Cameroon's Data Protection Framework: From Law 2010/012 to Law 2024/017
Cameroon passed its first privacy-related legislation in 2010. Law No. 2010/012 of 21 December 2010 addressed cybersecurity and cybercrime, including some provisions on electronic communications and personal data. That law was limited in scope and lacked a dedicated supervisory authority with real enforcement teeth.
On 23 December 2024, Cameroon became one of the latest African nations to adopt a comprehensive data protection law. Law No. 2024/017 Relating to Personal Data Protection brought Cameroon in line with international standards. The law covers data processing principles, consent requirements, data subject rights, cross-border transfers, and penalties for non-compliance.
An 18-month grace period means enforcement begins in June 2026. If your website collects data from visitors in Cameroon, the time to prepare is now.
Who Does Law 2024/017 Apply To?
The law applies to any person or organisation that processes personal data belonging to individuals established in, residing in, or transiting through Cameroon. This extraterritorial reach mirrors the approach taken by the GDPR and means that a website hosted outside Cameroon but targeting Cameroonian users must still comply.
Personal data under the law includes any information that can identify a natural person, directly or indirectly. Cookies that store device identifiers, IP addresses, or browsing behaviour fall squarely within this definition.
Cookie Consent Requirements Under the New Law
Law 2024/017 mandates that consent for personal data processing must be explicit, informed, and provided on an opt-in basis. Unlike some frameworks that allow a legitimate interest exception, Cameroon's law does not permit legitimate interest as a blanket alternative to consent for data collection through cookies or similar tracking technologies.
This means your cookie consent banner must meet several conditions:
Consent must be collected before any non-essential cookies are set
Visitors must receive clear information about what data is collected and why
Withdrawing consent must be as straightforward as granting it
Pre-ticked boxes or implied consent through continued browsing do not qualify
Strictly necessary cookies - such as PHPSESSID for session management or pll_language for language preferences - may be exempt, as they are required for the basic functioning of a website. Analytics cookies like _ga and marketing cookies like _fbp require prior consent.
The Personal Data Protection Authority
Law 2024/017 establishes a new supervisory body: the Personal Data Protection Authority (Autorite de protection des donnees a caractere personnel, or APDP). This authority replaces the older National Commission for Personal Data Protection and receives broader powers.
The APDP is responsible for:
Regulating data protection practices across Cameroon
Investigating complaints from data subjects
Conducting audits and inspections
Issuing binding decisions and sanctions
Approving cross-border data transfers
As of early 2026, the APDP is still being operationalised. Organisations should not treat this as a reason to delay compliance - the enforcement deadline of June 2026 is firm.
Penalties for Non-Compliance
The sanctions regime under Law 2024/017 is severe by regional standards. Sections 54 to 71 of the law set out a range of administrative, civil, and criminal penalties.
| Violation Type | Penalty |
|---|---|
| Processing without valid consent | Administrative fines up to 1 billion CFA francs (approx. EUR 1.5 million) |
| Failure to secure personal data | Criminal fines and up to 10 years imprisonment |
| Unauthorised cross-border data transfer | Joint liability for sender and recipient; administrative and criminal sanctions |
| Obstructing APDP investigations | Criminal penalties including imprisonment |
| Failure to notify data breaches | Administrative sanctions from the APDP |
Personal liability for executives is a notable feature. Directors and officers can face individual fines and prison sentences, not just the organisation itself.
How Cameroon Compares to the GDPR and Other African Laws
Cameroon's law draws heavily from European models but includes some distinct provisions. The table below highlights the key differences.
| Feature | Cameroon (Law 2024/017) | GDPR (EU) | Nigeria (NDPR/NDPA) |
|---|---|---|---|
| Consent basis | Opt-in; no legitimate interest exception for consent | Opt-in; legitimate interest available | Opt-in; legitimate interest available |
| Supervisory authority | APDP (being established) | National DPAs (established) | NDPC (operational) |
| Maximum fine | 1 billion CFA francs | EUR 20 million or 4% global turnover | 2% annual gross revenue or NGN 10 million |
| Criminal penalties | Up to 10 years imprisonment | Varies by member state | Limited |
| Cross-border transfers | Requires APDP approval | Adequacy decisions or SCCs | Requires adequate safeguards |
| Grace period | 18 months (until June 2026) | 2 years (completed May 2018) | Already enforceable |
Compared to neighbouring countries, Cameroon's criminal penalties are among the strictest in Africa. Ghana's Data Protection Act 2012 and Kenya's Data Protection Act 2019 also include criminal provisions, but Cameroon's 10-year imprisonment ceiling stands out.
Compliance Checklist for Website Operators
If your website receives traffic from Cameroon, take these steps before the June 2026 deadline:
Audit your cookies - Run a cookie scan to identify every cookie and tracker on your site, including third-party scripts from analytics and advertising platforms.
Categorise cookies properly - Separate cookies into strictly necessary, functional, analytics, and marketing categories. Only strictly necessary cookies may load without consent.
Implement an opt-in consent banner - Your banner must block non-essential cookies until the visitor actively consents. A simple dismiss button or "continue browsing" does not count as valid consent.
Provide clear disclosure - Your cookie policy should list each cookie by name, its purpose, its provider, and its retention period.
Enable easy withdrawal - Visitors must be able to change or revoke their consent at any time without navigating through multiple menus.
Secure cross-border transfers - If you transfer personal data outside Cameroon, ensure you have the necessary APDP approval or contractual safeguards in place.
Keep consent records - Maintain logs of when and how consent was obtained. This evidence is critical if the APDP investigates a complaint.
Cross-Border Data Transfers
Law 2024/017 imposes strict rules on transferring personal data outside Cameroon. Both the sender and the recipient can be held jointly liable for violations, which creates shared risk for international businesses using cloud services or analytics platforms hosted abroad.
Transfers require either prior authorisation from the APDP or adequate contractual safeguards. Organisations already familiar with GDPR Standard Contractual Clauses will recognise the concept, though Cameroon's specific requirements may differ in detail once the APDP publishes its implementing guidelines.
For websites relying on tools like Google Analytics, Meta Pixel, or other services that send data to servers outside Cameroon, obtaining valid consent before these scripts fire is the first line of defence. A consent management platform with geo-detection can apply Cameroon-specific rules to visitors from that jurisdiction.
Frequently Asked Questions
Does Cameroon require cookie consent for all websites?
Law 2024/017 requires consent for processing personal data of individuals in Cameroon. Since non-essential cookies collect personal data such as device identifiers and browsing behaviour, websites targeting Cameroonian users need cookie consent. Strictly necessary cookies for basic site functionality are the exception.
When does Cameroon's data protection law become enforceable?
Law 2024/017 was enacted on 23 December 2024 with an 18-month grace period. Enforcement begins in June 2026, after which sanctions apply to non-compliant organisations.
What is the maximum fine under Cameroon's data protection law?
Administrative fines can reach 1 billion CFA francs, which is approximately EUR 1.5 million. Criminal penalties include imprisonment of up to 10 years for serious violations, and executives may face personal liability.
Can I transfer personal data from Cameroon to another country?
Cross-border transfers are permitted but require prior authorisation from the Personal Data Protection Authority (APDP) or adequate contractual safeguards. Both the sender and recipient are jointly liable for any violations during the transfer.
How does Cameroon's law compare to the GDPR?
Cameroon's law shares many features with the GDPR, including opt-in consent, data subject rights, and breach notification. A key difference is that Cameroon does not recognise legitimate interest as an exception to the consent requirement, and it includes criminal penalties of up to 10 years imprisonment.
Do I need a cookie banner if my website is not hosted in Cameroon?
Yes. The law has extraterritorial scope and applies to any processing of data belonging to persons in Cameroon, regardless of where the website or server is located.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Cameroon's new data protection law.
