In the era of Open Finance, “I agree to the Terms and Conditions” is often the most dangerous lie in finance. For South African banks, fintechs, and insurers, relying on a hastily ticked box to justify sharing sensitive financial data is no longer just bad customer experience—it is a regulatory minefield.
As South Africa moves toward a regulated Open Finance regime, the pressure is on. Under Section 1 of the Protection of Personal Information Act 4 of 2013 (POPIA)[1], consent is defined as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.” Financial institutions often treat it as a compliance hurdle rather than a consumer right. Many believe a single “Accept All” button covers everything from credit checks to selling transaction history. It doesn’t.
To understand what true consent looks like in a financial context, we must look beyond our borders. By examining failures and successes in Africa, the UK, the EU, the USA, and Singapore, we can unpack the four key elements of POPIA’s definition of consent: it must be Voluntary, Specific, Informed, and an Expression of Will.
1. The “Voluntary” Standard
The word “voluntary” in Section 1 of POPIA means that a data subject must have a genuine, free choice about whether to consent. Consent obtained under duress, through coercion, or by “bundling” it with non-essential services is not voluntary and is therefore invalid. Separately, Section 11(2)(b) provides that a data subject may withdraw consent at any time, reinforcing that consent is an ongoing, revocable act—not a once-off, irrevocable commitment. The right of withdrawal and the requirement of voluntariness are distinct but complementary protections: voluntariness governs the quality of consent at the point it is given, while revocability governs the data subject’s continuing control after that point.
Case Study: Nigeria (FCCPC vs. Meta/WhatsApp)
On 19 July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) imposed a $220 million administrative penalty on Meta following a 38-month joint investigation with the Nigeria Data Protection Commission.[2] While the consent-bundling element—a “take it or leave it” privacy update that forced users to accept data sharing between WhatsApp and Facebook companies to maintain access—attracted the most attention, the FCCPC’s findings were broader. The Commission found violations of both the Federal Competition and Consumer Protection Act (FCCPA) 2018 and the Nigeria Data Protection Regulation (NDPR) 2019, including abuse of dominant market position, discriminatory treatment of Nigerian users compared with users in other jurisdictions, and appropriation of personal data without consent.
The Lesson for the South African Financial Sector:
This ruling is a warning for “Super Apps.” A bank cannot say, “To keep using your transactional account, you must agree to share your spending habits with our insurance partners.” In Open Finance, consent must be unbundled. If a primary service is held hostage to extract consent for secondary data sharing, that consent is not voluntary and is therefore void under POPIA. Nor can the institution treat its users in South Africa less favourably than users elsewhere—the competition law dimension of the Nigerian ruling underscores that bundling can also raise market dominance concerns.
2. The “Specific” Standard
Section 1 of POPIA requires consent to be “specific” to a purpose. Section 13 reinforces that personal information must be collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party.
Case Study: USA (California – Dark Patterns Guidance)
In September 2024, the California Privacy Protection Agency (CPPA) issued Enforcement Advisory No. 2024-02 addressing “Dark Patterns”—user interfaces designed to subvert consumer autonomy.[3] The Advisory emphasises “symmetry in choice,” meaning that the path for a consumer to exercise a more privacy-protective option must not be longer, more difficult, or more time-consuming than the path to exercise a less privacy-protective option. It is important to note that this Advisory is regulatory guidance, not the product of an enforcement action; the CPPA has not yet publicly penalised any company specifically for dark patterns, though it has disclosed that multiple investigations are under way.
The Lesson for the South African Financial Sector:
In the world of screen-scraping and API integrations, specificity is king. A budgeting app cannot simply ask for “access to your bank account.” Under POPIA, the consent request must be granular:
- “Do you consent to share your current account transaction history…”
- “…for the past 3 months…”
- “…specifically for the purpose of generating a credit score?”
If a user consents to a credit check, that data cannot be quietly reused to market a holiday loan. And the interface through which consent is collected must make it equally easy to say “no” as to say “yes.”
3. The “Informed” Standard
Section 1 of POPIA requires consent to be “informed.” Section 18 (Notification to Data Subject) outlines the specific details a responsible party must provide before collecting data to ensure the subject is truly informed.
Case Study: UK (RTM v Sky Betting & Gaming)
In the High Court case of RTM v Bonne Terre Limited (t/a Sky Betting and Gaming) [2025][4], Collins Rice J ruled in favour of a recovering gambling addict (“RTM”) who claimed that Sky Betting & Gaming (SBG) had unlawfully processed his personal data through cookies for the purposes of profiling and personalised direct marketing. The court’s analysis was more nuanced than a simple finding that addiction impaired consent. Collins Rice J identified three distinct strands of legally effective consent: the subjective state of mind of the data subject, the autonomous quality of the consent procedure, and the evidentiary standard the data controller must meet to demonstrate consent. On the facts, the court found that RTM’s consenting behaviour could not be described as free, unambiguous, informed, or specific under UK GDPR Article 4(11)—his addiction meant he clicked through consent mechanisms without genuine engagement.
It should be noted that Collins Rice J cautioned that this ruling was specific to RTM’s individual circumstances and the relevant time period (2017–2018) and should not be taken as establishing a broad precedent. Nevertheless, the principles it articulates about the quality of consent are instructive.
The Lesson for the South African Financial Sector:
This is critical for aggressive lending. If a bank uses AI to identify financially distressed customers and asks for consent to share their data with a debt consolidation partner, is that consent valid if the customer is desperate? To meet the “Informed” standard, financial institutions must clearly explain the risks, ensuring that even vulnerable customers understand that sharing their data moves it outside the bank’s secure environment. The RTM judgment reminds us that consent is not merely a procedural checkbox—it has a subjective, autonomous, and evidentiary dimension. Where a customer’s decision-making capacity is impaired by their circumstances, the institution carries the risk that consent may later be found invalid.
4. The “Expression of Will” Standard
The fourth element of POPIA’s definition—often overlooked—is that consent must be an “expression of will.” This requires a positive, affirmative act by the data subject: ticking a box, clicking a button, or otherwise signalling agreement. The implication is that silence, pre-ticked boxes, or mere inactivity should not constitute valid consent. In an Open Finance context, where consent mechanisms are overwhelmingly digital, this element is critical. A financial institution that relies on pre-selected toggles or interprets a customer’s failure to opt out as consent is unlikely to satisfy this standard.
The Lesson for the South African Financial Sector:
Product designers building Open Finance consent flows should ensure that every data-sharing permission requires an affirmative act by the customer. Default-on settings for data sharing, or terms that deem consent from continued use of a service, carry significant legal risk under POPIA.
5. When Consent Isn’t Needed
Section 11(1) of POPIA provides six grounds for lawful processing, of which consent is only one. These include processing that protects a legitimate interest of the data subject (Section 11(1)(d)) and processing necessary for pursuing the legitimate interests of the responsible party or a third party (Section 11(1)(f)). Critically, processing that complies with an obligation imposed by law (Section 11(1)(c)) is also a standalone ground—a point often overlooked in practice.
Case Study: Singapore (Re RedMart Limited)
In Re RedMart Limited [2023][5], the Personal Data Protection Commission (PDPC) of Singapore considered a complaint that RedMart had collected photographs of identification documents from suppliers delivering goods to its warehouses without obtaining consent. The PDPC found that consent was not validly obtained because the collection of ID photographs was a condition of entry into the warehouses, and it was not apparent to suppliers that their documents would be photographed and stored. However, the Commission ruled that the processing was still lawful under the Legitimate Interests Exception introduced to the Personal Data Protection Act (PDPA) by the 2020 amendments, as RedMart had a legitimate interest in deterring food security incidents and had implemented measures to mitigate the adverse effects on suppliers.
The Lesson for the South African Financial Sector:
Banks often over-request consent for processes where other lawful grounds apply. If you are submitting a name to the Southern African Fraud Prevention Service (SAFPS) or conducting FICA checks, do not ask for consent. FICA checks are a statutory obligation, making Section 11(1)(c) (compliance with a legal obligation) the more natural basis. For fraud prevention activities that go beyond statutory mandates, such as sharing data across banks to detect syndicate activity, Section 11(1)(f) (legitimate interest) is the appropriate ground. If you rely on consent for a fraud check and the customer refuses, you are stuck; if you have relied on the correct lawful ground from the outset, the customer's willingness to consent is not a factor. In Open Finance, sharing data to detect financial crime does not require a user's permission. It requires robust governance: a documented lawful basis, a defined purpose, and controls that keep the data from drifting into unrelated uses.
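The following is an added example and not code from the article. It turns the four consent elements from sections 1 to 4 (granular scope and single purpose, an affirmative act rather than a default-on toggle, a risk notice shown before agreement, withdrawal under Section 11(2)(b)) and the lawful-ground point above into an authorisation check that an Open Finance API gateway could run before releasing data. Every identifier (`ConsentRecord`, `consent_defect`, `authorise`, the purpose strings, the customer IDs) is an assumption made for the example; the section numbers are the ones the article cites.

```python
# Added example, not code from the article. Enforces POPIA's consent elements
# (voluntary, specific, informed, expression of will, withdrawable) and purpose
# limitation at an Open Finance API gateway, and routes FICA/fraud purposes to
# their own lawful ground instead of consent. Every identifier below is an
# assumption made for this example; the section numbers follow the article.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Purposes that rest on a lawful ground other than consent, per section 5 above.
NON_CONSENT_BASES = {
    "fica_verification": "POPIA s11(1)(c): compliance with a legal obligation",
    "cross_bank_fraud_detection": "POPIA s11(1)(f): legitimate interest",
}

@dataclass
class ConsentRecord:
    subject_id: str
    data_scope: str               # granular, e.g. "current_account.transactions"
    purpose: str                  # one purpose, e.g. "credit_score"; never "*"
    lookback_days: int            # "for the past 3 months" -> 90
    affirmative_act: bool         # customer actively ticked/clicked (no default-on)
    risk_notice_shown: bool       # s18 notice shown before the customer agreed
    bundled_with_essential: bool  # refusing would have blocked the primary service
    granted_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None   # s11(2)(b) withdrawal, if any

def consent_defect(c: ConsentRecord, now: datetime) -> Optional[str]:
    """Return why the record fails the s1 definition, or None if it holds."""
    if c.bundled_with_essential:
        return "not voluntary: consent was a condition of the primary service"
    if c.purpose.strip() in ("", "*", "any") or c.data_scope.strip() in ("", "*"):
        return "not specific: purpose or data scope is open-ended"
    if not c.risk_notice_shown:
        return "not informed: s18 notice was not presented before consent"
    if not c.affirmative_act or c.granted_at is None:
        return "no expression of will: default-on or deemed consent"
    if c.withdrawn_at is not None and c.withdrawn_at <= now:
        return "withdrawn under s11(2)(b)"
    return None

def authorise(records, subject_id, data_scope, purpose, oldest_record, now):
    """Decide whether `data_scope` may be released for `purpose`.

    Returns (allowed, reason). A non-consent purpose is allowed on its own
    lawful ground and never consults the consent store. Anything else needs a
    defect-free consent for exactly this scope AND purpose (consent for a
    credit score never unlocks marketing) whose lookback, measured from the
    grant, covers the oldest record being requested. First match decides."""
    if purpose in NON_CONSENT_BASES:
        return True, NON_CONSENT_BASES[purpose]
    for c in records:
        if (c.subject_id, c.data_scope, c.purpose) != (subject_id, data_scope, purpose):
            continue
        defect = consent_defect(c, now)
        if defect:
            return False, defect
        if oldest_record < c.granted_at - timedelta(days=c.lookback_days):
            return False, "request exceeds the consented lookback window"
        return True, f"consent for {c.purpose} granted {c.granted_at:%Y-%m-%d}"
    return False, "no consent on record for this scope and purpose"

def demo():
    """Constructed sample data: two consent records for one customer."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    scope = "current_account.transactions"
    records = [
        # Granular, affirmative, informed consent for a credit score.
        ConsentRecord("cust-001", scope, "credit_score", lookback_days=90,
                      affirmative_act=True, risk_notice_shown=True,
                      bundled_with_essential=False,
                      granted_at=now - timedelta(days=10)),
        # A pre-ticked marketing toggle the customer never touched.
        ConsentRecord("cust-001", scope, "holiday_loan_marketing", lookback_days=90,
                      affirmative_act=False, risk_notice_shown=True,
                      bundled_with_essential=False,
                      granted_at=now - timedelta(days=10)),
    ]
    return {
        "credit_score":  authorise(records, "cust-001", scope, "credit_score",
                                   now - timedelta(days=30), now),
        "too_far_back":  authorise(records, "cust-001", scope, "credit_score",
                                   now - timedelta(days=200), now),
        "marketing":     authorise(records, "cust-001", scope, "holiday_loan_marketing",
                                   now - timedelta(days=30), now),
        "insurer_share": authorise(records, "cust-001", scope, "insurance_partner_sharing",
                                   now - timedelta(days=30), now),
        "fraud":         authorise(records, "cust-001", scope, "cross_bank_fraud_detection",
                                   now - timedelta(days=400), now),
    }

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:14} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Two design points worth noting. First, the key of the check is (subject, scope, purpose), not (subject, scope): the credit-score consent in the sample never unlocks the marketing request, which is the purpose-limitation point from section 2 enforced in code rather than in policy. Second, the `ConsentRecord` fields (`granted_at`, `affirmative_act`, `risk_notice_shown`) are also the evidentiary trail that the third strand of the RTM judgment expects a controller to be able to produce; a gateway that cannot show when and how the affirmative act happened has nothing to rely on if the consent is later challenged. Measuring the lookback from the grant date and letting the first matching record decide are simplifications made for the example; a production store would pick the most recent record and log every decision.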
Summary: The Open Finance Compliance Checklist
As we move toward a connected financial ecosystem, compliance officers and product owners should ask these five questions to ensure they meet the POPIA consent standard:
- The “Voluntary” Test: Is it Unbundled? Can the customer get the loan without agreeing to share data with your marketing partners? If the answer is “no,” the consent is coerced and invalid.
- The “Specific” Test: Is it Granular? Are you asking for generic “financial data” (too vague) or “90 days of credit card history” (specific)? Specificity is your defence against “dark pattern” accusations.
- The “Informed” Test: Is the Risk Clear? Does the customer understand that sharing this data might affect their credit terms or privacy? If the potential harm isn’t disclosed, the customer is not truly informed.
- The “Expression of Will” Test: Is it Affirmative? Does the consent mechanism require a positive action from the customer, or does it rely on pre-ticked boxes, default-on settings, or deemed consent from continued use? Only an affirmative act satisfies POPIA.
- The Legitimate Interest Exception: Is Consent Even Necessary? Are you sharing data for fraud prevention or to comply with a statutory obligation? If so, stop asking for permission—rely on the appropriate lawful ground under Section 11(1).
Ultimately, moving beyond the checkbox is not just about avoiding regulatory penalties, but about building a financial ecosystem rooted in trust and transparency. By treating consent as a dialogue rather than a hurdle, institutions can empower consumers and secure their place in the future of Open Finance.