Why is CONSENT important?
“I Agree” is no longer enough. Here's what every Nigerian business, app builder, or data collector must know about lawful consent
We live in a world powered by data. Whether you're running an online store, building a mobile app, or managing a customer database, chances are you're collecting personal information every single day, including names, emails, purchase history, and even location data. But are you doing it legally?
In 2023, Nigeria passed the Nigerian Data Protection Act (NDPA), a game-changing law that sets clear standards for how data should be collected, processed, and protected. And right at the heart of this new legal framework is one powerful word: Consent.
Consent is no longer just about ticking a box. Under the NDPA, it's a legally binding requirement, one that must be freely given, informed, specific, and unambiguous.
This blog post shares simplified insights and key highlights from the notes of a fellow lawyer, Daniel Abah Iduh Esq, who recently attended the EMERGING PRACTICES AWARENESS SERIES 1.0, themed: Privacy in Practice – Equipping Lawyers for Data Protection Roles. His reflections on the NDPA’s rules on consent were so practical, we knew they deserved a wider audience.
Whether you’re a Nigerian startup founder, tech professional, digital marketer, or legal advisor, these excerpts will help you understand what valid consent looks like, how to implement it, and how to stay legally compliant while protecting your users.
Let’s dive in
CONSENT UNDER THE NIGERIAN DATA PROTECTION ACT (NDPA) 2023
The Nigerian Data Protection Act (NDPA) 2023 puts consent at the heart of lawful data processing. Depending on the different situations, consent can sometimes be oral, other times strict and expressly affirmed, and in some other cases, may be required from a third party, like in the case of infants.
Some important aspects of consent in the Act include:
DEFINITION OF CONSENT
Section 65 of the Act, which defines consent, expressly states that consent must be freely given, specific, informed, and unambiguous. The Act requires that before a data collector collects data from a data subject, AKA you, you must know exactly what you’re agreeing to, and you must actively say yes or no, no silence, confusion, or trickery. The general legal principle “silence means acquiescence” does not apply here (see section 26(3) of the Act.
HOW TO GIVE CONSENT
According to section 26(7) [a] and [b], consent to the use of your data must be affirmative and can be given orally, in writing, or by electronic means. So, by clicking on the “I AGREE” button on some websites, you may be deemed to have consented to the use of your data.
RIGHT TO CHANGE YOUR MIND
Section 26(4) of the Act gives you the right to withdraw consent at any time, and it must be just as easy to withdraw as it was to give (See also section 35 of the Act). However, it is apt to note that the mere fact that you have withdrawn consent would not make the previous use with your consent invalid and illegal. So, if you consented to Facebook using your personal data, and you decide to withdraw the consent two months later, you cannot sue Facebook for the time you agreed to them using your data. See section 26(5) of the Act. But of course, you can sue them if they continue to use your data after you have withdrawn your consent.
WHO IS TO PROVE THE EXISTENCE OF CONSENT?
Section 26(1) of the Act makes it clear that whoever is collecting your data has the burden and duty to prove that you gave him or her consent to use your data. No verbal guesses. No, “we thought you were okay with it.” They need evidence, like digital logs, signatures, or recorded consent, to prove and establish that consent was given by you. This provision seems to negate the trite position of the law that “he who asserts must prove”, as the law doesn’t seem to care about who is asserting. The burden of proof is strictly on the data collector.
WHO GIVES CONSENT FOR CHILDREN?
According to Section 31 of the Act, the general rule is that if the data subject is a child (under 18, as per Section 65), consent must come from a parent or legal guardian, else same will not be deemed as valid consent. But how do I know I know on my website that he’s a child? Section 31 (2) makes it mandatory for data collectors to apply or come up with mechanisms to verify the age and consent of each user. While I am aware that some websites will ask: “How old are you?” Before allowing you to use their site, I really doubt if this is sufficient, bearing in mind the duty now imposed by the law to further verify the age. Section 31(4) mentions the instances where you can take a child’s information without recourse to parental consent.
AUTOMATED DECISIONS
I included this because I read the Act and found it interesting. You applied for a job, and an automatic email is sent to you saying, “Your application has been rejected.” Section 37(a) empowers you with the right to ask, “How did you arrive at the fact that I am not qualified?” Some systems are programmed to reject applications of people from certain regions, age brackets, sex, ethnicity, religion, etc. (although these are not express requirements for the application), so that, when you send in your CV and the system screens it, you get an automatic rejection, an AI response. The law says, “No! Oga, don’t do that anymore.” This law now gives you the right, as the applicant, to challenge such automatic responses and demand the basis of such rejection.
Thus far, it’s clear that,
Under the NDPA, Consent isn’t a checkbox; it’s a legal requirement and a fundamental right when dealing with people’s information.
This is not limited to online sites, as section 2 of the Act makes the NDPA applicable to both automated data collectors and those who do so by other means.
The NDPA gives Nigerians control over how their data is collected and used. Whether you’re running a business, building an app, or signing up online, consent must be obtained properly and respected always.
Thank you for reading.
Daniel Abah Iduh, Esq.
Principal Solicitor
D. A. Iduh Advocates
Conclusion
As digital interactions become central to business and daily life in Nigeria, data protection is no longer optional, it’s the law. The NDPA makes it clear: You cannot collect someone’s data without their proper consent. And once given, that consent must be documented, respected, and revocable at any time.
For tech founders, developers, marketers, and even traditional businesses using spreadsheets or contact lists, this is your cue to audit your systems, update your privacy practices, and embed consent mechanisms that meet legal standards.
Consent isn't just about avoiding fines, it's about respecting people’s rights, building trust, and staying future-ready.
Need Help?
If you're unsure how to embed proper consent mechanisms into your app, website, or client process, or if you need help drafting compliant privacy notices, consent forms, or data-sharing policies, reach out to a data protection lawyer or compliance professional, like me, today.
About Legal Bytes
We are Adune Legal’s weekly Newsletter, which simplifies the Law for Busy Executives, Entrepreneurs, and Tech Enthusiasts interested in the legal aspects of Business, Technology, and Intellectual Property.
We love emails from our readers— reply to this email and let us know your thoughts and suggestions.
WAIT!!!
Become a paid subscriber and access;
Q&A sessions with Nneoma Grace via chats on Substack.
Detailed Legal Templates and examples to save you time and legal fees
Expert Interviews and Case Studies
Don't miss out on these perks - subscribe today and start enjoying it!
Thanks for reading Legal Bytes
Adune Legal’s Team
P.S. Like Legal Bytes? Please forward us to a friend.
P.P.S. Was this publication forwarded to you? Sign up here & see previous publications.