Consent vs Legitimate Interest in Nigeria: Which Lawful Basis Should Your Business Use?

By Global Law Experts
– posted 4 hours ago

Every business processing personal data in Nigeria must anchor each processing activity to a lawful basis under the Nigeria Data Protection Act 2023 (NDPA). For most commercial operations (marketing campaigns, customer analytics, employee records, cross-border transfers), the practical choice comes down to two options: consent or legitimate interest. Choosing between consent vs legitimate interest in Nigeria is no longer a theoretical exercise: the Nigeria Data Protection Commission (NDPC) intensified enforcement through 2025 and into 2026, issuing its General Application and Implementation Directive (GAID) with explicit requirements for documented Legitimate Interest Assessments (LIAs) and tighter audit scrutiny. Get the choice wrong and you face administrative fines, remedial orders, and reputational damage.

This guide delivers a direct, dimension-by-dimension comparison, a ready-to-use decision framework, and the concrete triggers that should send you to a data protection lawyer.

Option A: Consent Under the NDPA

Legal Definition and Statutory Requirements

Under the NDPA, consent must be freely given, specific, informed, and unambiguous. The data subject must clearly indicate agreement to the processing of their personal data for one or more specified purposes. Silence, pre-ticked boxes, or inactivity do not constitute valid consent. For sensitive personal data, including health records, biometric data, religious beliefs, and political opinions, the NDPA imposes a higher threshold, requiring explicit consent unless a statutory exception applies.

The NDPC’s GAID reinforces these requirements and adds operational expectations: controllers must maintain granular records proving that each consent was validly obtained, and privacy notices must be clear enough for the average data subject to understand what they are agreeing to.

Practical Consent Mechanics

Implementing consent as your lawful basis demands specific operational infrastructure:

  • Active opt-in. Each processing purpose requires a separate, affirmative action; bundled consent for multiple unrelated purposes is unlikely to satisfy the NDPA’s specificity requirement.
  • Granularity. Where you process data for marketing, analytics, and service delivery, you need separate consent capture for each.
  • Withdrawal mechanism. Data subjects must be able to withdraw consent as easily as they gave it. Withdrawal must halt processing and you cannot penalise the data subject for exercising this right.
  • Recordkeeping. Maintain timestamped logs of who consented, when, to what purpose, and through which interface. These records are your primary audit evidence if the NDPC investigates.

When Consent Is Mandatory

Consent is not merely one option among equals: in certain scenarios it is the only permissible lawful basis under the NDPA and GAID:

  • Sensitive personal data. Processing health, biometric, genetic, or political data requires explicit consent unless a narrow statutory exception applies.
  • Electronic direct marketing. Where sector-specific rules or GAID provisions require opt-in for commercial electronic messages, consent is the mandatory basis.
  • Children’s data. Processing personal data of minors below the statutory age threshold requires verifiable parental or guardian consent.
  • Cross-border transfers to non-adequate jurisdictions. Explicit consent may be required where no adequacy determination or appropriate safeguards exist.

Option B: Legitimate Interest Under the NDPA

Statutory Position in the NDPA and GAID

Legitimate interest is recognised as a lawful basis for processing under Section 25 of the NDPA. This represents a significant development from the earlier Nigeria Data Protection Regulation (NDPR), which omitted legitimate interest entirely and forced controllers to rely almost exclusively on consent. Under the NDPA, a controller or third party may process personal data where the processing is necessary for the purposes of their legitimate interests, provided those interests are not overridden by the rights and freedoms of the data subject.

The NDPC’s GAID tightens this considerably. Controllers relying on legitimate interest must now prepare and maintain a documented Legitimate Interest Assessment (LIA) that demonstrates each step of the analysis. The GAID makes clear that an undocumented reliance on legitimate interest will not withstand NDPC audit scrutiny.

The Three-Part Test

Legitimate interest under the NDPA mirrors the widely adopted three-part test structure. Each element must be satisfied and documented:

  • Purpose test. Identify the specific legitimate interest being pursued. It must be lawful, clearly articulated, and real, not vague or speculative. Common qualifying interests include fraud prevention, network security, internal administrative purposes, and direct marketing where the data subject reasonably expects it.
  • Necessity test. Confirm that the processing is genuinely necessary to achieve the identified interest. If you can achieve the same purpose through less intrusive means, legitimate interest fails at this stage.
  • Balancing test. Weigh the controller’s interest against the data subject’s rights, interests, and reasonable expectations. Consider the nature of the data, the relationship between controller and data subject, the potential impact on the individual, and whether adequate safeguards or mitigations are in place.

When Legitimate Interest Is Unsuitable

Legitimate interest is not a catch-all alternative to consent. It will fail or attract high enforcement risk in these situations:

  • The processing involves sensitive personal data (the NDPA does not permit legitimate interest for most sensitive data categories).
  • Electronic direct marketing is involved and sector rules or GAID provisions require consent.
  • There is a significant imbalance of power between the controller and data subject (e.g., employer–employee relationships in certain contexts).
  • The processing would be unexpected or surprising to the data subject, making the balancing test difficult to satisfy.

Consent vs Legitimate Interest in Nigeria: Side-by-Side Comparison

The following table is the centrepiece of this analysis. Use it to compare the two lawful bases across every decision dimension that matters to NDPC audit readiness and operational cost.

| Dimension | Consent | Legitimate Interest |
|---|---|---|
| Legal test (NDPA/GAID) | Freely given, specific, informed, unambiguous; recorded and withdrawable at any time | Three-part test: purpose + necessity + balancing; documented LIA required by GAID |
| Typical use cases | Electronic direct marketing; sensitive data; children’s data; cross-border transfers without safeguards | Fraud prevention; network security; internal analytics; marketing where reasonable expectation exists |
| Documentation required | Consent logs (timestamp, purpose, mechanism); withdrawal records; privacy notice | Written LIA with balancing analysis, mitigation measures, periodic review schedule; privacy notice |
| NDPC enforcement risk | High if consent is coerced, bundled, or poorly recorded: loss of lawful basis + fines | High if LIA is missing, incomplete, or fails balancing test: fines and remedial orders |
| Reversibility | Data subject can withdraw at any time; processing must stop | Not subject to withdrawal, but controller must reassess if circumstances change |
| Direct marketing | Required for electronic direct marketing under most sector rules and GAID | Permissible only in narrow cases where data subjects reasonably expect marketing and LIA passes |
| Audit evidence | Consent records, IP/device logs, interface screenshots | Comprehensive LIA document, DPIA (where applicable), mitigation evidence, policy records |
| Implementation cost | Higher: consent management platform, ongoing recordkeeping, churn from opt-out | Lower at collection point but higher governance cost; major financial exposure if LIA is inadequate |

Three quick rules emerge from this comparison:

  • If the NDPA or GAID requires consent for the specific data type or processing activity, legitimate interest is not available: use consent.
  • If consent would be impractical or would undermine the processing purpose (e.g., fraud detection), and the balancing test is clearly satisfied, legitimate interest is the appropriate basis.
  • Whichever basis you choose, documentation is non-negotiable. The NDPC expects evidence (consent logs or a written LIA) at audit.

Dimension-by-Dimension Analysis: Consent vs Legitimate Interest Nigeria

Eligibility and Necessity

Both lawful bases are available under Section 25 of the NDPA, but they are not interchangeable. Consent is the only route for sensitive data processing (absent a statutory exception). Legitimate interest requires a genuine necessity link: if the same outcome can be achieved without processing the personal data in question, the necessity test fails and the basis collapses.

Cost and Quantified Enforcement Exposure

The financial exposure for choosing the wrong basis or implementing it poorly is material. The NDPA empowers the NDPC to impose administrative fines, and the GAID sets enforcement expectations that are already being applied.

| Item / Exposure | Consent | Legitimate Interest |
|---|---|---|
| Implementation cost | Consent management platform: US$2k–US$20k+ depending on scale; ongoing recordkeeping staff time | LIA documentation + DPO review: US$1k–US$15k depending on complexity; lower tech spend |
| NDPC fine exposure | Fines and remediation orders if consent found invalid or coerced | Fines up to 2% of annual gross revenue or minimum ₦2,000,000 for data controllers of minor importance; higher thresholds for major controllers |
| Ongoing operational cost | High: granular consent management for multiple purposes; higher opt-out handling burden | Moderate: fewer collection friction costs but higher governance and periodic LIA review overhead |

Timing and Speed to Launch

Consent-based processing can delay product and campaign launches because consent capture flows must be designed, tested, and deployed before any data collection begins. Legitimate interest can be faster to operationalise at the point of collection, but only if the LIA has been completed and documented in advance. Rushing to rely on legitimate interest without a defensible LIA is the single most common compliance failure the NDPC targets.

Liability and Remedies

Under the NDPA, the NDPC can issue remedial and enforcement orders, impose administrative fines, order compensation to affected data subjects, and in severe cases refer matters for criminal prosecution. Both lawful bases expose controllers to civil claims from data subjects. The risk profile differs: consent failures tend to produce individual complaints and class actions, while LIA failures tend to trigger NDPC-initiated audits and sector-wide investigations.

Enforceability and Practical NDPC Tests

The GAID makes the NDPC’s expectations explicit: controllers relying on legitimate interest must produce a documented LIA that covers purpose identification, necessity analysis, balancing test reasoning, and mitigation measures. Periodic review of the LIA is expected, particularly when the processing context changes. For consent, the NDPC expects verifiable records demonstrating each element of valid consent.

What Changed in 2026: The Lawful Basis NDPA 2026 Landscape

The enforcement environment for consent vs legitimate interest in Nigeria shifted materially between 2024 and 2026. The NDPC issued its GAID in 2025, creating binding implementation standards that go beyond the NDPA’s statutory text. Key changes affecting the lawful basis choice include:

  • Documented LIAs are now mandatory. The GAID requires controllers relying on legitimate interest to maintain a written assessment covering each step of the three-part test. An undocumented reliance on legitimate interest is treated as a compliance failure.
  • Audit intensity increased. The NDPC’s 2025 Annual Report confirmed a rise in sector-specific audits and compliance investigations, with lawful basis documentation as a primary audit checkpoint.
  • Fines are being imposed. Industry observers expect the enforcement pace to continue accelerating in 2026 and beyond, with the NDPC demonstrating willingness to impose meaningful financial penalties on controllers that cannot justify their chosen lawful basis.
  • Consent standards tightened. The GAID reinforces that consent must be specific and granular; bundled or vague consent forms are increasingly likely to be found non-compliant.

The practical implication is straightforward: in 2026, both lawful bases demand robust documentation. The era of informal reliance on either consent or legitimate interest, without auditable evidence, is over.

Decision Framework: When to Choose Consent, When to Choose Legitimate Interest

Use the following framework to make the lawful basis decision for each processing activity. This is not a one-time exercise: the GAID expects controllers to reassess when processing contexts change.

| If your priority is… | Choose… |
|---|---|
| Processing sensitive personal data (health, biometric, political) | Consent |
| Electronic direct marketing to new contacts | Consent |
| Processing children’s data | Consent |
| Cross-border transfer without adequacy or safeguards | Consent |
| Fraud detection or prevention | Legitimate Interest |
| Network and information security | Legitimate Interest |
| Internal analytics where data subjects reasonably expect it | Legitimate Interest |
| Existing customer marketing with reasonable expectation | Legitimate Interest (with documented LIA) |

Choose consent when:

  • The processing is intrusive or involves sensitive personal data; the NDPA requires explicit consent for such processing.
  • The activity is electronic direct marketing and sector rules or the GAID indicate consent is required.
  • You cannot demonstrate necessity or reasonable expectation (the balancing test would fail).
  • You need a reversible lawful basis where user withdrawal is expected, such as marketing preference management.

Choose legitimate interest when:

  • Processing is necessary for security, fraud prevention, or anonymised analytics, and the data subject reasonably expects the processing.
  • You have robust governance in place: a documented LIA, a DPIA where appropriate, mitigation measures, and transparent privacy notices.
  • Consent would be impractical or would undermine the processing purpose (e.g., requiring consent for fraud screening would defeat its purpose), and the balancing test is satisfied.
  • You can demonstrate the processing creates no significant risk to data subject rights and that adequate safeguards are in place.

When to Engage a Lawyer

Many lawful basis decisions can be made internally using the framework above. However, certain situations demand professional legal advice before processing begins. Engage a data protection lawyer in Nigeria when:

  • Your processing involves cross-border transfers to jurisdictions without NDPC adequacy determinations; the interplay between lawful basis and transfer mechanisms is complex.
  • You are processing sensitive personal data at scale (health tech, insurance, biometric identity) and need to determine whether a consent exception applies.
  • Your business is classified as a data controller of major importance under the NDPA, exposing you to higher fine thresholds and more intensive NDPC scrutiny.
  • You anticipate an NDPC audit or investigation and need to ensure your LIA or consent documentation is defensible.
  • You are launching a direct marketing campaign across multiple channels and need to map each channel to the correct lawful basis under GAID.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Paul Mgbeoma at Tayo Oyetibo LP, a member of the Global Law Experts network.

Sources

  1. Nigeria Data Protection Act, 2023 (NDPA)
  2. NDPC General Application and Implementation Directive (GAID) 2025
  3. NDPC Annual Report 2025
  4. ICLG, Data Protection Laws and Regulations: Nigeria
  5. Recording Law, Nigeria Data Privacy Laws
  6. ICO, Legitimate Interests Guidance

FAQs

What is the difference between legitimate interest and consent under Nigerian law?
Consent requires the data subject to give freely given, specific, informed, and unambiguous agreement to defined processing purposes. Legitimate interest allows processing without the data subject’s explicit agreement, provided the controller can demonstrate a genuine interest, necessity, and that the processing does not override the data subject’s rights. Both are lawful bases under Section 25 of the NDPA, but they impose different documentation and operational obligations.
Yes. The NDPA expressly recognises legitimate interest as a lawful basis, a departure from the earlier NDPR, which omitted it. However, the NDPC’s GAID requires a documented Legitimate Interest Assessment demonstrating purpose, necessity, and balancing. Relying on legitimate interest without a written LIA is a compliance failure that exposes the controller to enforcement action.
Consent is the correct choice when processing sensitive personal data, collecting children’s data, conducting electronic direct marketing to new contacts, or transferring data cross-border without adequate safeguards. It is also preferable when the balancing test would fail because the processing is unexpected or intrusive from the data subject’s perspective.
For electronic direct marketing (email, SMS, automated calls), consent is the safer and typically required basis, consistent with the GAID and international best practice. Legitimate interest may be available for non-electronic marketing to existing customers who reasonably expect such communications, but only where a documented LIA supports the conclusion and an opt-out mechanism is provided.
Switching lawful bases mid-processing is legally problematic. You should not use both bases simultaneously for the same processing activity. If you initially relied on consent and wish to switch to legitimate interest, you must conduct a full LIA, update your privacy notice, and be prepared to justify the change to the NDPC. The safer approach is to identify the correct lawful basis before processing begins.
The NDPC can issue remedial and enforcement orders requiring you to stop processing, impose administrative fines (up to 2% of annual gross revenue or a minimum of ₦2,000,000 for data controllers of minor importance), order compensation to affected data subjects, and in severe cases make criminal referrals. The GAID makes clear that an absent or deficient LIA is treated as a failure to establish a lawful basis.
Engage counsel when your processing involves cross-border transfers, sensitive data at scale, direct marketing across multiple channels, or when you are a controller of major importance. A lawyer is also essential if you are facing or anticipate an NDPC audit, or need a bespoke LIA that will withstand regulatory scrutiny.