NDPA

Nigeria Data Protection Act, 2023

Flag of NG
NigeriaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
June 12, 2023
Enacted
June 12, 2023
Enforcing Authority
Nigeria Data Protection Commission (NDPC)
Consent Model
Opt-in
Applies To
All data controllers/processors in Nigeria or processing data of Nigerian residents; two-tier classification

Overview

Nigeria's NDPA is one of Africa's most comprehensive data protection laws, replacing the earlier NDPR 2019. The GAID (General Application and Implementation Directive), effective September 2025, provides Africa's most detailed cookie consent framework — explicitly requiring conspicuous consent banners with accept/reject options for non-essential cookies.

What This Means for Your Website

  • Explicit, freely given, specific, informed, and unambiguous consent is required
  • Essential cookies are exempt; non-essential cookies require accept/reject banners (GAID)
  • The cookie consent banner must be conspicuous and easily accessible
  • A two-tier penalty structure applies based on organizational significance
  • Organizations processing 200+ data subjects in 6 months are classified as "major importance"
  • DPO appointment is mandatory for organizations of major importance

Key Requirements

The NDPC enforces the NDPA with penalties of NGN 10M or 2% of gross revenue for organizations of major importance, and NGN 2M or 2% for others. The GAID provides specific cookie consent requirements — the most detailed in Africa. DPIAs are required for high-risk processing.

How ConsentStack Handles This

ConsentStack detects Nigerian visitors and shows a GAID-compliant cookie consent banner with conspicuous accept and reject options for non-essential cookies.

Penalties

Organizations of Major Importance: NGN 10M or 2% of annual gross revenue. Others: NGN 2M or 2% of annual gross revenue.

Revenue-based
2% of annual revenue

Key Requirements

  • Explicit, freely given, specific, informed, and unambiguous consent
  • Data processing agreements between controllers and processors
  • DPIAs required for high-risk processing
  • DPO mandatory for organizations of major importance
  • Cookie consent banner with accept/reject for non-essential cookies (GAID)

Notable Provisions

  • Africa's most detailed cookie consent framework via GAID
  • Two-tier penalty structure based on organizational significance
  • Organizations of major importance: 200+ data subjects in 6 months
  • GAID effective September 2025

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Uganda DPPA 2019Republic of Uganda
Uganda's Data Protection and Privacy Act 2019 establishes the PDPO as an independent office under NITA-U. It prohibits processing personal data without prior consent and mandates accountability, lawful collection, data minimization, and purpose limitation. Criminal penalties of up to 10 years imprisonment make it one of the strictest enforcement regimes in East Africa.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.

Frequently Asked Questions

Does Nigeria have cookie-specific requirements?

Yes. The GAID (effective September 2025) provides Africa's most detailed cookie consent framework, requiring conspicuous banners with accept/reject options for non-essential cookies.

What are Nigeria's penalties?

Organizations of major importance: NGN 10M or 2% of revenue. Others: NGN 2M or 2% of revenue.

What makes an organization of major importance?

Processing data of 200+ subjects in 6 months, sector-based criteria, or volume-based criteria.

Stay compliant with NDPA

ConsentStack helps you implement Opt-in consent for Nigeria automatically.

Get started free