Algeria's Data Protection Framework: Law 18-07
Algeria passed Law No. 18-07 on the Protection of Individuals in the Processing of Personal Information in June 2018. The law established a broad framework governing how organisations collect, store, and use personal data belonging to individuals in Algeria.
Article 47 of the Algerian Constitution already enshrines the right to privacy, covering correspondence, communications, and personal data. Law 18-07 built on that constitutional foundation by setting out specific obligations for data controllers and processors. It applies to natural persons, legal entities, and public bodies, though it excludes processing for purely domestic use, national security, and law enforcement purposes.
The law requires that all personal data processing respect human dignity, the right to privacy, and public liberties.
In July 2025, Algeria adopted Law No. 25-11, which amended and supplemented the original framework. The amendment introduced mandatory Data Protection Officer appointments, detailed processing records, Data Protection Impact Assessments for high-risk processing, and a five-day breach notification window to the supervisory authority. New definitions covering biometric data, profiling, and personal data breaches were also added.
Does Algeria Have Cookie-Specific Rules?
No. Neither Law 18-07 nor the 2025 amendment (Law 25-11) contains provisions specifically addressing cookies, tracking pixels, or advertising technology.
Algeria has no equivalent of the EU's ePrivacy Directive, which explicitly regulates the storage of information on user devices. There is no dedicated cookie consent regime, no cookie categorisation requirements, and no separate rules for analytics or marketing trackers.
That said, cookies that collect personal data - such as _ga, _fbp, or any identifier linked to an individual - fall under the general consent requirements of Law 18-07. If a cookie processes personal data as defined by the law, the same rules apply as for any other form of data collection.
Consent Requirements Under Law 18-07
Law 18-07 requires express consent before personal data is collected. Consent must meet four conditions:
Voluntary - given freely, without pressure or coercion
Informed - the data subject must know the purpose, recipient, and scope of processing
Specific - consent must relate to a defined purpose; blanket consent for unrelated purposes is not valid
Withdrawable - individuals may revoke consent at any time
These conditions closely mirror GDPR consent standards under Article 7. Organisations that already comply with European consent requirements will find the Algerian standard familiar, though the enforcement landscape differs significantly.
Sensitive data categories - ethnic origin, political opinions, religious beliefs, trade union membership, health data, and genetic information - require heightened protection and explicit authorisation.
The ANPDP: Algeria's Data Protection Authority
Law 18-07 established the National Authority for the Protection of Personal Data (Autorite Nationale de Protection des Donnees a Caractere Personnel, or ANPDP). The authority is composed of 16 members serving a maximum of 10 years, funded independently from the state budget.
The ANPDP's mandate covers receiving processing declarations, issuing authorisations, handling complaints, conducting investigations, and imposing administrative sanctions. It also has subpoena powers and the authority to order the suspension of unlawful data processing activities.
Public enforcement actions from the ANPDP remain scarce. No published decisions, formal guidelines, or public fines have been reported as of early 2026. This does not mean the law is irrelevant. The 2025 amendments expanded the ANPDP's oversight powers, and organisations should expect enforcement activity to increase as the authority matures.
Penalties for Non-Compliance
Algerian data protection law includes both administrative and criminal sanctions. The penalty structure is notably different from the percentage-of-turnover model used under the GDPR.
| Violation | Fine (DZD) | Imprisonment |
|---|---|---|
| Processing without express consent | 100,000 - 300,000 | 1 - 3 years |
| Failure to follow formal procedures | 200,000 - 500,000 | 2 - 5 years |
| Non-compliance with data security rules | 200,000 - 500,000 | N/A |
| General violations | 20,000 - 1,000,000 | 2 months - 5 years |
At current exchange rates, fines range from roughly 150 USD to 7,500 USD. These amounts are modest compared to GDPR penalties, but the criminal sanctions - including potential imprisonment - add a dimension that European data protection law does not typically include.
How Algeria Compares to the GDPR
Algerian data protection law shares structural similarities with European regulation, but key differences exist.
| Feature | Algeria (Law 18-07) | EU (GDPR) |
|---|---|---|
| Express consent required | Yes | Yes |
| Cookie-specific rules | No | Yes (ePrivacy Directive) |
| DPO requirement | Yes (from 2025) | Yes (certain controllers) |
| Breach notification | 5 days to ANPDP | 72 hours to DPA |
| Criminal penalties | Yes (imprisonment possible) | Varies by Member State |
| Maximum fine | ~7,500 USD | Up to 20M EUR or 4% turnover |
| Cross-border transfer rules | Authorisation required | Adequacy or safeguards |
| Convention 108 signatory | No | Yes (EU Member States) |
Algeria has not signed the Council of Europe's Convention 108 or the African Union's Malabo Convention on Cyber Security and Personal Data Protection. International data transfers require ANPDP authorisation unless the data subject gives express consent, a bilateral agreement exists, or specified exceptions apply (contract performance, protection of life, public interest).
Compliance Checklist for Websites Targeting Algeria
Even without cookie-specific legislation, websites collecting data from Algerian visitors should follow practical steps grounded in the general consent framework.
Audit your cookies - run a cookie scan to identify every tracker on your site, including third-party scripts that set cookies like
_gaor_fbpImplement a consent mechanism - use a consent management platform that blocks non-essential cookies until the visitor grants permission
Write a clear privacy notice - disclose what data you collect, why, and who receives it, following the transparency requirements of Law 18-07
Publish a cookie policy - list all cookies by category, their purpose, duration, and whether they are first-party or third-party
Allow withdrawal - give visitors a way to revoke consent at any time, which is a legal requirement under the Algerian framework
Maintain records - the 2025 amendment requires detailed processing records; keep documentation of consent collected
Review cross-border transfers - if personal data leaves Algeria, confirm whether authorisation from the ANPDP is needed
Regional Context: North Africa and the Middle East
Algeria sits within a region where data protection laws are developing at different speeds. Morocco's Law 09-08, enacted in 2009, has a longer enforcement track record through its Commission Nationale (CNDP). Egypt's Personal Data Protection Law (Law No. 151 of 2020) introduced its own consent-based framework with dedicated provisions for electronic marketing.
Tunisia adopted its data protection law in 2004, making it one of the earliest in Africa. Across the continent, South Africa's POPIA has emerged as one of the most actively enforced frameworks, with its Information Regulator issuing fines and enforcement notices since 2021.
For website owners operating across multiple North African or Middle Eastern markets, a consent-first approach to cookie banners provides a practical baseline that satisfies the requirements of most jurisdictions in the region.
Frequently Asked Questions
Does Algeria require cookie consent on websites?
Algeria has no cookie-specific law, but Law 18-07 requires express consent before collecting personal data. Cookies that identify individuals or track behaviour fall under this general consent requirement.
What is the ANPDP and is it actively enforcing data protection?
The ANPDP (Autorite Nationale de Protection des Donnees a Caractere Personnel) is Algeria's data protection authority established under Law 18-07. As of early 2026, no public enforcement actions or fines have been reported, though the 2025 amendments expanded its oversight powers.
What are the penalties for data protection violations in Algeria?
Fines range from 20,000 to 1,000,000 DZD (roughly 150 to 7,500 USD). Criminal sanctions can include imprisonment of two months to five years depending on the offence.
Do I need a cookie banner for Algerian visitors?
If your website sets cookies that process personal data from Algerian users, displaying a cookie banner that collects express consent before those cookies activate is the safest approach under Law 18-07.
How does Algerian data protection law compare to the GDPR?
Both require express consent, data minimisation, and purpose limitation. Key differences include Algeria's lack of cookie-specific rules, lower financial penalties, inclusion of criminal sanctions, and a five-day breach notification period versus the GDPR's 72 hours.
Can I transfer personal data out of Algeria?
International transfers require ANPDP authorisation unless an exception applies, such as express consent from the data subject, a bilateral agreement, or contract performance. The recipient country must offer sufficient privacy protection.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
