Ghana's Data Protection Act 2012 (Act 843) and Cookies
Ghana was among the first countries in West Africa to pass dedicated data protection legislation. The Data Protection Act 2012 (Act 843) established a legal framework for the collection, storage, and processing of personal data - and that framework applies to cookies set by your website when those cookies identify or track individual visitors.
Act 843 does not mention cookies by name. The law instead regulates "personal data", defined as any information about an identifiable individual. Cookies that store unique identifiers, track browsing behaviour, or link to user accounts fall squarely within this definition. Strictly necessary cookies that perform no tracking - such as PHPSESSID for session management - sit in a grey area, but analytics cookies like _ga and advertising cookies like _fbp clearly process personal data under the Act.
The Data Protection Commission (DPC) is the supervisory authority responsible for enforcing Act 843. It operates from Accra and maintains a public register of data controllers.
The Data Protection Commission and Enforcement
For years after Act 843 came into force, the DPC focused primarily on awareness campaigns and voluntary compliance. That era is ending. In January 2026, the DPC's Executive Director, Dr Arnold Kavaarpuo, formally announced that enforcement would begin in earnest, with unlawful data processing now carrying real legal and reputational consequences.
Throughout 2025, the DPC completed its largest nationwide awareness campaign, reaching an estimated 25 million people. It expanded the register of data controllers, conducted compliance audits across key sectors, and trained more than 800 data protection officers.
A new Data Protection Bill 2025 is also moving through parliament. If passed, it will repeal Act 843 and introduce significantly higher penalties, mandatory 72-hour breach notification, extraterritorial reach covering foreign entities that offer goods or services in Ghana, and an expanded definition of personal data explicitly covering IP addresses, cookies, and location data.
Consent Requirements Under Act 843
Section 17 of Act 843 sets out the conditions for lawful processing of personal data. Consent is the primary legal basis. For your cookie banner, this means visitors must give informed, voluntary agreement before non-essential cookies are placed on their devices.
Valid consent under Act 843 requires that the individual is told what data is collected, the purpose of collection, and whether the data will be shared with third parties. Pre-ticked checkboxes or implied consent through continued browsing do not meet this standard - a pattern consistent with GDPR cookie consent requirements.
Consent must be specific to each purpose. Bundling cookie consent with other terms of service is not acceptable.
What Cookies Require Consent?
The Act draws no explicit line between cookie categories, but the general data protection principles point to a clear division. Cookies that process personal data - analytics, advertising, social media embeds - require prior consent. Cookies that are strictly necessary for the technical operation of a requested service may be processed without consent under the "legitimate interest" exception in Section 17(b), though the DPC has not published specific guidance on this distinction.
If you are unsure which cookies your site sets, a free cookie scanner can identify and categorise them automatically.
Data Controller Registration
Section 27(1) of Act 843 requires every data controller intending to process personal data to register with the Data Protection Commission. This obligation applies to any organisation - Ghanaian or foreign - that collects personal data from individuals in Ghana, including through website cookies.
Registration must be renewed periodically, and renewal applications should be submitted at least three months before expiry. The DPC currently requires all registrants to appoint a certified data supervisor, even though this is not explicitly mandated by the Act itself. Failure to register before processing personal data is a criminal offence under Section 56.
Penalties and Fines
Act 843 imposes criminal penalties for non-compliance. The penalty structure is modest compared to regulations like the GDPR, but the consequences are real.
| Offence | Penalty Under Act 843 |
|---|---|
| Processing personal data without registration (Section 56) | Fine of up to 250 penalty units or up to 2 years imprisonment, or both |
| Failure to comply with an enforcement notice | Fine of up to 150 penalty units or up to 1 year imprisonment, or both |
| Unlawful disclosure of personal data | Fine or imprisonment of up to 4 years |
| Obstructing the Commission | Fine of up to 250 penalty units or up to 2 years imprisonment |
One penalty unit in Ghana is currently GHS 12, making the maximum fine for unregistered processing approximately GHS 3,000 (roughly USD 250). These figures are low by international standards. The proposed Data Protection Bill 2025 is expected to raise penalties substantially.
Ghana vs GDPR: Key Differences
If your website already complies with the GDPR, you are well positioned for Ghana - but the two frameworks are not identical.
| Aspect | Ghana (Act 843) | EU (GDPR) |
|---|---|---|
| Supervisory authority | Data Protection Commission | National DPAs (e.g. CNIL, ICO) |
| Consent standard | Informed, voluntary consent | Freely given, specific, informed, unambiguous |
| Data controller registration | Mandatory with DPC | Not required (record-keeping instead) |
| Breach notification | Not currently required (proposed in 2025 Bill) | 72 hours to supervisory authority |
| Right to be forgotten | Not explicitly provided | Article 17 GDPR |
| Maximum fine | 250 penalty units (approx. GHS 3,000) | EUR 20 million or 4% of global turnover |
| Extraterritorial scope | Limited (expanded in 2025 Bill) | Applies to any entity targeting EU residents |
The most notable gap is the absence of mandatory breach notification under Act 843. The 2025 Bill would close this gap by requiring notification within 72 hours - mirroring the GDPR approach.
Compliance Checklist for Website Owners
If your website has visitors from Ghana and sets cookies that process personal data, follow these steps to align with Act 843.
Registration and Documentation
- Register as a data controller with the Ghana Data Protection Commission if you process personal data of Ghanaian residents
- Appoint a certified data supervisor as required by the DPC
- Maintain a record of all personal data processing activities, including cookies
Cookie Banner and Consent
- Display a cookie banner to visitors from Ghana before setting non-essential cookies
- Block analytics and advertising scripts until consent is granted
- Provide a clear option to accept or decline each cookie category
- Store proof of consent for audit purposes
Privacy Policy
- Publish a cookie policy that lists every cookie, its purpose, its duration, and whether it shares data with third parties
- Write the policy in plain, accessible language
Cookie Consent Across Africa
Ghana is part of a broader wave of African data protection legislation. Nigeria's NDPR took a regulation-first approach, while Kenya's Data Protection Act 2019 closely mirrors the GDPR. South Africa's POPIA is the most mature enforcement regime on the continent. Uganda and Tanzania have both enacted their own data protection laws in recent years.
For websites with a pan-African audience, a country-by-country approach to consent is the safest strategy. Using geo-detection to display region-specific banners means you can tailor consent flows to each jurisdiction without over-blocking visitors from countries with lighter requirements.
Frequently Asked Questions
Does Ghana require cookie consent?
Ghana's Data Protection Act 2012 (Act 843) requires consent before processing personal data. Cookies that track, identify, or profile visitors - such as analytics and advertising cookies - fall under this requirement. Strictly necessary cookies may be exempt.
What is the Data Protection Commission in Ghana?
The Data Protection Commission (DPC) is the independent statutory body established under Act 843 to regulate personal data processing in Ghana. It maintains a register of data controllers, conducts audits, and has the power to issue enforcement notices and penalties.
What are the fines for data protection violations in Ghana?
Under Act 843, fines reach up to 250 penalty units (approximately GHS 3,000 or USD 250) and imprisonment of up to 2 years for processing without registration. The proposed Data Protection Bill 2025 is expected to introduce significantly higher penalties.
Do foreign websites need to comply with Ghana's data protection law?
Act 843 requires data controller registration for any entity processing personal data in Ghana. The proposed 2025 Bill explicitly extends jurisdiction to foreign organisations offering goods or services to individuals in Ghana, requiring them to appoint a local representative.
How does Ghana's data protection law compare to the GDPR?
Both require consent for personal data processing, but Ghana mandates data controller registration with the DPC, which the GDPR does not. Ghana's current penalties are much lower, and the law lacks mandatory breach notification - gaps the proposed 2025 Bill aims to close.
Is there a new data protection law coming in Ghana?
The Data Protection Bill 2025 is currently before parliament. It would repeal Act 843 and introduce higher fines, 72-hour breach notification, extraterritorial scope, and an expanded definition of personal data covering cookies, IP addresses, and biometric data.