DPA 2018

Data Protection Act, 2018

Flag of BW
BotswanaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2021
Enacted
August 3, 2018
Enforcing Authority
Data Protection Commission
Consent Model
Opt-in
Applies To
All data controllers processing personal data within Botswana

Overview

Botswana's Data Protection Act 2018 is the country's first legislation focused solely on personal data protection. Enacted in August 2018 and effective from 2021, it establishes the Data Protection Commission with broad enforcement powers. The law carries some of Africa's harshest criminal penalties, with imprisonment terms of up to 12 years for serious violations.

What This Means for Your Website

If your website collects personal data from Botswana visitors, you must obtain consent before processing and inform data subjects of their rights before collection. Data must be processed lawfully, transparently, and fairly. Visitors have rights to access, correct, erase, and object to processing of their data.

Key Requirements

The Data Protection Commission enforces the Act with fines of BWP 20,000 to BWP 1,000,000 and imprisonment terms of 3-12 years. Data controllers must implement adequate security measures and comply with cross-border transfer adequacy requirements. Prior consent is mandatory for all personal data processing activities.

How ConsentStack Handles This

ConsentStack detects Botswana-based visitors and presents a compliant consent banner requiring affirmative opt-in before activating non-essential cookies and data processing technologies.

Penalties

BWP 20,000-1,000,000 fines; 3-12 years imprisonment

Maximum Fine
BWP 1,000,000 per violation

Key Requirements

  • Consent required before processing personal data
  • Data subjects must be informed of their rights before collection
  • Personal data processed lawfully, transparently, and fairly
  • Data subjects have rights of access, correction, erasure, and objection
  • Data security measures mandatory
  • Cross-border transfers subject to adequacy requirements

Notable Provisions

  • 12-year maximum imprisonment among the highest in Africa
  • BWP 1M maximum fine for failure to inform data subjects of rights
  • First statutory enactment in Botswana focused solely on personal data protection

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

What are the penalties under Botswana's DPA?

Fines range from BWP 20,000 to BWP 1,000,000, with imprisonment terms of 3 to 12 years for serious violations.

Does Botswana require consent for cookies?

Botswana's DPA has no cookie-specific provisions, but personal data collected via cookies is subject to general consent requirements.

When did Botswana's DPA take effect?

The law was enacted in August 2018 and became effective in 2021.

Stay compliant with DPA 2018

ConsentStack helps you implement Opt-in consent for Botswana automatically.

Get started free