Egypt's Personal Data Protection Law: The Basics
Egypt's Personal Data Protection Law (PDPL), officially Law No. 151 of 2020, is the country's first dedicated privacy statute. Published in the Official Gazette on 15 July 2020 and entering into force on 17 October 2020, the law sat largely dormant for five years while the government worked on its executive regulations.
Those regulations arrived on 1 November 2025, issued under Ministerial Decree No. 816 of 2025. A 12-month grace period gives organisations until 31 October 2026 to bring their data processing activities into full compliance.
The PDPL applies to any processing of personal data belonging to individuals in Egypt, regardless of where the data controller or processor is located. That means a website based in Europe or North America that collects data from Egyptian visitors falls within scope.
The Personal Data Protection Centre (PDPC)
The PDPL establishes the Personal Data Protection Centre (PDPC) as the supervisory authority. It operates under the Ministry of Communications and Information Technology and holds responsibility for licensing, monitoring, investigating complaints, and enforcing the law.
The PDPC has the power to inspect data controllers, issue warnings, restrict processing activities, and impose administrative fines. It also manages a licensing regime: data controllers and processors must obtain licences or permits before carrying out certain activities, including cross-border data transfers and electronic direct marketing.
As of early 2026, the PDPC has not yet published public enforcement decisions or formal guidance documents on cookies specifically. Practical enforcement is expected to ramp up as the October 2026 compliance deadline approaches.
How the PDPL Applies to Cookies and Tracking Technologies
The PDPL does not contain a standalone "cookie law" in the way the EU's ePrivacy Directive does. Instead, cookies fall under the law's general rules on personal data processing.
Cookies and similar tracking technologies - including SDKs, device identifiers, and pixels - are treated as personal data processing whenever they can identify or be linked to an individual. A cookie like _ga that assigns a unique client ID, or _fbp that tracks browsing behaviour for advertising, clearly falls into this category.
Strictly necessary cookies that are essential for basic website functionality (session cookies like PHPSESSID, or language preference cookies like pll_language) may not require consent where they do not process personal data in a way that identifies individuals. The executive regulations do not create a blanket exemption, so the safest approach is to document and categorise every cookie your site sets.
Consent Requirements Under Egyptian Law
Article 2 of the PDPL requires that personal data processing be based on the data subject's explicit, prior consent. The executive regulations reinforce this with specific criteria for valid consent:
- Freely given - the data subject must have a genuine choice, with no bundling of consent with access to a service
- Specific - consent must relate to a defined purpose, not a blanket agreement
- Informed - the individual must know what data is collected, why, and by whom
- Unambiguous - consent must be given through a clear affirmative action
Dark patterns and misleading consent interfaces are explicitly addressed. Consent obtained through deceptive design is invalid under the regulations. Pre-ticked checkboxes, confusing toggle states, or banners that make rejection harder than acceptance would all undermine the validity of consent.
Data subjects also have the right to withdraw consent at any time. Your cookie banner must provide a mechanism for visitors to change their preferences after their initial choice.
Penalties and Fines
The PDPL carries both administrative and criminal penalties. The fine structure varies depending on the type of violation:
| Violation | Fine (EGP) | Additional Penalties |
|---|---|---|
| Processing personal data without consent, causing harm | 200,000 - 2,000,000 | Imprisonment of at least 6 months |
| Unauthorised disclosure of personal data | 100,000 - 1,000,000 | Possible imprisonment |
| Unlicensed or unauthorised processing activities | 500,000 - 5,000,000 | Administrative sanctions |
| Failure to comply with PDPC orders | 300,000 - 3,000,000 | Licence suspension or revocation |
At current exchange rates, the maximum fine of EGP 5,000,000 is roughly equivalent to USD 100,000. While modest compared to GDPR fines, the criminal liability provisions set Egypt's law apart from many other data protection frameworks.
How Egypt's PDPL Compares to GDPR
The PDPL borrows heavily from GDPR principles, but several differences are worth noting for website operators who already comply with European rules.
| Aspect | Egypt PDPL | EU GDPR |
|---|---|---|
| Consent standard | Explicit, prior consent required | Explicit consent for special categories; legitimate interest available for some processing |
| Supervisory authority | PDPC (under Ministry of ICT) | Independent DPAs in each member state |
| Licensing requirement | Mandatory licences for controllers and processors | No licensing; registration with DPA in some states |
| Criminal penalties | Imprisonment for certain violations | Administrative fines only (criminal penalties vary by member state) |
| Maximum fine | EGP 5,000,000 (approx. USD 100,000) | EUR 20,000,000 or 4% of global turnover |
| Cross-border transfers | Requires PDPC licence | Adequacy decisions, SCCs, BCRs |
| Cookie-specific rules | No standalone cookie regulation | ePrivacy Directive supplements GDPR |
The licensing requirement is the most significant practical difference. If your organisation processes data of Egyptian residents, you may need to register with and obtain a licence from the PDPC - a step that has no direct equivalent under GDPR.
Practical Compliance Checklist for Cookie Consent
With the October 2026 enforcement deadline approaching, here is what you should do if your website serves visitors in Egypt:
Audit Your Cookies
Run a full cookie scan to identify every cookie and tracker on your site. Classify each one by purpose: strictly necessary, functional, analytics, or marketing. You cannot obtain meaningful consent if you do not know what your site actually sets.
Implement a Consent Mechanism
Deploy a consent management platform that blocks non-essential cookies until the visitor makes an active choice. The banner should clearly list cookie categories, explain what each category does, and offer equally prominent accept and reject options.
Ensure Withdrawal Is Easy
Egyptian law requires that consent be revocable. Add a persistent link or icon (often a small shield or cookie icon) that lets visitors reopen the consent dialogue at any time.
Draft a Cookie Policy
Your cookie policy should list every cookie by name, state its purpose, identify the provider, and specify its expiry. The policy must be available in a language the data subject understands - for an Egyptian audience, Arabic is strongly advisable.
Consider Licensing Obligations
Check whether your organisation's activities trigger the PDPC licensing requirement. Cross-border data transfers and direct marketing activities both require separate permits.
Document Consent Records
Keep records of when, how, and what each visitor consented to. This is essential for demonstrating compliance if the PDPC investigates.
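The audit, blocking and record-keeping steps above can be checked with a short script. This is an added example, not part of the original article or any vendor's code: it parses `Set-Cookie` headers, classifies each cookie, and reports those set without matching consent. The catalogue, the sample headers, the `promo_id` cookie, all function names, and the treatment of the "necessary" category as exempt are assumptions made for illustration.

```javascript
// Constructed catalogue built from the cookie names this article mentions;
// a real one comes from your own cookie scan.
const CATALOGUE = {
  PHPSESSID: "necessary",
  pll_language: "necessary",
  _ga: "analytics",
  _fbp: "marketing",
};

// Constructed sample: Set-Cookie headers captured on a first page load.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "pll_language=ar; Path=/; Max-Age=31536000",
  "_ga=GA1.1.111.222; Path=/; Max-Age=63072000",
  "_fbp=fb.1.111.222; Path=/; Max-Age=7776000",
  "promo_id=42; Path=/",
];

// Parse one Set-Cookie value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Consent record: when, how, and what the visitor agreed to.
function makeConsentRecord(granted, method, when = new Date()) {
  return { timestamp: when.toISOString(), method, granted: [...granted].sort() };
}

// List cookies that should not have been set under the given record.
// A null record means the visitor has not made a choice yet.
function auditCookies(headers, record) {
  const granted = new Set(record ? record.granted : []);
  const findings = [];
  for (const h of headers) {
    const { name, attrs } = parseSetCookie(h);
    const known = Object.prototype.hasOwnProperty.call(CATALOGUE, name);
    const category = known ? CATALOGUE[name] : "unclassified";
    if (category === "necessary" || granted.has(category)) continue;
    findings.push({ name, category, expiry: attrs["max-age"] || attrs.expires || "session" });
  }
  return findings;
}
```

Calling `auditCookies(SAMPLE_HEADERS, null)` models a first visit before any choice is made; unclassified cookies are reported alongside analytics and marketing ones so that nothing escapes the cookie policy.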
Regional Context: Cookie Consent Across Africa and the Middle East
Egypt is part of a growing wave of African and Middle Eastern countries adopting formal data protection legislation. Nigeria's NDPR has been in force since 2019, Kenya's Data Protection Act since 2019, and Saudi Arabia's PDPL took effect in 2023.
If your website attracts traffic from multiple countries in the region, a geo-targeted approach to consent is the most practical solution. Showing a compliant banner to Egyptian visitors while applying different rules for visitors from Morocco or Turkey avoids both over-blocking and under-compliance.
Kukie.io supports region-based rules that detect a visitor's location and apply the appropriate consent configuration automatically.
Frequently Asked Questions
Does Egypt require cookie consent?
Yes. Under Law No. 151 of 2020 and its executive regulations, any processing of personal data - including through cookies and tracking technologies - requires the data subject's explicit, prior consent. Strictly necessary cookies may be exempt if they do not identify individuals.
When does Egypt's data protection law take full effect?
The executive regulations were issued on 1 November 2025 with a 12-month grace period. Full enforcement by the Personal Data Protection Centre begins on 31 October 2026.
What is the maximum fine under Egypt's PDPL?
Administrative fines range from EGP 100,000 to EGP 5,000,000 depending on the violation. Certain offences also carry criminal penalties, including imprisonment of at least six months.
Does Egypt's privacy law apply to websites outside Egypt?
Yes. The PDPL applies to any entity processing personal data of individuals in Egypt, regardless of where the entity is based. A website hosted in Europe that collects cookies from Egyptian visitors is within scope.
How does Egypt's PDPL compare to GDPR?
Both require explicit consent for data processing and grant data subjects rights of access, correction, and erasure. Key differences include Egypt's mandatory licensing regime for data controllers and criminal penalties for certain violations.
Do I need a cookie banner for Egyptian visitors?
Yes. A cookie banner that blocks non-essential cookies until the visitor gives consent is the most practical way to meet the PDPL's requirements. The banner should offer clear accept and reject options with no dark patterns.