Iraq Has No Dedicated Data Protection Law

Iraq is one of the most populous countries in the Middle East without a standalone data protection statute. Unlike neighbours such as Saudi Arabia, which enacted its Personal Data Protection Law (PDPL) in 2022, or Turkey, which passed the KVKK in 2016, Iraq has not yet adopted legislation specifically governing the collection, processing, or storage of personal data.

That absence extends to cookies. There is no Iraqi equivalent of the EU's ePrivacy Directive or any sector-specific rule requiring websites to obtain consent before placing tracking technologies on a visitor's device.

This does not mean privacy is entirely unprotected. Several older laws touch on personal data in limited ways, and a draft bill has been under parliamentary consideration since 2021.

Constitutional and Existing Legal Protections

The Iraqi Constitution of 2005 provides the primary legal basis for privacy rights. Article 17(1) states that every individual has the right to personal privacy, provided it does not contradict the rights of others or public morals. Article 17(2) protects the sanctity of the home from entry or search without judicial authorisation.

These provisions are broad and were drafted before modern data processing practices became widespread. They offer a general principle rather than specific rules about cookies, consent mechanisms, or data controller obligations.

Beyond the constitution, fragmented protections exist in older statutes.

Law | Year | Relevance to Data Privacy
--- | --- | ---
Iraqi Constitution | 2005 | Article 17 - right to personal privacy
Iraqi Penal Code (No. 111) | 1969 | Articles 229 and 438 - penalties for violating personal secrets and private life
Iraqi Civil Code (No. 40) | 1951 | General tort provisions applicable to privacy violations
Banking Law | 2004 | Confidentiality of banking customer data
CPA Order 65 - Communications and Media Commission | 2004 | Regulatory authority over telecommunications and media, including data handling by operators

None of these laws address cookies or online tracking. The Penal Code provisions were written decades before the internet reached Iraq and focus on physical intrusions into private life rather than digital data collection.

The Draft Personal Data Protection Law

A draft Personal Data Protection Law was introduced to the Iraqi Council of Representatives in 2021. The bill aims to regulate the collection, processing, and storage of personal data, drawing on concepts familiar from the GDPR framework.

Key provisions in the draft include individual rights to access, correct, and delete personal data. The bill also proposes establishing a dedicated regulatory authority to oversee compliance and handle complaints.

As of early 2026, the draft has not been enacted. Parliamentary progress has been slow, and the regulatory authority envisaged by the bill does not yet exist. The timeline for passage remains uncertain.

Website owners should monitor this legislation. Once enacted, it could introduce consent requirements that directly affect how cookies and tracking technologies are used on sites serving Iraqi visitors.

The Communications and Media Commission

The Communications and Media Commission (CMC), established under CPA Order 65 of 2004, is Iraq's telecommunications and media regulator. The CMC oversees licensing, content regulation, and technical standards for communications providers.

In 2024 and 2025, the CMC increased its focus on digital content regulation, issuing restrictions on certain online material under the Penal Code. The commission has also engaged with technology companies on data protection standards and digital sovereignty.

The CMC does not currently enforce cookie consent rules or publish guidance on website privacy practices. If the draft Personal Data Protection Law passes, the CMC or a newly created body could become the primary enforcement authority for online privacy matters.

Why Cookie Consent Still Matters for Iraqi Websites

The lack of a local cookie law does not eliminate the need for a cookie consent banner. Several practical and legal factors make consent management relevant for websites with Iraqi traffic.

Extraterritorial Reach of Foreign Laws

If your website serves visitors from the EU, the GDPR and ePrivacy Directive apply regardless of where your servers or business are located. Article 3(2) of the GDPR extends its reach to any organisation offering goods or services to individuals in the EU or monitoring their behaviour. An Iraqi business selling products to European customers must comply with EU cookie consent rules.

The same logic applies to other jurisdictions with extraterritorial provisions, including the UK GDPR, Brazil's LGPD, and Saudi Arabia's PDPL.

Regional Regulatory Trends

Iraq's neighbours are moving toward stricter data protection regimes. Saudi Arabia's PDPL took full effect in 2024. Egypt enacted its Personal Data Protection Law in 2020. Iran has ICT regulations that touch on data handling. When Iraq eventually passes its own law, websites that already have consent mechanisms in place will face a much smaller compliance burden.

Advertising Platform Requirements

Google's Consent Mode v2, rolled out in 2024, requires websites using Google Ads or Google Analytics to implement a certified consent management platform. This requirement applies globally, not just in jurisdictions with cookie laws. If your Iraqi website uses _ga, _gid, or _fbp cookies, you need a consent mechanism to maintain full advertising functionality.

How Iraq Compares to Other Middle Eastern Countries

Iraq sits in a cluster of Middle Eastern nations still developing their data protection frameworks. For a broader view, see the global compliance overview. The contrast with early adopters in the region is stark.

Country | Data Protection Law | Cookie-Specific Rules | Enforcement Body
--- | --- | --- | ---
Iraq | Draft only (since 2021) | None | None (CMC has limited role)
Saudi Arabia | PDPL (2022, enforced 2024) | Consent for non-essential processing | SDAIA
Egypt | Law No. 151 (2020) | Consent for personal data collection | Data Protection Centre
Iran | No comprehensive law | None | ICT Ministry (limited)
Turkey | KVKK (2016) | Explicit consent required | KVKK Board

Iraq's position is similar to Iran's - both lack comprehensive legislation and cookie-specific rules. The key difference is that Iraq has a draft law under consideration, which could accelerate progress once political conditions allow.

Compliance Checklist for Websites Targeting Iraq

Even without a local cookie law, a structured approach to privacy protects your visitors and your business.

  • Audit your cookies - Run a free cookie scan to identify every cookie your site sets, including third-party cookies from analytics, advertising, and social media widgets.

  • Implement a consent banner - Display a clear cookie banner that allows visitors to accept or reject non-essential cookies. This prepares you for Iraq's future law and satisfies requirements from the GDPR, LGPD, and other extraterritorial regimes.

  • Categorise your cookies - Group cookies into strictly necessary, functional, analytics, and advertising categories. Visitors should be able to make granular choices.

  • Publish a cookie policy - List every cookie by name (e.g., PHPSESSID, _ga, pll_language), its purpose, duration, and whether it is first-party or third-party. A cookie database can help identify unfamiliar trackers.

  • Block scripts before consent - Non-essential cookies should not fire until the visitor has given affirmative consent. This is a technical requirement under the GDPR and a best practice everywhere.

  • Configure geo-detection - Use geo-targeting to apply stricter consent rules for visitors from regulated jurisdictions while maintaining a simpler notice for Iraqi visitors if you prefer.

  • Keep records - Store consent logs with timestamps. When Iraq's law passes, proof of consent may become a legal requirement.
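
The categorise, block-before-consent, and keep-records steps above can be expressed as one small consent gate. This is an added example, not code from this page or from any consent product; the cookie-to-category mapping, the script URLs, and POLICY_VERSION are assumptions made for illustration.

```javascript
// Added example. Cookie-to-category mapping, script URLs and POLICY_VERSION
// are illustrative assumptions, not values from the page or any product.
const POLICY_VERSION = "example-1";
const COOKIE_CATEGORIES = new Map([
  ["PHPSESSID", "necessary"],     // PHP session identifier
  ["pll_language", "functional"], // language preference
  ["_ga", "analytics"],           // Google Analytics
  ["_gid", "analytics"],
  ["_fbp", "advertising"],        // Meta Pixel
]);
const SCRIPTS = [ // constructed sample of tags held back until consent
  { src: "https://example.test/analytics.js", category: "analytics" },
  { src: "https://example.test/pixel.js", category: "advertising" },
];

// Fail closed: a cookie nobody has reviewed belongs to no grantable category.
function categorise(name) {
  return COOKIE_CATEGORIES.get(name) || "unclassified";
}

// Build the stored consent record. Only a literal `true` counts as
// affirmative consent, and "necessary" cannot be switched off.
function recordConsent(choices, now = new Date()) {
  const granted = { necessary: true, functional: false, analytics: false, advertising: false };
  for (const cat of ["functional", "analytics", "advertising"]) {
    if (choices[cat] === true) granted[cat] = true;
  }
  return { granted, timestamp: now.toISOString(), policyVersion: POLICY_VERSION };
}

// Block-before-consent: return only the script URLs whose category is granted.
function allowedScripts(scripts, record) {
  return scripts.filter((s) => record.granted[s.category] === true).map((s) => s.src);
}

// Audit: names in a cookie string that are present without matching consent.
function cookiesViolatingConsent(cookieString, record) {
  return cookieString.split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name && record.granted[categorise(name)] !== true);
}
```

In a browser, the URLs returned by allowedScripts would be the only ones injected as script elements, and document.cookie can be passed to cookiesViolatingConsent to spot trackers that fired without consent.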

Frequently Asked Questions

Does Iraq require cookie consent on websites?

Iraq does not currently have a law requiring cookie consent. There is no equivalent of the EU's ePrivacy Directive or any specific regulation governing the use of cookies or tracking technologies on websites.

Is there a data protection law in Iraq?

Iraq does not have an enacted data protection law. A draft Personal Data Protection Law was introduced to parliament in 2021, but it has not yet been passed. The Iraqi Constitution of 2005 provides a general right to privacy under Article 17.

Do I need a cookie banner for an Iraqi website?

While Iraqi law does not mandate a cookie banner, you may still need one if your site serves visitors from the EU, UK, Brazil, or other jurisdictions with cookie consent laws. Google Consent Mode v2 also requires consent signals for advertising tools.

Which authority enforces data protection in Iraq?

Iraq does not have a dedicated data protection authority. The Communications and Media Commission (CMC) regulates telecommunications but does not oversee website cookie practices. The draft data protection law proposes creating a new regulatory body.

Will Iraq adopt a GDPR-style law?

The draft Personal Data Protection Law draws on GDPR concepts, including individual rights and controller obligations. If enacted, it would move Iraq closer to international standards, though the timeline for passage remains uncertain.

Can Iraqi websites be fined under the GDPR?

If an Iraqi website offers goods or services to EU residents or monitors their behaviour, it falls under the GDPR's extraterritorial scope. Non-compliance could result in enforcement action by EU data protection authorities.

Prepare Your Website for Iraq's Privacy Future

Iraq's data protection framework is evolving. A draft law is on the table, regional neighbours are tightening their rules, and global advertising platforms already demand consent signals. Setting up cookie consent now avoids a scramble later.

Kukie.io detects and categorises the cookies on your site, displays a customisable consent banner, and logs visitor choices - so you are ready whether the law changes tomorrow or next year.
