Iran's Privacy Framework: No Single Law, Multiple Sources

Iran does not have a comprehensive, standalone data protection law comparable to the GDPR or similar frameworks found in the EU. Personal data protection rules are instead scattered across several pieces of legislation, executive orders, and constitutional principles.

The most relevant instruments for website operators are the Electronic Commerce Law of 2003 (sometimes referenced as 2004, the year it took effect), the Computer Crimes Law of 2009, and the non-binding Charter of Citizens' Rights issued in December 2016. Each addresses aspects of data handling, but none provides the kind of cookie-specific regulation familiar in European jurisdictions.

A draft Personal Data Protection and Safeguarding Act has been under discussion since 2019, though it has not yet been enacted. Until that bill passes, the Electronic Commerce Law remains the primary statute with provisions on personal data consent.

The Electronic Commerce Law: Articles 58 and 59

Articles 58 through 61 of the Electronic Commerce Law form the core of Iran's data protection provisions. They apply specifically to electronic transactions and online data processing.

Article 58 prohibits the storage, processing, or distribution of data messages that reveal ethnic origins, religious beliefs, moral characteristics, or information about a person's physical, psychological, or sexual condition - unless the individual provides explicit consent. Violations carry a sentence of one to three years' imprisonment.

This makes Article 58 roughly analogous to the concept of "special categories" of personal data under the GDPR, though its scope is narrower and tied only to electronic commerce contexts.

Article 59 sets out conditions for processing general personal data. It requires the data subject's consent and stipulates that the purposes of data collection must be specified and clearly described. Data may only be collected to the extent necessary for those stated purposes. This principle of purpose limitation mirrors international data protection norms, though it lacks the detailed implementation guidance found in EU regulations.

What This Means for Cookies

The Electronic Commerce Law does not mention cookies by name. Cookies such as _ga, _fbp, or advertising trackers that collect personal data in the context of e-commerce transactions fall within the scope of Articles 58 and 59. The law's consent requirements apply when personal data is being stored or processed electronically.

Strictly technical cookies like PHPSESSID or pll_language that do not process personal data arguably fall outside these provisions. The ambiguity, however, means there is no authoritative guidance on where the line sits.

The Computer Crimes Law of 2009

The Computer Crimes Law addresses unauthorised access to data and computer systems. It criminalises the interception of confidential data transmitted through computer or telecommunications systems without authorisation.

While this law does not regulate cookies directly, it creates a legal risk for any data collection mechanism - including cookies - that intercepts or accesses personal information without proper grounds. Penalties include imprisonment and fines, though enforcement has focused primarily on content-related offences rather than commercial data collection practices.

Charter of Citizens' Rights and Constitutional Principles

Article 37 of the Charter of Citizens' Rights, issued by presidential decree in 2016, states that online privacy should be respected. The Charter also affirms citizens' rights to data protection and confidentiality of communications.

This document is non-binding. It has not been implemented through enforceable secondary legislation, and Iranian courts have not used it as a basis for data protection rulings. It does, however, signal a policy direction toward recognising digital privacy rights.

The Iranian Constitution (Article 25) protects the confidentiality of correspondence and communications, which some legal scholars interpret as extending to electronic communications. This constitutional provision has not been tested in the context of website cookies.

Regulatory Bodies and Enforcement

Iran does not have a dedicated data protection authority. Oversight responsibilities are divided among several bodies.

Body | Role | Relevance to Cookies
Ministry of ICT | Telecommunications and internet policy | General oversight of online services
FATA (Cyber Police) | Cybercrime investigation and enforcement | Investigates unauthorised data access
Judiciary (Criminal Courts) | Prosecutes violations of the Electronic Commerce Law and Computer Crimes Law | Handles criminal complaints under Articles 58-59
Supreme Council of Cyberspace | Sets national cyberspace policy | Broad policy direction, not direct enforcement

FATA, formally known as the Police for the Sphere of the Production and Exchange of Information, was established in 2011. Its enforcement focus has centred on content regulation and cybercrime rather than commercial cookie compliance. No publicly reported enforcement actions have targeted website cookie practices specifically.

The absence of a specialist regulator means that cookie-related complaints have no clear administrative channel. Any action would need to proceed through the criminal courts under the Electronic Commerce Law.

How Iran's Rules Compare to the GDPR

The differences between Iran's framework and the GDPR are substantial.

Aspect | Iran | GDPR/ePrivacy Directive
Dedicated privacy law | No (fragmented provisions) | Yes (comprehensive regulation)
Cookie-specific rules | None | Article 5(3) ePrivacy Directive
Consent requirement | Required for personal data in e-commerce (Art. 59) | Required for non-essential cookies
Data protection authority | None | Independent DPA in each member state
Cookie banner requirement | Not mandated | Effectively required
Fines for non-compliance | Criminal penalties (1-3 years imprisonment) | Administrative fines up to EUR 20 million or 4% turnover
Extraterritorial scope | Limited to domestic e-commerce | Applies to any site targeting EU residents

One notable difference is the enforcement mechanism. Iran relies on criminal prosecution rather than administrative fines, which creates a higher threshold for action but, in theory, more severe consequences. In practice, enforcement against websites for data collection violations is extremely rare.

Practical Compliance Checklist for Website Operators

If your website targets users in Iran or processes data from Iranian visitors, the following steps help reduce legal risk.

  • Audit your cookies - identify every cookie your site sets, including third-party trackers. A cookie scanning tool can automate this process and categorise cookies by purpose.

  • Obtain consent for personal data collection - Articles 58 and 59 of the Electronic Commerce Law require consent before processing personal data electronically. A cookie banner that collects opt-in consent for analytics and marketing cookies addresses this requirement.

  • State clear purposes - Article 59 requires that data collection purposes be specified and clearly described. Your cookie policy should explain what each cookie category does and why data is collected.

  • Minimise data collection - collect only what is necessary for the stated purpose. This aligns with the data minimisation principle in Article 59.

  • Handle sensitive data with extra care - if any cookies or trackers collect data related to health, religion, or ethnicity (Article 58 categories), explicit consent is mandatory.

  • Consider GDPR alignment - if your site also targets users in the EU, aligning your cookie consent practices with GDPR standards will simultaneously satisfy Iran's less prescriptive requirements.

  • Document your compliance - keep records of consent mechanisms and cookie categorisation decisions. In the absence of clear regulatory guidance, documented good-faith efforts demonstrate responsible data handling.
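As an added illustration of the audit, categorisation and opt-in consent steps above (example code written for this page, not from the original page or from Kukie.io), a small JavaScript cookie audit that parses a cookie string, categorises each cookie by purpose and gates non-essential ones behind the user's opt-in choices. The category table, the vendor labels and the sample cookie string are constructed assumptions; the cookie names are the ones this page mentions, and anything unclassified is conservatively treated as needing consent.

```javascript
// Added example, not part of the original page. Categorises cookies by purpose
// and reports which ones need opt-in consent under the page's reading of
// Articles 58-59. Category assignments are assumptions for the names the page
// mentions; extend the table for the cookies your own scan finds.

// Constructed category table: patterns are matched against cookie names.
const COOKIE_CATEGORIES = [
  { pattern: /^PHPSESSID$/,        category: "essential", vendor: "PHP session" },
  { pattern: /^pll_language$/,     category: "essential", vendor: "Polylang language" },
  { pattern: /^_ga(_[A-Z0-9]+)?$/, category: "analytics", vendor: "Google Analytics" },
  { pattern: /^_gid$/,             category: "analytics", vendor: "Google Analytics" },
  { pattern: /^_fbp$/,             category: "marketing", vendor: "Meta Pixel" },
];

// Only "essential" cookies are treated as outside the consent requirement;
// "unknown" is included deliberately so unclassified cookies fail closed.
const CONSENT_REQUIRED = new Set(["analytics", "marketing", "unknown"]);

// Parse "name=value; name2=value2" into [{name, value}], tolerating "=" in values.
function parseCookieString(cookieStr) {
  return cookieStr.split(";").map(s => s.trim()).filter(Boolean).map(pair => {
    const eq = pair.indexOf("=");
    return eq === -1 ? { name: pair, value: "" }
                     : { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  });
}

function categorise(name) {
  const hit = COOKIE_CATEGORIES.find(c => c.pattern.test(name));
  return hit ? { category: hit.category, vendor: hit.vendor }
             : { category: "unknown", vendor: "unclassified" };
}

// Audit: one record per cookie, with a needsConsent flag for the cookie policy.
function auditCookies(cookieStr) {
  return parseCookieString(cookieStr).map(({ name }) => {
    const { category, vendor } = categorise(name);
    return { name, category, vendor, needsConsent: CONSENT_REQUIRED.has(category) };
  });
}

// Consent gate: given the visitor's opt-in choices ({ analytics: true, ... }),
// splits cookies into those that may be set now and those that must be withheld.
function applyConsent(cookieStr, choices) {
  const allowed = [], withheld = [];
  for (const c of auditCookies(cookieStr)) {
    (!c.needsConsent || choices[c.category] === true ? allowed : withheld).push(c.name);
  }
  return { allowed, withheld };
}

// Constructed sample of what a scan of a site might find.
const SAMPLE = "PHPSESSID=abc123; pll_language=fa; _ga=GA1.2.111; _ga_ABC123=GS1.1; _fbp=fb.1.999; promo_ref=x";
```

In a browser the same functions can be fed `document.cookie`; the audit output doubles as the categorisation record the last checklist item asks you to keep.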

The Draft Data Protection Bill

Iran's Ministry of Communication and Information Technology drafted a Personal Data Protection and Safeguarding Bill that has been under legislative review. The draft bill proposes establishing a dedicated supervisory authority and introduces broader data subject rights including the right to access, rectification, and deletion of personal data.

If enacted, this bill would significantly change the compliance landscape. It would likely introduce more specific requirements around cookie consent and online tracking. Website operators serving Iranian audiences should monitor this legislative development.

Until the bill passes, the Electronic Commerce Law's Articles 58-59 remain the primary reference point for cookie consent obligations in Iran.

Frequently Asked Questions

Does Iran have a cookie law?

Iran does not have a law specifically addressing cookies. The Electronic Commerce Law of 2003 contains general provisions on personal data consent (Articles 58-59) that apply to electronic data processing, which can include cookie-based data collection.

Do I need a cookie banner for Iranian visitors?

There is no explicit legal requirement for a cookie banner under Iranian law. Obtaining consent before processing personal data is required by Article 59 of the Electronic Commerce Law, and a cookie consent banner is a practical way to meet that obligation.

What are the penalties for violating data protection rules in Iran?

Violations of Article 58 of the Electronic Commerce Law carry criminal penalties of one to three years' imprisonment. There are no administrative fines similar to GDPR penalties. Enforcement against cookie practices specifically has not been publicly reported.

Is there a data protection authority in Iran?

Iran does not have a dedicated data protection authority. Oversight is split between the Ministry of ICT, FATA (Cyber Police), and the judiciary. The draft Personal Data Protection Bill proposes establishing a supervisory authority, but it has not yet been enacted.

Does Iranian data protection law apply to foreign websites?

The Electronic Commerce Law primarily applies to electronic transactions within Iran. It does not have the broad extraterritorial reach of the GDPR. Foreign websites with no presence in Iran face minimal practical enforcement risk, though compliance is advisable if you actively target Iranian consumers.

How does Iran's approach to cookies compare to the GDPR?

Iran's framework is far less developed. There are no cookie-specific rules, no dedicated regulator, and no administrative fine system. The GDPR, combined with the ePrivacy Directive, provides detailed cookie consent requirements that Iran's laws do not match.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.

Start Free - Scan Your Website