Angola's Data Protection Law and How It Applies to Cookies

Angola enacted its Lei da Protecção de Dados Pessoais (Personal Data Protection Law) as Law No. 22/11 on 17 June 2011. The law regulates how organisations collect, process, and store personal data belonging to individuals in Angola, covering both electronic and non-electronic formats.

There is no separate cookie-specific regulation in Angola. Cookies fall under the general data protection framework because tracking cookies like _ga, _fbp, and similar identifiers collect personal data as defined by Law 22/11. If your website sets cookies that identify or can be used to identify Angolan visitors, the law applies to you.

The law was modelled on Portuguese and EU data protection principles, giving it a familiar structure for anyone who has dealt with GDPR compliance.

Key Principles of Law 22/11

Law 22/11 establishes several core principles that govern all personal data processing, including data collected through cookies. These principles mirror many found in European frameworks.

Principle | What It Means for Cookies
Transparency | Visitors must be told what cookies your site sets and why
Legality | You need a lawful basis (typically consent) before setting non-essential cookies
Proportionality | Only collect cookie data that is relevant to the stated purpose
Good faith | Do not use deceptive practices to obtain consent or obscure cookie behaviour
Respect for private life | Cookie data must not be used in ways that infringe on visitor privacy
Purpose limitation | Data from cookies must only be used for the purpose disclosed at collection

These principles apply regardless of whether your organisation is based in Angola or abroad, provided you process data belonging to individuals located in the country.

Consent Requirements Under Angolan Law

Law 22/11 requires express consent from the data subject before processing personal data. Unlike some jurisdictions that allow implied consent for certain cookie types, the Angolan framework takes a stricter approach.

For website owners, this means you should present a cookie banner that gives Angolan visitors a genuine choice before analytics, advertising, or social media cookies are activated. Strictly necessary cookies - those required for basic site functionality like PHPSESSID or session tokens - may be set without consent, as they are essential for providing the service the visitor requested.

Consent must be freely given, specific, and informed. Pre-ticked boxes or bundled consent (where accepting cookies is a condition of using the site) would not satisfy the law's requirements. Your cookie consent mechanism should allow visitors to accept or reject different cookie categories independently.

Sensitive Data and Cookies

If any cookies on your site collect sensitive personal data - such as health-related information, religious beliefs, or political opinions - you face stricter obligations. Processing sensitive data requires a specific legal provision authorising it, plus prior authorisation from the APD. Most standard website cookies will not fall into this category, but health-sector websites or political platforms should audit their cookie inventory carefully.

The APD: Angola's Data Protection Authority

The Agência de Protecção de Dados (APD) is Angola's supervisory authority for data protection. Although Law 22/11 was enacted in 2011, the APD only became operational in October 2019. Since then, it has grown increasingly active in investigating and penalising non-compliant organisations.

The APD's powers include conducting inspections, ordering corrective measures, and imposing administrative fines. Understanding how data protection authorities operate can help you anticipate what the APD looks for during an investigation.

Recent Enforcement Actions

The APD has moved beyond theoretical enforcement. In mid-2024, it penalised five companies across different sectors. MAXAM, an explosives company, received a USD 150,000 fine for unlawfully transferring employee personal data to the United Kingdom without APD notification. Banco Comercial do Huambo was fined USD 75,000 for failing to implement adequate technical measures, which led to a cybersecurity breach.

In 2025, TAAG (Angola's national airline) was fined USD 170,000 for data protection violations related to passenger and employee data. These cases show that the APD is willing to target both private companies and state-owned enterprises.

Fines and Penalties

The penalty structure under Law 22/11 provides for administrative fines ranging from approximately USD 65,000 to USD 150,000, depending on the nature of the violation. Recent enforcement actions suggest the APD may impose cumulative fines for multiple breaches discovered in a single investigation, as seen in the TAAG case where the total reached USD 170,000.

Violations that can trigger fines include failure to notify the APD of data processing activities, processing personal data without valid consent, inadequate security measures, and unauthorised international data transfers.

Compared to GDPR fines, which can reach 4% of global annual turnover, Angola's fixed-range penalties are lower in absolute terms. But for small and medium businesses operating in the Angolan market, a USD 75,000 fine is far from trivial.

How Angola's Law 22/11 Compares to the GDPR

Both frameworks share common DNA - Law 22/11 drew on Portuguese and EU data protection traditions. But there are meaningful differences that affect how you approach compliance.

Requirement | Angola (Law 22/11) | EU (GDPR)
Lawful basis for cookies | Express consent required | Consent under Art. 5(3) ePrivacy Directive
DPO appointment | Not required | Required in certain circumstances
Breach notification | No mandatory requirement | 72-hour notification to supervisory authority
DPA notification | Must notify APD before processing | No prior notification needed
International transfers | APD approval for inadequate countries | Adequacy decisions, SCCs, or BCRs
Maximum fines | Approx. USD 65,000-150,000 | Up to EUR 20 million or 4% of turnover
Right to erasure | Yes | Yes (Art. 17 GDPR)
Right of access | Yes | Yes (Art. 15 GDPR)

A notable quirk of Angolan law is the requirement to notify the APD before beginning any data processing. Under GDPR, this prior-notification model was dropped in favour of accountability and record-keeping. If you process Angolan visitors' cookie data, you may need to file a notification with the APD.

International Data Transfers

Transferring personal data collected in Angola to servers outside the country requires careful attention. If the receiving country does not offer an adequate level of protection (equivalent to Angolan standards), the transfer requires prior approval from the APD.

This matters for cookies because analytics platforms, advertising networks, and third-party scripts routinely send data to servers in the United States, Ireland, or elsewhere. If your site uses _ga (Google Analytics) or _fbp (Meta Pixel), the data generated from Angolan visitors may be transferred internationally, potentially triggering the APD's transfer rules.

The MAXAM enforcement case in 2024 - where a USD 150,000 fine was issued specifically for unauthorised data transfers - demonstrates that this is not a theoretical concern.

Compliance Checklist for Website Owners

If your website receives visitors from Angola, follow these practical steps to align with Law 22/11.

  • Audit your cookies - Run a cookie scan to identify every cookie your site sets, including those from third-party scripts

  • Classify cookies by purpose - Group them into categories: strictly necessary, analytics, marketing, and functional. Use a clear country-by-country approach if you serve multiple markets

  • Implement a consent banner - Display a cookie banner that requests express consent before non-essential cookies are set. Ensure the banner blocks scripts until consent is granted

  • Write a clear cookie policy - List each cookie by name, purpose, duration, and whether it involves international data transfers. Follow a proper cookie policy template

  • Consider APD notification - If you are established in Angola or specifically target Angolan users, determine whether you need to notify the APD of your data processing activities

  • Review international transfers - Identify which cookies send data outside Angola and assess whether APD approval is required

  • Keep consent records - Maintain a log of when and how consent was obtained, as the APD may request this during an investigation
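
The classify, block-until-consent, and record-keeping steps above can be checked mechanically against a cookie scan. The following is an added example, not code from this article or from any consent platform; the function names, the category map, and the sample scan are assumptions built from the cookies the article mentions.

```javascript
// Added example. Category assignments are assumptions; extend the map from your own scan.
const CATEGORIES = ["strictly_necessary", "functional", "analytics", "marketing"];
const COOKIE_CATEGORIES = new Map([
  ["PHPSESSID", "strictly_necessary"],
  ["_ga", "analytics"],
  ["_fbp", "marketing"],
]);

// Fail closed: a cookie missing from the inventory is never treated as necessary.
function categoryOf(name) {
  if (COOKIE_CATEGORIES.has(name)) return COOKIE_CATEGORIES.get(name);
  if (name.startsWith("_ga_")) return "analytics"; // GA4 per-property cookies
  return "unclassified";
}

// Express consent: only an explicit boolean true grants a category, so nothing
// is pre-ticked and each category is decided independently.
function newConsentRecord(visitorId, choices, now = new Date()) {
  const granted = {};
  for (const cat of CATEGORIES) {
    granted[cat] = cat === "strictly_necessary" || choices[cat] === true;
  }
  // Timestamp and method form the log entry kept for a later investigation.
  return { visitorId, granted, recordedAt: now.toISOString(), method: "banner" };
}

// Compare cookies observed in a scan with the visitor's record.
// A null record means the visitor has not answered the banner yet.
function auditCookies(observedNames, record) {
  const violations = [];
  for (const name of observedNames) {
    const category = categoryOf(name);
    if (category === "strictly_necessary") continue;
    if (category === "unclassified") {
      violations.push({ name, category, reason: "not in cookie inventory" });
    } else if (!record || record.granted[category] !== true) {
      violations.push({ name, category, reason: "set without consent" });
    }
  }
  return violations;
}

// Constructed sample scan: cookies seen on first page load, before any banner choice.
const observed = ["PHPSESSID", "_ga", "_ga_ABC123", "_fbp", "mystery_id"];
console.log(auditCookies(observed, null).map((v) => `${v.name}: ${v.reason}`));
```

Any entry returned for a scan taken before the banner is answered means a script is firing ahead of consent.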

Cookie Consent Across Lusophone and African Markets

Angola is one of several African nations with active data protection legislation. If your website targets multiple African markets, consider the regulatory landscape in neighbouring and culturally linked jurisdictions. Mozambique's data protection rules share some similarities given the shared Portuguese legal heritage. Nigeria's NDPR framework takes a different approach but also requires consent for cookie-based tracking.

South Africa's POPIA legislation is the most mature data protection framework on the continent and provides a useful benchmark. A consent management platform that supports geo-detection can help you apply the correct consent rules based on each visitor's location.

Upcoming Changes: The Draft Revision of Law 22/11

The APD submitted a draft revision of Law 22/11 for public consultation between March and April 2025. While the final text has not yet been published, this signals that Angola is actively modernising its data protection framework. Website owners should monitor developments, as the revised law may introduce new requirements around breach notification, cookie-specific rules, or adjusted penalty structures.

Frequently Asked Questions

Does Angola have a specific cookie law?

No. Angola does not have a cookie-specific regulation. Cookies are governed by the general personal data protection framework under Law 22/11 of 2011, which requires express consent for processing personal data.

Do I need a cookie banner for Angolan visitors?

Yes. Because Law 22/11 requires express consent before processing personal data, you should display a cookie banner that blocks non-essential cookies until the visitor provides consent.

What fines can the APD impose for cookie violations?

The APD can impose administrative fines ranging from approximately USD 65,000 to USD 150,000. In some cases involving multiple violations, fines have reached USD 170,000, as seen in the 2025 TAAG enforcement action.

Is Angola's data protection law similar to the GDPR?

Law 22/11 shares common principles with the GDPR, including consent requirements and data subject rights. Key differences include no DPO requirement, no mandatory breach notification, and a prior-notification model requiring APD approval before processing begins.

Can I transfer cookie data from Angola to servers abroad?

International transfers to countries without adequate data protection require prior APD approval. Since most analytics and advertising cookies send data to foreign servers, you should assess whether your cookie-related transfers comply with this requirement.

Does Law 22/11 apply to websites based outside Angola?

The law applies to the processing of personal data of individuals in Angola, regardless of where the data controller is established. If your website collects cookie data from Angolan visitors, Law 22/11 is relevant to your operations.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.