Bangladesh Finally Has a Data Protection Law

Bangladesh enacted the Personal Data Protection Ordinance (PDPO) in November 2025, marking the country's first comprehensive data protection legislation. Before the PDPO, Bangladesh had no standalone privacy law governing personal data. The Cyber Security Act 2023 (which replaced the Digital Security Act 2018) addressed identity information theft but said nothing about cookies, consent banners, or lawful processing of personal data.

The PDPO changes that. It establishes consent as the primary lawful basis for processing personal data, creates a National Data Governance Authority (NDGA) to enforce the rules, and introduces fines of up to 5% of annual turnover for serious violations.

If your website targets visitors in Bangladesh or processes personal data of Bangladeshi individuals, you need to understand what the PDPO requires.

What the PDPO 2025 Covers

The PDPO borrows heavily from European data protection models. It classifies organisations that determine the purpose and means of processing as "data fiduciaries" (equivalent to GDPR data controllers) and those processing on their behalf as "data processors."

Article 5 of the PDPO establishes that consent must be voluntary, specific, explicit, and revocable. This applies to any collection of personal data, which includes information gathered through cookies and similar tracking technologies. The ordinance also introduces stricter rules for sensitive personal data and cross-border transfers.

The law applies extraterritorially. Any processing related to Bangladeshi individuals falls within scope, regardless of where the processing takes place.

Cookie-Specific Rules Under the PDPO

The PDPO does not mention cookies by name. There is no equivalent of the EU's ePrivacy Directive that specifically regulates the storage of information on a user's device.

Cookies do, however, collect personal data. A tracking cookie like _ga or _fbp generates a unique identifier tied to a visitor's browsing behaviour, and that qualifies as personal data under the PDPO. Functional cookies such as PHPSESSID or pll_language that store session or preference data may also fall within scope if they can be linked to an identifiable individual.

Because the PDPO requires explicit consent before processing personal data, the safest approach is to treat non-essential cookies as requiring prior consent. Strictly necessary cookies (those required for the website to function) can arguably fall under the contractual necessity exemption, but analytics and advertising cookies need a cookie banner with a clear opt-in mechanism.

The National Data Governance Authority

The NDGA will serve as Bangladesh's data protection authority. It will have powers to register and classify data fiduciaries, conduct audits, investigate complaints, and impose penalties.

The authority is not yet operational. Sections covering the Chief Data Officer appointment and the complaint, investigation, and penalty procedures will not activate until approximately May 2027 (18 months after the gazette notification). Until then, enforcement remains limited.

This does not mean you should wait. Organisations that build compliant data practices now will avoid the rush when enforcement begins. The GDPR taught a similar lesson - companies that prepared early faced far fewer disruptions.

Penalties and Enforcement

The PDPO introduces both criminal and administrative penalties.

| Violation type | Penalty |
| --- | --- |
| General non-compliance | Administrative fine of 1-2% of annual turnover |
| Significant data fiduciary violations | Administrative fine of 2-5% of annual turnover |
| Unauthorised collection, use, or disclosure of personal data | Up to 7 years imprisonment and/or BDT 20,000,000 fine |
| Non-compliance with NDGA or court orders | Criminal liability for responsible officers |

Corporate bodies are not exempt. If an offence is committed by a company, directors, managers, or responsible officers face personal liability unless they can demonstrate due diligence.

How the PDPO Compares to GDPR

The PDPO shares structural similarities with the GDPR but differs in several key areas.

| Feature | Bangladesh PDPO 2025 | EU GDPR |
| --- | --- | --- |
| Consent standard | Voluntary, specific, explicit, revocable | Freely given, specific, informed, unambiguous |
| Cookie-specific rules | None (general consent rules apply) | ePrivacy Directive addresses cookies directly |
| Maximum fine | Up to 5% of annual turnover | Up to 4% of global annual turnover or EUR 20 million |
| Criminal penalties | Up to 7 years imprisonment | Left to EU member states |
| Data protection authority | NDGA (not yet operational) | National DPAs in each member state |
| Extraterritorial scope | Yes | Yes |
| Right to erasure | Yes | Yes |
| Data breach notification | Required | 72 hours to DPA |

The PDPO's criminal penalties are notably harsher than the GDPR's approach, which focuses on administrative fines. The inclusion of imprisonment as a sanction reflects the Bangladeshi legislature's emphasis on deterrence. Broad exemptions for law enforcement and intelligence agencies have drawn criticism from privacy advocates, a gap the GDPR addresses more carefully through its restrictions on government surveillance.

Practical Compliance Checklist for Website Owners

Audit Your Cookies

Run a cookie scan to identify every cookie your website sets. Classify each one as strictly necessary, functional, analytics, or advertising. You cannot manage consent for cookies you do not know about.

Implement a Consent Banner

Display a cookie consent banner that loads before any non-essential cookies fire. The banner should offer granular choices - not just "accept all" - and allow visitors to decline tracking without penalty. Pre-ticked boxes do not constitute valid consent under the PDPO's explicit consent standard.

Maintain a Cookie Policy

Publish a cookie policy that lists every cookie by name, its purpose, duration, and whether it is first-party or third-party. Link to this policy from your consent banner.

Respect Consent Choices

Block analytics scripts like Google Analytics and advertising pixels like Meta Pixel until the visitor grants consent. Use a consent management platform that integrates with Google Consent Mode v2 to handle tag firing based on consent state.

Record and Store Consent

Keep a log of each visitor's consent decision, including what was consented to and when. The PDPO's requirement that consent be revocable means you must also provide a way for visitors to withdraw consent at any time.

Review Cross-Border Transfers

If you use third-party services that transfer data outside Bangladesh (most analytics and advertising tools do), assess whether those transfers comply with the PDPO's cross-border data transfer provisions.
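One way to implement the banner-side logic behind the checklist above (opt-in gating, a consent log, withdrawal, and the Consent Mode v2 hand-off), written as an added example that is not from the original page or from Kukie.io. The category names, the two gated tags and the store itself are assumptions for illustration; only the Consent Mode parameter names are gtag's own.

```javascript
// Non-essential categories. Under the PDPO's explicit-consent standard they
// all start as denied; nothing is pre-ticked or inferred.
const CATEGORIES = ['functional', 'analytics', 'advertising'];

// Tags the banner holds back until their category is granted (constructed sample).
const GATED_TAGS = [
  { name: 'Google Analytics (_ga)', category: 'analytics' },
  { name: 'Meta Pixel (_fbp)', category: 'advertising' },
];

// `now` is injectable so the audit log can be tested deterministically.
function createConsentStore(now = () => new Date().toISOString()) {
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const log = []; // audit trail: what was consented to, and when

  function record(changes, action) {
    for (const [category, granted] of Object.entries(changes)) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      // Only an explicit boolean counts as a decision; truthy strings are rejected.
      if (typeof granted !== 'boolean') throw new Error('consent must be an explicit boolean');
      state[category] = granted;
    }
    log.push({ at: now(), action, granted: CATEGORIES.filter((c) => state[c]) });
  }

  return {
    // Granular choices from the banner, e.g. grant({ analytics: true }).
    grant: (changes) => record(changes, 'grant'),
    // Revocable consent: withdrawing resets every non-essential category to denied.
    withdraw: () => record(Object.fromEntries(CATEGORIES.map((c) => [c, false])), 'withdraw'),
    isGranted: (category) => state[category] === true,
    // Tags that may fire under the current state; everything else stays blocked.
    allowedTags: () => GATED_TAGS.filter((t) => state[t.category]).map((t) => t.name),
    // Consent Mode v2 signal derived from stored state. On the page you would
    // pass this object to gtag('consent', 'update', ...) after each decision.
    consentModeUpdate: () => ({
      analytics_storage: state.analytics ? 'granted' : 'denied',
      ad_storage: state.advertising ? 'granted' : 'denied',
      ad_user_data: state.advertising ? 'granted' : 'denied',
      ad_personalization: state.advertising ? 'granted' : 'denied',
    }),
    // Copy of the log, suitable for persisting as the visitor's consent record.
    history: () => log.slice(),
  };
}
```

Injecting the gated `<script>` tags once `allowedTags()` lists them is left to the page, since it depends on how each tag is loaded.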

Why GDPR Compliance Is a Strong Baseline

The NDGA has not yet issued cookie-specific guidance. Until it does, treating GDPR cookie consent requirements as your baseline is a practical strategy. The GDPR's consent standard is well-documented, widely understood, and at least as strict as the PDPO's requirements.

A website that already complies with GDPR consent rules - prior opt-in for non-essential cookies, granular category choices, easy withdrawal - will almost certainly satisfy the PDPO as well. The reverse is not guaranteed, particularly because the GDPR benefits from years of regulatory guidance and case law that the PDPO lacks.

If your site serves visitors across multiple jurisdictions, a geo-targeted cookie banner that applies the strictest applicable standard per region is the most efficient approach.

Frequently Asked Questions

Does Bangladesh have a cookie consent law?

Bangladesh does not have a cookie-specific law. The Personal Data Protection Ordinance 2025 requires explicit consent for processing personal data, which includes data collected through tracking cookies like _ga and _fbp.

When does the Bangladesh PDPO take effect?

The PDPO was enacted in November 2025. Some provisions are already in force, but enforcement mechanisms and the complaint and penalty procedures will not activate until approximately May 2027.

What are the penalties for non-compliance with the PDPO?

Administrative fines range from 1-2% of annual turnover for general violations to 2-5% for significant data fiduciaries. Criminal penalties include up to seven years of imprisonment and fines of up to BDT 20,000,000.

Do I need a cookie banner for a website targeting Bangladesh?

Yes. If your website uses non-essential cookies that collect personal data from Bangladeshi visitors, the PDPO's consent requirements mean you should display a cookie banner with an opt-in mechanism before those cookies fire.

Is the Bangladesh PDPO similar to GDPR?

The PDPO shares several features with the GDPR, including explicit consent requirements, extraterritorial scope, and data subject rights. Key differences include harsher criminal penalties and broader government exemptions in the PDPO.

What is the National Data Governance Authority?

The NDGA is Bangladesh's new data protection authority established under the PDPO. It will register data fiduciaries, conduct audits, and impose penalties. It is expected to become fully operational by mid-2027.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
