The DRC's Data Protection Framework: The Digital Code
The Democratic Republic of Congo passed Ordinance-Law N°23/010 on 13 March 2023, known as the Digital Code (Code du Numérique). Title III of this law establishes the country's first dedicated data protection regime, covering personal data collection, processing, storage, and transfer.
Before the Digital Code, the DRC relied on Article 32 of its Constitution, which protects the right to privacy and prohibits arbitrary interference with private life, correspondence, and communications. The new law goes much further by setting out specific obligations for anyone processing personal data.
The Digital Code entered into force on the date of its promulgation. Several implementing decrees are still pending, and practical enforcement remains limited as of early 2026.
Does the DRC Have Cookie-Specific Rules?
No. The Digital Code does not contain provisions specifically addressing cookies, tracking technologies, or online behavioural advertising. There is no equivalent to the EU's ePrivacy Directive or Article 5(3)-style rules requiring consent before placing non-essential cookies on a user's device.
This does not mean cookies fall outside the law entirely. Cookies that collect personal data - identification data, correspondence details, browsing behaviour tied to an individual - trigger the Digital Code's general consent requirements. Analytics cookies like _ga or advertising trackers like _fbp that process personal data of DRC-based users are caught by the law's broad definition of personal data processing.
Consent Requirements Under the Digital Code
The Digital Code mandates prior and explicit consent from the data subject before personal data can be collected or processed. This mirrors the GDPR's approach in several respects.
Consent must be freely given, and the individual must be informed of the purpose of processing before agreeing. The law also grants data subjects the right to withdraw consent at any time, and organisations must be able to demonstrate that a withdrawal mechanism exists.
Exceptions apply where processing is necessary to fulfil a contractual obligation or a legal requirement. Strictly necessary cookies - such as PHPSESSID for session management - would likely fall under these exceptions, though no regulatory guidance has confirmed this interpretation.
Sensitive Data Gets Extra Protection
Processing sensitive data is prohibited as a general rule. This includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health information, or sex life. Exceptions exist for explicit consent, statistical analysis, and health-related processing.
If your website collects any sensitive data categories through cookies or forms targeting DRC users, the bar for lawful processing is significantly higher.
The Data Protection Authority: APD and ARPTIC
The Digital Code created the Autorité de Protection des Données (APD) as the dedicated supervisory body. A Prime Minister's decree is required to formalise the APD's structure, staffing, and operational powers. As of early 2026, this decree has not been issued, meaning the APD does not yet function as an independent regulator.
A Ministerial Decree dated 17 August 2024 temporarily transferred the APD's responsibilities to the ARPTIC (Autorité de Régulation des Postes, Télécommunications et Technologies de l'Information et de la Communication). ARPTIC now acts as the de facto data protection regulator, though legal practitioners have questioned whether this arrangement has a solid legal basis.
No enforcement actions related to cookie consent or data protection have been reported under either body.
Penalties for Non-Compliance
The Digital Code empowers the APD (currently ARPTIC) to impose administrative sanctions ranging from USD 3,000 to USD 70,000 for data protection breaches. The law also includes criminal penalties for certain offences related to electronic communications.
| Aspect | DRC Digital Code | EU GDPR |
|---|---|---|
| Primary law | Ordinance-Law N°23/010 (2023) | Regulation (EU) 2016/679 |
| Cookie-specific rules | None | ePrivacy Directive, Article 5(3) |
| Consent standard | Prior and explicit | Freely given, specific, informed, unambiguous |
| Data protection authority | APD (not yet operational); ARPTIC interim | National DPAs in each Member State |
| Maximum administrative fine | USD 70,000 | EUR 20 million or 4% of global turnover |
| Breach notification | Without delay to APD | 72 hours to supervisory authority |
| DPO requirement | Optional but recommended | Required in specific circumstances |
| Cross-border transfers | Requires equivalent protection or authorisation | Adequacy decisions, SCCs, BCRs |
Cross-Border Data Transfers
The Digital Code restricts transfers of personal data to countries that do not offer equivalent levels of data protection. Transfers require authorisation from the relevant authority, and the recipient country must demonstrate adequate safeguards.
The DRC ratified the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) in 2025, signalling a commitment to regional data protection standards. This ratification may influence how cross-border transfer rules are interpreted going forward.
Practical Compliance Checklist for Websites Targeting DRC Users
Given the absence of cookie-specific regulation and the APD's non-operational status, compliance in the DRC is best approached by treating the GDPR's cookie consent model as a baseline. This protects your website if the DRC tightens enforcement or adopts ePrivacy-style rules later.
Steps to Follow
Audit your cookies. Run a cookie scan to identify every cookie and tracker your site places on visitor devices. Classify each as strictly necessary, functional, analytics, or advertising.
Display a cookie banner. Show a clear cookie consent banner to DRC visitors. Block non-essential cookies until consent is given.
Obtain prior, explicit consent. The Digital Code requires consent before processing. Pre-ticked boxes or implied consent through continued browsing do not meet this standard.
Provide granular choices. Let visitors accept or reject cookie categories individually rather than offering only an all-or-nothing choice.
Enable easy withdrawal. Visitors must be able to change or withdraw their consent at any time without difficulty.
Maintain a cookie policy. Publish a cookie policy that lists every cookie by name, its purpose, its provider, and its retention period.
Keep consent records. Store proof of each visitor's consent decision to demonstrate compliance if questioned.
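The audit and blocking steps above can be checked mechanically. The following is an added example, not code from the original page or from any vendor: it takes a cookie jar snapshot captured before the visitor has made a consent choice, classifies each cookie, and reports everything that should not exist yet. The category table, the snapshot shape (name, domain, expires in Unix seconds with -1 for session cookies) and the sample data are assumptions made for illustration.

```javascript
// Added example: audit a cookie jar snapshot taken BEFORE the visitor has
// made any consent choice. The category table is a small constructed sample.
const CATEGORY_RULES = [
  { pattern: /^PHPSESSID$/, category: "strictly-necessary" },
  { pattern: /^_ga(_.+)?$/, category: "analytics" },
  { pattern: /^_fbp$/, category: "advertising" },
];

function classify(name) {
  const rule = CATEGORY_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unclassified";
}

// cookies: [{ name, domain, expires }] with expires in Unix seconds and
// -1 for session cookies (assumed export shape). capturedAt: Unix seconds.
function auditPreConsent(cookies, capturedAt) {
  const inventory = cookies.map((c) => ({
    name: c.name,
    domain: c.domain,
    category: classify(c.name),
    // Retention period for the cookie policy; null means session cookie.
    retentionDays:
      c.expires > 0 ? Math.ceil((c.expires - capturedAt) / 86400) : null,
  }));
  // Anything other than strictly necessary must not exist before consent.
  // Unclassified cookies are reported too: unknown is not the same as exempt.
  const violations = inventory.filter(
    (c) => c.category !== "strictly-necessary"
  );
  return { inventory, violations };
}

// Constructed sample snapshot (not taken from a real site).
const CAPTURED_AT = 1767225600; // 2026-01-01T00:00:00Z
const SAMPLE_JAR = [
  { name: "PHPSESSID", domain: "shop.example", expires: -1 },
  { name: "_ga", domain: ".shop.example", expires: CAPTURED_AT + 400 * 86400 },
  { name: "_fbp", domain: ".shop.example", expires: CAPTURED_AT + 90 * 86400 },
  { name: "promo_seen", domain: "shop.example", expires: CAPTURED_AT + 86400 },
];

const report = auditPreConsent(SAMPLE_JAR, CAPTURED_AT);
for (const v of report.violations) {
  console.log(`${v.name} (${v.category}) set before consent, ${v.retentionDays} days`);
}
```

Running the same audit again after a visitor rejects all optional categories should produce the same empty violation list as a correctly gated first visit.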
How DRC Rules Compare to Other African Countries
The DRC sits in the middle of a growing wave of African data protection legislation. Nigeria's NDPR has been in effect since 2019 and has seen active enforcement. Kenya's Data Protection Act 2019 established a functioning Data Commissioner. South Africa's POPIA is fully operational with an active Information Regulator.
By contrast, the DRC's Digital Code is newer and its supervisory body has not yet become fully operational. Websites operating across multiple African markets should consider adopting the strictest applicable standard across all target countries, which in practice means following a consent-first model.
Other African country guides in this series cover Ethiopia, Ghana, and Tanzania.
Frequently Asked Questions
Does the DRC have a cookie consent law?
The DRC does not have a cookie-specific law. The Digital Code (Law N°23/010 of 2023) covers personal data protection broadly, requiring prior and explicit consent for data processing, which applies to cookies that collect personal data.
Do I need a cookie banner for visitors from the DRC?
If your cookies collect personal data from DRC-based visitors, the Digital Code's consent requirements apply. A cookie banner that blocks non-essential cookies until consent is given is the safest approach.
What is the DRC's data protection authority?
The Digital Code created the Autorité de Protection des Données (APD), but it is not yet operational. Since August 2024, ARPTIC has temporarily taken over data protection oversight duties.
What are the fines for data protection breaches in the DRC?
Administrative sanctions under the Digital Code range from USD 3,000 to USD 70,000. Criminal penalties also apply for certain electronic communications offences.
Should I follow GDPR rules for DRC visitors?
Using the GDPR as a baseline is a sound strategy. The DRC's consent requirements are similar in principle, and adopting a GDPR-compliant approach ensures you are prepared if enforcement tightens or new regulations are introduced.
Can I transfer personal data out of the DRC?
Cross-border transfers require that the receiving country provides equivalent data protection standards. Authorisation from the data protection authority is needed, though practical enforcement of this rule is limited while the APD remains non-operational.