Mozambique's Privacy Framework: Where Things Stand
Mozambique has no standalone data protection statute in force. The country's privacy obligations are currently scattered across the Constitution, the Civil Code, and sector-specific rules on telecommunications.
That is changing. In September 2025, the National Institute of Information and Communication Technologies (INTIC) published a draft Personal Data Protection Bill for public consultation. The Council of Ministers approved the proposal in early 2026 and forwarded it to the Assembly of the Republic for debate. If enacted, Mozambique will join a growing number of African nations with comprehensive data protection legislation - following the path already taken by Kenya, Tanzania, and Angola.
For website owners, the practical question is straightforward: what rules apply right now, and what should you expect once the bill becomes law?
Constitutional Protections Under Article 71
Article 71 of the Mozambican Constitution already contains surprisingly detailed data protection guarantees. It requires that legislation be adopted to protect personal data held in computer records, regulate access to databases, and govern how both public and private entities use digital information.
The Constitution also prohibits the recording and processing of individually identifiable information concerning political beliefs, religious convictions, trade union membership, and details of a person's private life - except where the data subject consents or a court authorises it. Every individual has a constitutional right to access data collected about them and to demand rectification.
These rights exist on paper. The implementing legislation that Article 71 calls for has never been passed, leaving a significant gap between constitutional promise and practical enforcement.
The Draft Personal Data Protection Bill
The proposed bill draws heavily on international standards, including the African Union's Malabo Convention (which Mozambique ratified in 2019) and the EU's GDPR. It covers the processing of personal data by any natural or legal person, public or private, that carries out data-related activities in Mozambique for economic or non-private purposes.
Core Principles
The bill establishes principles familiar to anyone who has worked with South Africa's POPIA or the GDPR: lawfulness, purpose limitation, data minimisation, accuracy, transparency, confidentiality, security, and proportionality. Personal data may only be processed on a valid legal basis, with consent being one of several options.
Sensitive Data Restrictions
Processing of sensitive personal data - including political opinions, religious beliefs, health information, sexual life, and criminal records - is prohibited unless the data subject gives express consent or a specific exemption applies.
Data Subject Rights
The bill grants individuals the right to access, rectify, and erase their personal data, to object to processing, and to receive information about how their data is used. These rights mirror those found in the GDPR and in Nigeria's NDPR.
What the Bill Means for Cookies
The draft legislation does not mention cookies by name. This is common in African data protection laws, which tend to address the broader category of personal data processing rather than singling out specific technologies.
Cookies that collect or store personal data - such as analytics trackers like _ga, advertising identifiers like _fbp, or session cookies that link to user accounts - would fall within the bill's scope once enacted. The consent requirement would apply to any cookie that processes personal data without another valid legal basis.
Strictly necessary cookies, such as PHPSESSID for session management, would likely qualify under a legitimate interest or contractual necessity basis, depending on the final wording of the law.
The Proposed Data Protection Authority (ANPD)
The bill establishes a National Authority for Personal Data Protection (Autoridade Nacional de Protecção de Dados Pessoais, or ANPD). This body would be built on the existing Regulatory Authority for Information and Communication Technologies, transforming it into an independent institution with regulatory, supervisory, investigative, and sanctioning powers.
A separate National Personal Data Protection Council would handle political and strategic coordination, produce annual implementation reports, and liaise with the government on data protection policy.
Until the ANPD is operational, there is no dedicated regulator enforcing data protection rules in Mozambique. INTIC currently holds some competencies in this area but lacks formal enforcement powers for privacy matters.
Mozambique Compared to the GDPR and Regional Laws
| Aspect | Mozambique (Proposed Bill) | GDPR (EU) | POPIA (South Africa) |
|---|---|---|---|
| Status | Draft - awaiting parliamentary approval | In force since 2018 | Fully enforceable since 2021 |
| Scope | Processing by any entity in Mozambique for economic purposes | Processing of EU residents' data regardless of processor location | Processing of personal information within South Africa |
| Legal bases for processing | Consent, contractual necessity, legal obligation, public interest, legitimate interest | Six legal bases including consent and legitimate interest | Eight conditions for lawful processing |
| Cookie-specific rules | None - general data protection principles apply | ePrivacy Directive requires prior consent for non-essential cookies | No cookie-specific rules - general POPIA principles apply |
| Data protection authority | ANPD (proposed, not yet established) | National DPAs in each member state | Information Regulator |
| Penalties | To be determined in final legislation | Up to 4% of annual global turnover or EUR 20 million | Fines up to ZAR 10 million or imprisonment |
| International framework | Malabo Convention | EU treaties and Charter of Fundamental Rights | AU Convention signatory |
Compliance Checklist for Website Owners
Even without a dedicated data protection law, website owners serving Mozambican users should take practical steps now. Retrofitting compliance after a law passes is always more expensive and disruptive than building it in from the start.
Audit Your Cookies
Run a cookie scan to identify every cookie your site sets. Categorise them as strictly necessary, functional, analytics, or advertising. Tools like Kukie.io's scanner detect cookies automatically and classify them by purpose.
Implement a Consent Banner
A properly configured cookie consent banner that blocks non-essential cookies until a visitor opts in is the safest approach. This prepares your site for Mozambique's expected consent requirements and simultaneously addresses obligations under the GDPR, POPIA, and other frameworks your visitors may be subject to.
Draft a Clear Cookie Policy
List every cookie by name, purpose, duration, and provider. Explain the cookie categories your site uses. Make the policy accessible from your banner and footer.
Use Geo-Detection
If your site attracts visitors from multiple jurisdictions, geo-detection lets you apply the correct consent model per region. Visitors from Mozambique can receive a banner tailored to local requirements as they develop, while EU visitors see a GDPR-compliant prompt.
Keep Records
Store proof of each visitor's consent decision. If the ANPD follows the approach of established regulators, it will expect you to demonstrate that consent was freely given, specific, informed, and unambiguous.
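The audit, consent-gating and record-keeping steps above can be checked mechanically. The following is an added example, not code from Kukie.io or from the bill: it classifies the cookies visible on a page before any opt-in, reports those that should have been blocked, and builds a consent record. The category rules, the `promo_seen` cookie, and the record fields are assumptions made for illustration.

```javascript
// Illustrative category rules (assumption): real audits need a maintained cookie database.
const RULES = [
  { pattern: /^PHPSESSID$/, category: "strictly_necessary" },
  { pattern: /^_ga(_.+)?$|^_gid$/, category: "analytics" },
  { pattern: /^_fbp$/, category: "advertising" },
];
const OPTIONAL_CATEGORIES = ["functional", "analytics", "advertising"];

function classify(name) {
  const rule = RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unclassified";
}

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
// Note: HttpOnly cookies never appear in document.cookie, so pair this
// with a review of Set-Cookie response headers.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.indexOf("=") > 0)
    .map((pair) => pair.slice(0, pair.indexOf("=")));
}

// Report cookies present although the visitor has not opted in to their category.
// Unclassified cookies are reported too: an unknown cookie cannot be assumed necessary.
function auditCookies(cookieString, consentedCategories = []) {
  const allowed = new Set(["strictly_necessary", ...consentedCategories]);
  return cookieNames(cookieString)
    .map((name) => ({ name, category: classify(name) }))
    .filter((c) => !allowed.has(c.category));
}

// Proof of the visitor's decision: what was granted, what was refused,
// when, and under which version of the cookie policy.
function consentRecord(granted, policyVersion, when = new Date()) {
  return {
    timestamp: when.toISOString(),
    policyVersion,
    granted: OPTIONAL_CATEGORIES.filter((c) => granted.includes(c)),
    denied: OPTIONAL_CATEGORIES.filter((c) => !granted.includes(c)),
  };
}

// Constructed sample: cookies visible on first page load, before any banner click.
const SAMPLE_COOKIES =
  "PHPSESSID=abc123; _ga=GA1.1.111.222; _fbp=fb.1.1700000000000.333; promo_seen=1";
console.log(auditCookies(SAMPLE_COOKIES));
```

Any finding returned for an empty consent list means the banner is not blocking that cookie before opt-in, or the cookie has not yet been categorised.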
Cross-Border Considerations
Mozambique's neighbours are at various stages of data protection maturity. South Africa's POPIA is fully enforced. Tanzania's Data Protection Act took effect in 2023. Kenya's Data Protection Act 2019 is well-established. Websites operating across southern and eastern Africa need to account for each country's distinct rules rather than assuming a single standard applies.
The proposed Mozambican bill aligns with the Malabo Convention, which should ease cross-border data flows with other AU member states that have ratified the same convention. Practical reciprocity arrangements, though, will depend on the ANPD's guidance once it is established.
Frequently Asked Questions
Does Mozambique have a data protection law?
Not yet. A Personal Data Protection Bill was approved by the Council of Ministers in early 2026 and is awaiting debate in the Assembly of the Republic. Constitutional protections under Article 71 exist but lack implementing legislation.
Do I need cookie consent for Mozambican visitors?
There is no cookie-specific law in Mozambique at present. Implementing a consent banner now is still recommended because the proposed bill will require a legal basis for processing personal data, and consent is the most practical basis for non-essential cookies.
What is the ANPD in Mozambique?
The Autoridade Nacional de Protecção de Dados Pessoais (ANPD) is the proposed data protection authority. It would be built on the existing telecommunications regulator and would have powers to investigate complaints, issue regulations, and impose sanctions.
How does Mozambique's proposed law compare to South Africa's POPIA?
Both laws share principles of lawfulness, purpose limitation, and data minimisation. POPIA is already fully enforced with an active Information Regulator, while Mozambique's bill is still awaiting parliamentary approval and has no operational authority yet.
Are analytics cookies affected by the proposed bill?
Yes. Cookies like _ga that collect personal data such as IP addresses and browsing behaviour would fall under the bill's scope. You would need a valid legal basis - most likely consent - to set them on Mozambican visitors' devices.
What penalties does Mozambique's data protection bill propose?
The final penalty framework has not been published. The bill grants the ANPD sanctioning powers, but specific fine amounts will depend on the version approved by the Assembly of the Republic.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.