Nepal's Privacy Framework and How It Affects Your Website
Nepal enacted the Individual Privacy Act, 2075 (referred to internationally as the Privacy Act 2018) on 18 September 2018. The Act is the country's first standalone privacy statute, covering both physical privacy and informational privacy for individuals.
For website owners, the key provisions sit in the sections on personal information collection and consent. The Act requires any authorised person or entity to obtain prior consent from individuals before collecting their personal data and to state the purpose of that collection. Collected data may only be used for the stated purpose. These obligations apply to both public and private entities operating within Nepal's jurisdiction.
The Act does not specifically mention cookies, IP addresses, or online identifiers. That gap limits its direct application to website tracking technologies. But if your site collects personal information from Nepali users through forms, account registration, or analytics tools that capture identifiable data, the consent provisions apply.
What the Privacy Act 2018 Requires
The Act creates a general right to privacy covering a person's body, residence, property, documents, data, correspondence, and information in online mediums. Section 3 places obligations on entities that collect personal information.
Three requirements stand out for website operators:
Prior consent - You must obtain consent before collecting personal information from a user
Purpose limitation - Data may only be used for the specific purpose disclosed at the time of collection
Security obligations - Entities must arrange effective security measures against unauthorised access, use, alteration, disclosure, or publication of collected data
Sensitive information receives extra protection. Public entities may not process sensitive data unless required for medical treatment or emergency rescue, or unless the individual has made that information public voluntarily.
Penalties Under the Privacy Act
Section 31 of the Act outlines the penalty regime. Violations can result in imprisonment of up to three years, fines of up to NPR 30,000 (roughly USD 220), or both. Victims must file a complaint at the relevant District Court within three months of the violation.
These penalties are modest compared to the GDPR's potential fines of up to 4% of global annual turnover or EUR 20 million. The short filing window and court-based enforcement model also mean that practical enforcement has been limited so far.
No Dedicated Data Protection Authority (Yet)
A significant gap in Nepal's current framework is the absence of a dedicated data protection authority. The Privacy Act does not establish a regulator to investigate complaints, conduct audits, or issue administrative fines. Oversight falls loosely to the Ministry of Communication and Information Technology (MoCIT) and the Nepal Telecommunications Authority, but neither body has a specific mandate for privacy enforcement.
The Digital Privacy and Data Protection Act 2082
Nepal's government has passed the Digital Privacy and Data Protection Act, 2082, which aims to modernise the country's data protection regime. This newer statute proposes several changes that bring Nepal closer to international standards.
Key features of the proposed framework include:
A requirement for express, informed consent before collecting personal data
Data localisation provisions that may require certain sensitive data to be stored on servers within Nepal
Transparency obligations requiring organisations to disclose how data is collected, used, and shared
Establishment of a Data Protection Board as a dedicated regulatory body
The Data Protection Board would have authority to investigate complaints, conduct audits, and issue penalties for non-compliance. Until this board becomes fully operational, enforcement remains fragmented across multiple government agencies.
Do Cookies Require Consent in Nepal?
The short answer: there is no cookie-specific law in Nepal equivalent to the EU's ePrivacy Directive. The Privacy Act 2018 does not reference cookies, local storage, or device-based tracking technologies by name.
That said, if cookies on your website collect personal information from Nepali visitors, the general consent requirements of the Privacy Act apply. Cookies such as _ga, _fbp, or _gcl_au that track user behaviour and build profiles tied to identifiable individuals fall within the Act's scope. Strictly necessary cookies like PHPSESSID or pll_language that do not collect personal data sit outside these requirements.
The upcoming Digital Privacy and Data Protection Act 2082 does not contain cookie-specific provisions either, but its broader consent and transparency requirements would apply to any cookie-based data collection involving personal information.
Nepal vs GDPR: How the Rules Compare
| Aspect | Nepal Privacy Act 2018 | EU GDPR |
|---|---|---|
| Cookie-specific rules | None | Yes (via ePrivacy Directive) |
| Consent requirement | Prior consent for personal data | Freely given, specific, informed, unambiguous consent |
| Data protection authority | None (proposed under 2082 Act) | Independent DPA in each member state |
| Maximum fine | NPR 30,000 (approx. USD 220) or 3 years' imprisonment | EUR 20 million or 4% of global turnover |
| Breach notification | Not specified | 72 hours (Article 33) |
| Data subject rights | Right to rectification (Section 28) | Access, rectification, erasure, portability, restriction, objection |
| Territorial scope | Entities within Nepal | Any entity processing EU residents' data |
| Data localisation | Proposed under 2082 Act | Adequacy decisions and SCCs for transfers |
The GDPR's extraterritorial reach means that if your Nepal-based website targets or monitors EU visitors, you must comply with GDPR requirements regardless of Nepali law.
Compliance Checklist for Websites Targeting Nepal
Even without cookie-specific legislation, adopting a consent-first approach protects your site against current and future Nepali privacy rules. Here is a practical checklist:
Audit your cookies - Run a cookie audit to identify every cookie your site sets, including those from third-party scripts like analytics, advertising pixels, and social media embeds
Categorise cookies properly - Group cookies into standard categories: strictly necessary, functional, analytics, and marketing
Display a cookie banner - Show a clear cookie banner that explains what data you collect and why, with genuine opt-in controls for non-essential cookies
Publish a cookie policy - Maintain a detailed cookie policy listing each cookie by name, purpose, duration, and provider
Block non-essential cookies before consent - Use script blocking to prevent non-essential cookies from firing until the visitor grants permission
Honour consent choices - Store and respect user preferences across sessions
Review third-party scripts - Check that embedded tools from Google Analytics, Meta, or other providers do not set tracking cookies before consent is given
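The audit, categorisation and pre-consent steps above can be checked mechanically. The following is an added example, not code from this article's publisher: it takes a snapshot of the cookies present after a first page load with no banner interaction and produces cookie-policy rows, flagging anything that is not strictly necessary. The category map, the jar record format and the `.example` hostnames are assumptions made for illustration.

```javascript
// Added example. The category map is an assumption built from the cookie names
// this article mentions; extend it from your own cookie inventory.
const CATEGORIES = new Map([
  ['PHPSESSID', 'strictly necessary'], ['pll_language', 'strictly necessary'],
  ['_ga', 'analytics'], ['_fbp', 'marketing'], ['_gcl_au', 'marketing'],
]);

// Exact name first, then suffixed variants such as _ga_<container id>.
// Unknown cookies stay 'uncategorised' and are treated as needing consent.
function categorise(name) {
  if (CATEGORIES.has(name)) return CATEGORIES.get(name);
  for (const [known, cat] of CATEGORIES) {
    if (name.startsWith(known + '_')) return cat;
  }
  return 'uncategorised';
}

// A cookie is first party when the site host domain-matches the cookie's Domain.
function provider(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith('.' + d) ? 'first party' : 'third party';
}

// jar: cookies present after the first page load, before any banner interaction.
// Returns one cookie-policy row per cookie; preConsentIssue marks what to block.
function auditPreConsent(jar, siteHost, nowSec) {
  return jar.map((c) => {
    const category = categorise(c.name);
    const days = c.expires == null ? null : Math.round((c.expires - nowSec) / 86400);
    return {
      name: c.name,
      category,
      provider: provider(c.domain, siteHost),
      duration: days == null ? 'session' : `${days} days`,
      preConsentIssue: category !== 'strictly necessary',
    };
  });
}

// Constructed sample jar (expires = Unix seconds); hosts use the reserved .example TLD.
const NOW = 1700000000;
const SAMPLE_JAR = [
  { name: 'PHPSESSID', domain: 'www.shop.example', expires: null },
  { name: 'pll_language', domain: '.shop.example', expires: NOW + 365 * 86400 },
  { name: '_ga_ABC123', domain: '.shop.example', expires: NOW + 730 * 86400 },
  { name: '_fbp', domain: '.shop.example', expires: NOW + 90 * 86400 },
  { name: 'uid', domain: '.ads.example', expires: NOW + 30 * 86400 },
];
console.table(auditPreConsent(SAMPLE_JAR, 'www.shop.example', NOW));
```

Any row with `preConsentIssue` set means a script fired before the visitor made a choice; uncategorised cookies are flagged deliberately so that new third-party tags cannot slip through unreviewed.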
Regional Context: Privacy Laws Across South and Southeast Asia
Nepal's privacy framework sits within a region where data protection legislation varies widely. India's DPDPA establishes a more detailed consent regime with a dedicated Data Protection Board. Bangladesh currently lacks a comprehensive data protection statute, putting it in a similar position to Nepal's pre-2018 status.
Across Southeast Asia, countries like Thailand and Indonesia have enacted modern data protection laws with clearer online consent requirements. Pakistan is still developing its framework. The trend across the region is toward stronger data protection rules, and Nepal's proposed 2082 Act fits this pattern.
If your website serves visitors across multiple Asian jurisdictions, a single consent management approach that meets the strictest applicable standard will save you from maintaining separate configurations per country.
Frequently Asked Questions
Does Nepal have a cookie consent law?
Nepal does not have a law that specifically addresses cookies. The Individual Privacy Act 2018 requires consent before collecting personal information, which can include data gathered through cookies, but there is no equivalent to the EU's ePrivacy Directive.
What happens if I collect personal data from Nepali users without consent?
Under the Privacy Act 2018, violations can result in imprisonment of up to three years, fines of up to NPR 30,000, or both. The affected individual must file a complaint at the District Court within three months.
Do I need a cookie banner for a website targeting Nepal?
While not strictly required by Nepali law for all cookies, a cookie banner is recommended if your site collects personal data through cookies. It also prepares your site for the stricter rules expected under the Digital Privacy and Data Protection Act 2082.
Does Nepal have a data protection authority?
Not currently. The Privacy Act 2018 did not establish a dedicated regulator. The proposed Digital Privacy and Data Protection Act 2082 plans to create a Data Protection Board, but it is not yet operational.
How does Nepal's privacy law compare to the GDPR?
Nepal's Privacy Act 2018 is significantly narrower than the GDPR. It lacks cookie-specific rules, has lower penalties, offers fewer data subject rights, and has no independent supervisory authority. The GDPR also applies extraterritorially, while Nepal's law is limited to entities within Nepal.
Should I comply with GDPR if my website is based in Nepal?
If your website targets or monitors individuals in the EU, you must comply with the GDPR regardless of where your business is based. Running a geo-targeted consent banner allows you to apply GDPR-level protections for European visitors while following local rules elsewhere.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.