. Being the Responsible Party means that you have to have legal grounds to process that information – although consent is one of the legal grounds, there are actually five other legal grounds on which to legally process a Data Subject’s Personal Information. And these are:
That’s a lot more options than just getting consent for everything?
Yes, but the two that are most applicable to Dealerships and MBR’s, other than consent, are
What kind of example would cover that last one, as in protecting the legitimate interest of the Data Subject?
I can’t actually think of one that is relevant to Dealerships and MBR’s. Most legal grounds will be because they have consent, have a contract with a customer, or because the law requires it. Perhaps our readers can think of an example, and if so could send it to us via the link on our website. That would be very helpful!
That last one you mentioned, about processing being necessary to pursue the legitimate interests of the Responsible Party. As a Dealership or MBR, it is definitely in my legitimate interest to be able to canvas for new business. So does POPIA allow me to continue to do this on the basis of this being Legal Grounds?
No, it doesn’t. While it’s not very clear exactly what will and won’t be allowed under this Legal Ground, it is clear that the Data Subject’s right to have a say in the use of their data is still the important thing here, and thus the Regulator who is responsible for governing POPIA is unlikely to look favorably, or even kindly, on people who say that they’re using Personal Information because their ability to make money as a business depends on it.
So some of this doesn’t seem 100% clear cut or absolutely certain as to what the requirements are?
As with any new law, establishing that certainty comes about through case law. This means people challenging aspects of the law and a judge deciding on the case. The same will be true of POPIA, but the safest thing to do is to ask yourself, 'does my action require the use of Personal Information and, if so, am I ensuring that the Data Subject has a say in the use of their own data?' It is also important to make sure that when you have determined that you have a legitimate right to store the Personal Information of the Data Subject, that you always comply with the eight conditions for lawful processing of that Personal Information.
That seems simple enough – making sure the Data Subject has a say in the use of their Personal Information?
It might seem simple, but please be aware that the Act is 183 pages long and we’ve simply discussed one very small part of it. In future episodes we will cover other critical parts, such as when a Responsible Party has Legal Grounds for processing Personal Information, what else do they have to ensure this is in place? As I mentioned there are eight conditions for the lawful processing of data, all of them are relevant to Dealerships and MBR’s and all are important to understanding the full picture. For example, security safeguards. Some Dealerships might use laptops that they take home in the car with them, and that laptop contains Personal Information. So what do you need to do to ensure that the Personal Information contained on that laptop is not at risk if your laptop gets stolen? What about the handwritten notes you’ve made of someone else’s information and then left lying around at the office? Do you see how much more there is to discuss?
So that’s it for now. I would also like to remind everyone that, while we try to unpack these topics in as much detail as possible, we can’t possibly cover all angles on any one given topic in this format. And while the purpose of this series is not to give legal advice and the views we set out here are simply Lightstone’s interpretation of the key topics related to POPIA, we cannot stress enough that this information is not intended to be legal advice. If you are looking for formal legal advice on the specifics of managing consent in terms of POPIA and general POPIA compliance, please seek the advice of a registered lawyer or licensed practitioner.
That said, we hope this helped you understand consent under POPIA a little better and made your job just a little easier.
In the next episode, we’ll discuss the eight conditions for lawful processing of Personal Information.