Nigeria's Data Protection Framework: From NDPR to NDPA

Nigeria signed its first comprehensive data protection law on 12 June 2023. The Nigeria Data Protection Act (NDPA) replaced the earlier Nigeria Data Protection Regulation (NDPR) of 2019, elevating data privacy from a regulatory instrument to a full Act of Parliament.

The NDPA is enforced by the Nigeria Data Protection Commission (NDPC), an independent body headed by National Commissioner Dr Vincent Olatunji. The NDPC has the power to investigate complaints, conduct audits, issue compliance notices, and impose financial penalties. Its official website is ndpc.gov.ng.

For website owners, the practical rules around cookies and tracking technologies sit inside the NDPC's General Application and Implementation Directive (GAID) 2025, which became operational on 19 September 2025. The GAID spells out exactly how cookie banners must behave on sites that process data from Nigerian users.

Who Must Comply with the NDPA?

The NDPA applies to any organisation - Nigerian or foreign - that processes the personal data of individuals located in Nigeria. Section 2 of the Act sets out an extraterritorial scope similar to the GDPR's.

If your website uses analytics cookies, advertising pixels, or session trackers and receives traffic from Nigeria, the NDPA applies to you. The test is not where your servers sit but where your users are.

How the NDPA Defines Lawful Processing

The NDPA recognises six lawful bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. This mirrors the GDPR's approach under Article 6.

For cookies, though, consent is the primary lawful basis. The GAID 2025 makes clear that all non-essential cookies require opt-in consent before they are set on a visitor's device.

Strictly necessary cookies that enable core functions such as security, session management, or accessibility do not require consent, provided they do not process sensitive or financial data.

Cookie Banner Rules Under the GAID 2025

Article 19 of the GAID sets out specific requirements for cookie banners on websites and digital platforms serving Nigerian users. The rules are more prescriptive than many website owners expect.

Banner Placement and Visibility

The GAID states that a cookie banner must be conspicuous and appear in the first visible section of the page. The directive explicitly discourages placing banners at the bottom of the screen where visitors might overlook them. This is stricter than most European DPA guidance on cookie banner placement.

Required Information

Your banner must explain what cookies are used and why, identify the organisation deploying or managing the cookies, and describe how users can withdraw consent at any time.

Accept and Reject Options

The GAID requires that visitors be presented with a specific selection of "yes or no" (or "accept" / "reject") options. Pre-ticked boxes, implied consent through continued browsing, and silence or inactivity do not constitute valid consent. These provisions align with the EU's stance against dark patterns in cookie banners.

Consent Withdrawal

Section 35 of the NDPA gives data subjects the right to withdraw consent at any time. The process for withdrawal must be as easy as the process for giving consent.

NDPA vs GDPR: Key Differences for Cookie Compliance

Website owners already familiar with the GDPR's cookie rules will find the NDPA conceptually similar but with notable differences in detail.

| Requirement | GDPR / ePrivacy Directive | NDPA / GAID 2025 |
|---|---|---|
| Consent standard | Freely given, specific, informed, unambiguous | Freely given, informed, specific (same standard) |
| Banner placement | No fixed position mandated by most DPAs | Must be in the first visible section of the page |
| Reject option | Required (equal prominence per EDPB/CNIL) | Required - explicit "yes or no" selection |
| Strictly necessary exemption | Yes - no consent needed | Yes - but must not process sensitive or financial data |
| Maximum penalty | Up to 20 million EUR or 4% of global turnover | Up to 10 million NGN or 2% of annual gross revenue |
| Supervisory authority | National DPAs (CNIL, ICO, etc.) | NDPC (Nigeria Data Protection Commission) |
| Extraterritorial scope | Yes - applies to non-EU processors | Yes - applies to non-Nigerian processors |

The penalty ceiling is lower than the GDPR's, but enforcement is accelerating. The NDPC issued compliance notices to over 1,300 organisations in August 2025 and collected billions of naira in combined registration fees and fines throughout 2025.

Enforcement: What the NDPC Has Done So Far

The NDPC moved from an advisory posture to active enforcement in 2024 and 2025. Multichoice Nigeria was fined 766.2 million NGN for failing to obtain user consent and illegally transferring personal data outside the country. A separate action against Meta Platforms resulted in a $220 million fine.

In early 2025, the NDPC publicly stated it would begin issuing heavy penalties. By February 2026, the Commission confirmed it had collected 7.2 billion NGN from registrations, compliance revenue, and fines combined.

The August 2025 compliance notice gave 1,368 organisations a 21-day window to demonstrate compliance. Organisations that failed to respond faced investigation and potential sanctions. This signals that the NDPC is not limiting enforcement to large multinationals.

Practical Compliance Checklist for Your Website

Use this checklist to bring your site in line with the NDPA and GAID 2025 requirements.

  • Audit your cookies - run a cookie scan to identify every cookie and tracker on your site, including third-party scripts like _ga, _fbp, and _gid.

  • Categorise cookies correctly - separate strictly necessary cookies (e.g. PHPSESSID) from analytics, marketing, and functional cookies. See the Kukie.io cookie categories guide for details.

  • Display a compliant banner - place it in the first visible section of the page with clear accept and reject buttons.

  • Block non-essential cookies before consent - scripts like Google Analytics and Meta Pixel must not fire until the visitor opts in.

  • Provide a withdrawal mechanism - let visitors change their preferences at any time through a persistent settings link.

  • Publish a cookie notice - your cookie policy must state what cookies you use, their purpose, the deploying organisation, and how to withdraw consent.

  • Keep records - the NDPA places the burden of proof on data controllers to demonstrate that valid consent was obtained.

  • Register with the NDPC - data controllers of major importance (those processing the data of more than a prescribed threshold of data subjects) must register with the Commission and file annual compliance audits.
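
The categorise, block-before-consent, withdrawal and record-keeping steps above can be checked with a small consent gate. The sketch below is an added example, not Kukie.io's code or text from the GAID; the category map, the signal names and the sample headers are assumptions constructed for illustration.

```javascript
// Added example, not Kukie.io code. Categories are assumed from the cookie
// names this page mentions; extend the map from your own cookie scan.
const CATEGORY = new Map([
  ["PHPSESSID", "necessary"],
  ["_ga", "analytics"],
  ["_gid", "analytics"],
  ["_fbp", "marketing"],
]);

// Constructed sample: Set-Cookie values seen on a first page load.
const SAMPLE_HEADERS = [
  "PHPSESSID=k3j2h1; Path=/; HttpOnly; Secure",
  "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
  "_fbp=fb.1.1700000000.333; Path=/",
  "promo_seen=1; Path=/",
];

// Default state: every non-essential category is off until the visitor opts in.
function newConsent() {
  return { analytics: false, marketing: false, log: [] };
}

// Only an explicit click grants consent. Pre-ticked boxes, continued browsing
// and inactivity are logged but never switch a category on. A withdrawal is
// always applied, so opting out is never harder than opting in.
function recordChoice(consent, category, granted, signal, when) {
  const applied = !granted || signal === "explicit_click";
  if (applied) consent[category] = granted;
  consent.log.push({ category, granted, signal, applied, when }); // proof of consent
  return consent;
}

// Strictly necessary cookies always pass; unknown cookies are blocked.
function mayLoad(consent, cookieName) {
  const category = CATEGORY.get(cookieName) || "unknown";
  return category === "necessary" || consent[category] === true;
}

// Return the cookie names that were set without a matching opt-in.
function auditSetCookies(headers, consent) {
  return headers
    .map((h) => h.split(";")[0].split("=")[0].trim())
    .filter((name) => !mayLoad(consent, name));
}
```

Running `auditSetCookies(SAMPLE_HEADERS, newConsent())` lists every cookie that fired before any choice was made, including the uncategorised `promo_seen`, which is blocked until it has been assigned a category.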

How Nigeria Fits Into the African Privacy Landscape

Nigeria is not the only African country tightening its data protection rules. South Africa's POPIA, Kenya's Data Protection Act 2019, and Ghana's Data Protection Act 2012 all impose consent-based obligations on cookie use. If your website serves audiences across the continent, a single, well-configured consent management platform with geo-detection can handle varying requirements per jurisdiction.

Frequently Asked Questions

Does the NDPA apply to websites based outside Nigeria?

Yes. The NDPA has extraterritorial scope. Any organisation processing personal data of individuals in Nigeria must comply, regardless of where the organisation is incorporated or where its servers are located.

Are analytics cookies like Google Analytics exempt from consent in Nigeria?

No. Only strictly necessary cookies are exempt. Analytics cookies such as _ga and _gid require opt-in consent before they are placed on a visitor's device.

Where must I place my cookie banner under the GAID 2025?

The GAID requires the banner to appear in the first visible section of the web page. Placing it at the bottom of the screen is explicitly discouraged by the NDPC.

What fines can the NDPC impose for non-compliance?

Penalties can reach up to 10 million NGN or 2% of annual gross revenue, whichever is higher. The NDPC has already issued fines in the hundreds of millions of naira against major companies.

Do I need to register with the NDPC as a data controller?

Data controllers of major importance - those processing personal data above a prescribed threshold - must register with the NDPC and submit annual compliance audits. Smaller operators should still comply with the consent and transparency requirements of the NDPA.

Is the NDPA the same as the NDPR?

No. The NDPR was a regulation issued in 2019 by NITDA. The NDPA, signed into law on 12 June 2023, replaced the NDPR and elevated Nigeria's data protection framework to a full Act of Parliament with stronger enforcement provisions.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
