Ivory Coast Law 2013-450

Law No. 2013-450 of June 19, 2013 on the Protection of Personal Data

Flag of CI
Ivory CoastOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
June 19, 2013
Enacted
June 19, 2013
Enforcing Authority
Autorité de Régulation des Télécommunications/TIC de Côte d'Ivoire (ARTCI)
Consent Model
Opt-in
Applies To
All natural and legal persons collecting personal data in Ivory Coast

Overview

Ivory Coast's data protection law features an escalating penalty structure — repeat offenders within 5 years face up to XOF 100 million or 5% of pre-tax sales. ARTCI has been actively issuing formal notices, particularly against online lending applications. Prior declaration or authorization is required before processing.

What This Means for Your Website

  • Prior declaration to ARTCI is required before processing personal data
  • Authorization is needed for sensitive data processing
  • First offense penalties reach XOF 10 million; repeat offenses escalate to 5% of pre-tax sales
  • ARTCI actively enforces compliance particularly in the fintech/lending sector
  • Data must be collected for specified, legitimate purposes only

Key Requirements

ARTCI enforces the law with escalating penalties: up to XOF 10M for first offenses, up to XOF 100M or 5% of revenue for repeats within 5 years (capped at XOF 500M). Prior declaration is required before processing. ARTCI has been particularly active against online lending applications.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Ivorian visitors meeting ARTCI's declaration and consent requirements.

Penalties

First offence: up to XOF 10,000,000. Repeat within 5 years: up to XOF 100,000,000 or 5% of pre-tax sales (capped at XOF 500,000,000).

Maximum Fine
F CFA 500,000,000 per violation
Revenue-based
5% of annual revenue

Key Requirements

  • Prior declaration to ARTCI required before processing
  • Authorization required for processing sensitive data
  • Consent required for lawful processing
  • Data collected for specified legitimate purposes only
  • Appropriate security measures mandatory
  • Data subject rights: access, rectification, objection

Notable Provisions

  • Escalating penalties — 5% revenue cap for repeat offenders
  • ARTCI active against online lending applications
  • Prior declaration or authorization required
  • Among higher penalty frameworks in West Africa

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Uganda DPPA 2019Republic of Uganda
Uganda's Data Protection and Privacy Act 2019 establishes the PDPO as an independent office under NITA-U. It prohibits processing personal data without prior consent and mandates accountability, lawful collection, data minimization, and purpose limitation. Criminal penalties of up to 10 years imprisonment make it one of the strictest enforcement regimes in East Africa.

Frequently Asked Questions

How do Ivory Coast penalties escalate?

First offense: up to XOF 10M. Repeat within 5 years: up to XOF 100M or 5% of pre-tax sales, capped at XOF 500M.

Is ARTCI actively enforcing?

Yes. ARTCI has been active in issuing formal notices, particularly targeting online lending applications.

Must processing be declared in Ivory Coast?

Yes. Prior declaration to ARTCI is required, with authorization needed for sensitive data processing.

Stay compliant with Ivory Coast Law 2013-450

ConsentStack helps you implement Opt-in consent for Ivory Coast automatically.

Get started free