How Law 09-08 Governs Cookies in Morocco
Morocco enacted Law 09-08 on 18 February 2009 to protect individuals with regard to the processing of personal data. Its implementing decree, Decree 2-09-165, followed on 21 May 2009. The law created the Commission Nationale de Controle de la Protection des Donnees a Caractere Personnel (CNDP) as the country's supervisory authority.
Cookies are not addressed by a standalone Moroccan statute. Instead, the CNDP treats any cookie that collects or contains personal data - an IP address, a device identifier, or any value that can be linked to an identifiable person - as personal data processing subject to Law 09-08.
The CNDP's 2014 guidelines on website compliance confirmed this position. If your site drops cookies such as _ga, _fbp, or any tracker that stores a unique identifier, you are processing personal data under Moroccan law.
What the CNDP Requires for Cookie Consent
Under Law 09-08, processing personal data requires a lawful basis. For cookies, the CNDP's published guidance calls for prior consent from the data subject before non-essential cookies are set.
Your cookie banner must do three things:
Inform visitors about which cookies your site uses and why
Obtain consent before setting cookies that process personal data
Explain how visitors can refuse or withdraw consent
Strictly necessary cookies - those required for the basic functioning of a website, such as PHPSESSID or a shopping cart session cookie - do not require consent, because they do not serve a tracking or profiling purpose.
On 28 November 2025, the CNDP issued Decision D-939-2025, introducing a simplified notification form specifically for cookie-related data processing. This signals that the regulator is paying closer attention to cookie practices and expects controllers to formally declare their cookie processing activities.
CNDP Registration and Notification Obligations
Law 09-08 requires data controllers to file either a prior notification or a prior authorisation request with the CNDP before processing personal data, depending on the type and sensitivity of the data involved. Standard cookie processing typically falls under the notification requirement rather than the stricter authorisation route.
Decision D-939-2025 simplifies this for cookies. Controllers can now file a dedicated, shorter form to notify the CNDP of cookie-based processing on their websites.
Failing to register processing activities with the CNDP is itself a punishable offence under Law 09-08, separate from any consent violation.
Fines and Enforcement Under Law 09-08
The penalties written into Law 09-08 are significant on paper. Non-compliance can result in fines ranging from MAD 10,000 to MAD 600,000 (roughly EUR 900 to EUR 55,000) and imprisonment of between three months and four years.
In practice, the CNDP has historically favoured a graduated enforcement approach. To date, no publicised fines have been imposed specifically for cookie violations. The authority has instead relied on warning letters sent to organisations handling large volumes of personal or sensitive data. Recent years have seen an increase in warning activity, suggesting that the regulator is moving toward stricter oversight.
This should not breed complacency. The introduction of Decision D-939-2025 and the CNDP's growing institutional capacity indicate that formal enforcement actions, including fines, may follow.
Penalty Summary
| Violation | Fine (MAD) | Fine (approx. EUR) | Imprisonment |
|---|---|---|---|
| Processing without notification/authorisation | 10,000 - 300,000 | 900 - 27,500 | 3 months - 1 year |
| Processing without valid consent | 20,000 - 300,000 | 1,800 - 27,500 | 3 months - 1 year |
| Failure to respect data subject rights | 20,000 - 200,000 | 1,800 - 18,300 | 3 - 6 months |
| Serious or repeated violations | Up to 600,000 | Up to 55,000 | Up to 4 years |
Morocco's Law 09-08 Compared to the GDPR
Law 09-08 was modelled on the earlier EU Data Protection Directive (95/46/EC), not the GDPR. The two frameworks share core principles - lawfulness, purpose limitation, data minimisation, accuracy - but diverge in important ways.
Morocco is a signatory to Convention 108 and Convention 108+, which align it with European data protection standards. Being GDPR-compliant gets you close to Moroccan compliance, but the CNDP's registration and notification requirements have no direct GDPR equivalent.
| Aspect | Morocco Law 09-08 | EU GDPR |
|---|---|---|
| Year enacted | 2009 | 2016 (enforced 2018) |
| Supervisory authority | CNDP | National DPAs per member state |
| Registration requirement | Mandatory notification or authorisation with CNDP | No general registration (ROPA required internally) |
| Cookie-specific rules | No standalone cookie law; CNDP guidance applies | ePrivacy Directive + GDPR |
| Consent standard | Prior, informed consent | Freely given, specific, informed, unambiguous |
| Maximum fine | MAD 600,000 (approx. EUR 55,000) | EUR 20 million or 4% of global turnover |
| Criminal penalties | Yes (up to 4 years) | Varies by member state |
| Cross-border transfer rules | CNDP authorisation required | Adequacy decisions, SCCs, BCRs |
The CNDP has publicly signalled interest in aligning Moroccan law more closely with the GDPR, but no formal legislative reform has been adopted yet.
Compliance Checklist for Moroccan Cookie Consent
If your website targets visitors in Morocco or processes data using equipment located in Morocco, use this checklist:
Audit your cookies - Run a cookie scan to identify every cookie your site sets, including those from third-party scripts like
_ga,_fbp, and_gid.Categorise cookies - Sort them into strictly necessary, functional, analytics, and marketing categories.
Display a cookie banner - Show a clear, well-designed cookie banner before setting non-essential cookies. The banner must explain the purpose of each category and allow visitors to accept or refuse.
Block scripts before consent - Do not fire tracking scripts until the visitor has granted consent for that category.
Publish a cookie policy - Write a cookie policy listing each cookie by name, its purpose, duration, and category.
File CNDP notification - Submit the appropriate notification or authorisation form to the CNDP for your cookie-based processing. Use the simplified form introduced by Decision D-939-2025 where applicable.
Keep records - Store proof of consent (timestamps, consent strings) and maintain documentation of your processing activities.
Regional Context: Cookie Consent Across Africa and the Middle East
Morocco is one of the more developed data protection regimes on the African continent. The CNDP was established in 2009, well ahead of many neighbouring countries.
If you operate websites across multiple African or Middle Eastern markets, you should also review the cookie consent rules in Algeria, Egypt, Nigeria, Kenya, and Saudi Arabia. Each country has its own rules, registration requirements, and enforcement posture.
South Africa's POPIA is worth studying as a comparison point. The Protection of Personal Information Act takes a different approach to consent and has a more active enforcement record.
Frequently Asked Questions
Does Morocco have a specific cookie law?
No. Morocco does not have a standalone cookie statute. Cookies fall under Law 09-08 when they process personal data. The CNDP's 2014 guidelines and Decision D-939-2025 provide specific direction on cookie compliance.
Do I need consent to set cookies for Moroccan visitors?
Yes. The CNDP requires prior consent before setting cookies that collect personal data. Strictly necessary cookies for basic site functionality are exempt.
What fines can the CNDP impose for cookie violations?
Fines under Law 09-08 range from MAD 10,000 to MAD 600,000 (approximately EUR 900 to EUR 55,000). Criminal penalties of up to four years imprisonment also apply. No publicised fines have been issued specifically for cookies to date.
Do I need to register my cookie processing with the CNDP?
Yes. Law 09-08 requires a prior notification or authorisation filing with the CNDP for personal data processing. Decision D-939-2025 introduced a simplified form specifically for cookie processing.
Is Morocco GDPR-compliant?
Morocco's Law 09-08 shares principles with the GDPR but predates it. Morocco is a signatory to Convention 108+, aligning it with European standards. Full GDPR compliance does not automatically satisfy Moroccan requirements, particularly the CNDP registration obligation.
Does Law 09-08 apply to websites outside Morocco?
Law 09-08 applies when processing is carried out using equipment located in Morocco or when a controller is established in Morocco. Websites targeting Moroccan users may fall within scope if they use local infrastructure or collect data from Moroccan residents.
Set Up Cookie Consent for Moroccan Visitors
Moroccan data protection law requires prior consent for cookies that process personal data, backed by the CNDP's notification requirements. Getting this right means auditing your cookies, configuring a compliant banner, and filing the appropriate CNDP forms.
Kukie.io detects cookies on your site, categorises them automatically, and helps you display a consent banner that meets the requirements of Law 09-08 and other privacy regulations your visitors may be subject to.
