Madagascar's Data Protection Framework: Law 2014-038
Madagascar adopted Law No. 2014-038 on 16 December 2014, with the law coming into force upon publication in the Official Gazette on 20 July 2015. The legislation was modelled on the EU Data Protection Directive (95/46/EC), with input from Francophone data protection authorities through the Association francophone des autorités de protection des données personnelles (AFAPDP).
The law establishes rules for collecting, processing, storing, and transferring personal data. It applies to any entity processing the personal data of individuals located in Madagascar, regardless of where the data controller is based.
A key detail for website owners: the law does not contain specific provisions on cookies, local storage objects, or similar tracking technologies. That gap does not mean your site is exempt from regulation. Any cookie that collects personal data - an identifier stored in _ga, a session token in PHPSESSID, or a marketing pixel like _fbp - falls under the general data processing rules of Law 2014-038.
Legal Bases for Processing Personal Data
Law 2014-038 follows a consent-first model. Before processing personal data, you must obtain prior consent from the data subject or rely on one of the alternative legal bases the law recognises.
The six lawful bases are:
Prior consent of the data subject
Compliance with a legal obligation
Protection of the data subject's life or vital interests
Execution of a public service mission
Performance of a contract or pre-contractual measures
Legitimate interest of the data controller, balanced against the rights of the individual
This structure closely mirrors the consent requirements found in GDPR-aligned frameworks. For most websites, analytics and advertising cookies have to rely on the consent basis, since the other grounds rarely apply to marketing-driven data collection, so they should not be set before consent is obtained.
How This Compares to GDPR and Other African Laws
Madagascar's law predates the GDPR by several years, drawing instead from the 1995 EU Data Protection Directive. The similarities are clear: purpose limitation, data minimisation, and a consent-first approach all feature prominently. The differences are equally notable.
| Requirement | Madagascar (Law 2014-038) | EU GDPR | South Africa (POPIA) | Kenya (DPA 2019) |
|---|---|---|---|---|
| Primary legislation | Law 2014-038 (2015) | Regulation 2016/679 | POPIA (2020) | Data Protection Act (2019) |
| Supervisory authority | CMIL (not fully operational) | National DPAs | Information Regulator | ODPC |
| Cookie-specific rules | No | Yes (ePrivacy Directive) | No (general processing rules) | No (general processing rules) |
| Consent required | Prior consent (default basis) | Freely given, specific, informed | Voluntary, specific, informed | Free, informed consent |
| Maximum financial penalty | 5% of prior year pre-tax turnover | 4% of global turnover or EUR 20m | ZAR 10 million | KES 5 million |
| Criminal sanctions | 6 months to 2 years imprisonment | Varies by member state | Up to 10 years imprisonment | Not specified |
For a broader view of African data protection, see the country guides for Kenya, Mozambique, and South Africa (POPIA).
The CMIL: Madagascar's Data Protection Authority
Law 2014-038 created the Commission Malagasy de l'Informatique et des Libertés (CMIL) as the supervisory authority responsible for enforcement. On paper, the CMIL has significant powers: it can conduct on-site inspections, request documents, perform online verifications, and issue sanctions.
The practical reality is different. The CMIL has not been fully operational since the law took effect. In December 2023, Decree No. 2023-1541 was issued to define the CMIL's attributions and functioning, signalling that the Malagasy government intends to activate the authority. Until all members are appointed and the body is resourced, enforcement remains limited.
This does not mean you should treat compliance as optional. Regulatory authorities across Africa have moved from dormancy to active enforcement rapidly - Nigeria's NDPR is a recent example.
Penalties for Non-Compliance
The sanctions under Law 2014-038 are more severe than many website owners expect from a developing regulatory framework.
Financial penalties can reach up to 5% of prior year pre-tax turnover. For comparison, the GDPR caps fines at 4% of global annual turnover. The law also provides for criminal sanctions: unauthorised processing of personal data can result in six months to two years of imprisonment. Courts may order the erasure of unlawfully processed data, and the CMIL can withdraw processing authorisations entirely.
These penalties apply once the CMIL becomes fully operational and begins enforcement proceedings.
Consent Requirements for Cookies on Malagasy Websites
Although Law 2014-038 does not mention cookies explicitly, the consent provisions apply to any processing of personal data. If your website sets cookies that collect or store personal data - and most analytics and marketing cookies do - you need a lawful basis.
Strictly necessary cookies, such as PHPSESSID for session management or pll_language for language preferences, can likely be justified under the contract performance or legitimate interest bases. Analytics cookies like _ga or advertising cookies like _fbp almost certainly require prior consent.
A cookie banner that asks visitors for consent before non-essential cookies are set is the most practical approach. The banner should clearly explain what data is collected and why, giving visitors a genuine choice to accept or refuse.
Running a cookie scan on your website is the first step to understanding which cookies you set and whether any of them process personal data.
Cross-Border Data Transfers
Law 2014-038 restricts transfers of personal data to countries that do not provide a sufficient level of protection for privacy and fundamental rights. Transfers are permitted only where the data subject has given informed consent, the transfer is necessary for contract performance, the transfer serves the public interest, or the transfer is needed for legal defence.
The recipient of transferred data cannot retransfer it to a third party without approval from both the original data controller and the CMIL. If your website uses third-party analytics or advertising services hosted outside Madagascar, these transfer provisions are directly relevant.
Compliance Checklist for Your Website
Preparing your website for Malagasy data protection requirements does not need to be complicated. Follow these steps to build a solid foundation.
Audit your cookies - Use an automated cookie scanner to identify every cookie your site sets, including third-party cookies from analytics and advertising scripts.
Classify cookies by purpose - Group cookies into categories: strictly necessary, functional, analytics, and marketing.
Implement a consent mechanism - Display a cookie banner that collects prior consent before setting non-essential cookies. Ensure the banner offers a clear accept and refuse option.
Draft a cookie policy - Publish a transparent cookie policy explaining which cookies you use, what data they collect, and how long they persist.
Review cross-border transfers - Check whether your third-party services transfer data outside Madagascar and confirm a lawful transfer mechanism is in place.
Document processing activities - Maintain records of what personal data you collect, why, and on what legal basis.
Monitor CMIL developments - Track the operationalisation of the CMIL and any implementing decrees that may introduce cookie-specific rules.
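The first three checklist steps can be checked against real traffic. The sketch below is an added example, not code from the article or from any scanner product: it classifies the `Set-Cookie` headers a server sends on a first visit, before any banner choice, and marks the ones that should have waited for consent. The name map is an assumption built from the cookie names mentioned above plus the GA4 `_ga_<id>` prefix, and the sample headers are constructed.

```python
# Categories follow the article's checklist. The name map is an assumption built
# from the cookie names the article mentions, plus the GA4 "_ga_<id>" prefix.
EXACT = {"PHPSESSID": "strictly necessary", "pll_language": "strictly necessary",
         "_ga": "analytics", "_fbp": "marketing"}
PREFIXES = {"_ga_": "analytics"}
CONSENT_FREE = {"strictly necessary"}  # every other category waits for consent


def parse_set_cookie(header):
    """Return (name, attributes) from one Set-Cookie header value."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs


def classify(name):
    """Map a cookie name to a purpose; unknown names need manual review."""
    by_prefix = (c for p, c in PREFIXES.items() if name.startswith(p))
    return EXACT.get(name) or next(by_prefix, "unclassified")


def audit(headers):
    """Classify cookies a server set on a first visit, before any banner choice."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        category = classify(name)
        findings.append({
            "name": name, "category": category,
            "persistent": "max-age" in attrs or "expires" in attrs,
            "needs_consent": category not in CONSENT_FREE,
        })
    return findings


# Constructed sample: Set-Cookie values from a first page load, no consent given.
SAMPLE = [
    "PHPSESSID=3f9c; Path=/; HttpOnly; Secure",
    "pll_language=fr; Path=/; Max-Age=31536000",
    "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
    "_fbp=fb.1.333.444; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "promo_id=abc; Path=/",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any entry with `needs_consent` set to true in a pre-consent capture is a cookie the banner failed to hold back; unclassified names are flagged as well so they get a manual review rather than a silent pass.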
Data Subject Rights Under Law 2014-038
Individuals in Madagascar have the right to opt out of marketing uses of their personal data without providing a reason. The law also requires that personal data be processed fairly and lawfully, kept accurate and up to date, and retained only for as long as necessary.
Your website should provide a mechanism for visitors to withdraw consent and request information about the data you hold. A well-configured consent management platform with geo-detection can help you apply Madagascar-specific rules to visitors from the country while maintaining different settings for other jurisdictions.
Frequently Asked Questions
Does Madagascar have a specific cookie law?
No. Law 2014-038 does not contain specific provisions on cookies, local storage, or similar tracking technologies. Cookies that collect personal data fall under the general data processing rules of the law, which require prior consent or another valid legal basis.
Is cookie consent required for websites targeting Madagascar?
Yes, if your cookies collect personal data. Law 2014-038 requires prior consent as the default basis for processing personal data. Analytics and marketing cookies almost always collect personal identifiers, so consent is the appropriate legal basis.
What is the CMIL and is it active?
The CMIL (Commission Malagasy de l'Informatique et des Libertés) is the data protection authority created by Law 2014-038. It is not yet fully operational, though Decree No. 2023-1541 (December 2023) defined its attributions, signalling progress toward full activation.
What are the penalties for data protection violations in Madagascar?
Financial penalties can reach 5% of prior year pre-tax turnover. Criminal sanctions include six months to two years of imprisonment for unauthorised processing. Courts can also order the erasure of unlawfully collected data.
How does Madagascar's data protection law compare to the GDPR?
Both laws share a consent-first approach and recognise similar legal bases for processing. The GDPR caps fines at 4% of global turnover, while Madagascar's law sets a 5% cap on prior year pre-tax turnover. A major difference is enforcement: the GDPR has active supervisory authorities, while Madagascar's CMIL is not yet fully operational.
Can I transfer personal data from Madagascar to another country?
Only if the receiving country provides a sufficient level of protection for privacy rights, or if you have the data subject's informed consent, a contractual necessity, or a public interest justification. The recipient cannot retransfer data without approval from the original controller and the CMIL.