Law 24.001

Law No. 24.001 of January 2024 on the Protection of Personal Data

Flag of CF
Central African RepublicOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2024
Enacted
January 1, 2024
Enforcing Authority
Independent administrative DPA (NOT YET ESTABLISHED); Ministry of Digital Economy serving as interim overseer
Consent Model
Opt-in
Applies To
All processing of personal data within the CAR or having effects within its territory; excludes personal/household use

Overview

The Central African Republic enacted Law 24.001 in January 2024 as its first comprehensive data protection legislation. The law mandated establishment of an independent DPA within 12 months, but this deadline was missed in January 2025. The Ministry of Digital Economy, Posts, and Telecommunications serves as an interim overseer. Administrative penalties of up to 5% of annual turnover are among the highest in Central Africa, with additional criminal sanctions for fraudulent collection and data misuse.

What This Means for Your Website

If your website processes personal data of CAR visitors, consent is required before processing. Sensitive data categories including racial origin, political opinions, religious beliefs, health, and biometrics are subject to strict prohibition with limited exceptions. The law has broad scope, covering all processing having effects within CAR territory.

Key Requirements

Administrative penalties reach 5% of annual turnover, with criminal sanctions including imprisonment for fraudulent collection, data misuse, or unlawful retention. Prior notification or authorization is required before processing. Data subjects have rights of access, rectification, and deletion. The Ministry of Digital Economy oversees compliance on an interim basis.

How ConsentStack Handles This

ConsentStack detects CAR-based visitors and displays a compliant consent banner with opt-in, ensuring your website is prepared for enforcement when the permanent DPA is established.

Penalties

Administrative: up to 5% of annual turnover. Criminal: imprisonment and fines for fraudulent collection, data misuse, or unlawful retention.

Revenue-based
5% of annual revenue

Key Requirements

  • Consent required for personal data processing
  • Sensitive data subject to strict prohibition with limited exceptions
  • Data subjects have rights of access, rectification, and deletion
  • Prior notification or authorization before processing
  • Data security measures mandatory
  • Exceptions for consent, vital interests, preventive medicine, and legal claims

Notable Provisions

  • DPA NOT ESTABLISHED -- missed January 2025 deadline
  • Ministry of Digital Economy serves as interim overseer
  • 5% turnover penalty among the highest in Central Africa
  • Broad scope includes public security and defense processing

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does the CAR have an active data protection authority?

Not yet. The DPA mandated by the law missed its January 2025 establishment deadline. The Ministry of Digital Economy serves as interim overseer.

What are the penalties under Law 24.001?

Administrative penalties of up to 5% of annual turnover, plus criminal sanctions including imprisonment for fraudulent data collection and misuse.

When was the CAR's data protection law enacted?

Law 24.001 was enacted in January 2024 as the Central African Republic's first comprehensive data protection legislation.

Stay compliant with Law 24.001

ConsentStack helps you implement Opt-in consent for Central African Republic automatically.

Get started free