Drafting Privacy Consent Notices: A Nigerian Bank Case Study

A Tier-1 Nigerian bank has the following Consent Notice in a section of its bank account opening form for corporate accounts:

“XXXX Bank Plc is committed to the highest data privacy standards at all times and will only use the personal information you have provided to administer your account. We would also like to update you periodically about our products, services, promotional offerings and other information that may be of interest to you.

Please confirm your consent by Signing below:

Signatory A: ______________________________  Date ___________ 

Signatory B: ______________________________  Date ___________

You can withdraw your consent at any time by sending an email to dataprotectionoffice@----.com. To find out more about Privacy policy, please visit —--bank.com”  (Emphasis ours)

How We Are Thinking: The Problem of Bundled Consent
The consent notice above is a textbook example of bundled consent. When analyzed against the Nigeria Data Protection Act (NDPA), at least five critical compliance gaps emerge:
1. The Capacity to Consent
This consent notice is found in a corporate account opening pack. Data protection law protects natural persons. A corporate entity is a legal fiction and cannot be a "Data Subject." By asking a company to sign a "Consent Notice," the bank is likely using the wrong legal instrument for the wrong audience. If a bank needs to process the personal data of the company's directors, providing a Privacy Notice to those individuals directly, rather than seeking "bundled consent" from the corporate entity itself, may be a better approach.
2. Granularity & Bundling
The consent notice appears to bundle two distinct purposes, namely, account administration, and on the other hand, marketing (i.e.updates on products/services). Whereas, in the realm of data protection law, the principle is that consent ought to be granular. In this scenario, a user should be able to consent to account administration (which in any event, is a contractual necessity) without being forced to accept marketing materials. Bundling these two purposes can potentially invalidate the consent for the secondary purpose.

3. Affirmative Action (The "Opt-in")
The consent notice says, "Please confirm your consent by Signing below.". The potential gap here is that, if signing the form is mandatory to open the bank account, the marketing consent can hardly be said to be "freely given." For true compliance, having a separate, unticked checkbox specifically for marketing communications, allowing for a clear "opt-in" that is independent of the account opening itself, may be more compliant.

4. Right to Withdraw Consent
The consent notice states that consent can be withdrawn by emailing a specific address. However, in data protection law, the principle is that, it should be as easy to withdraw consent as it was to give it. If giving consent is as simple as a signature on a page, but withdrawing it requires a formal email process, this might be viewed by regulators as a "friction" violation.

5. Transparency & Specificity
The consent notice mentions "other information that may be of interest to you." Under data protection law, such language can be considered vague. The principle here is that organisations should provide specific details on what personal data is being used and who the "third parties" might be if the personal data is shared. "Interest to you" appears too broad to constitute "informed" consent.

This publication is based on the authors' independent analysis, observations, and experience advising clients on regulatory and compliance matters. It is provided solely for informational purposes. The views expressed herein do not constitute legal advice or an official recommendation, nor do they represent the position of any institution or client. Readers should seek specific professional advice before relying on any part of this publication.