Pakistan's Data Protection Landscape in 2026
Pakistan does not yet have a comprehensive data protection statute. The Personal Data Protection Bill (PDPB) has been circulating in various drafts since 2018, with the most recent version - the Personal Data Protection Bill 2023 - approved by the federal cabinet but still awaiting parliamentary passage as of early 2026.
That gap matters for website operators. Without a dedicated law, cookie consent obligations in Pakistan remain indirect, drawn from scattered provisions in the Prevention of Electronic Crimes Act 2016 (PECA) and constitutional privacy rights under Article 14 of the Constitution of Pakistan. For sites that also serve visitors in the EU, UK, or other regulated jurisdictions, the requirements of those laws apply regardless of where the business is based.
The practical result: compliance-minded site owners should not wait for the PDPB to pass before addressing how their websites collect and process personal data through cookies.
The Prevention of Electronic Crimes Act 2016 (PECA)
PECA is Pakistan's primary cybercrime legislation. It was not designed as a data protection framework, but several provisions touch on personal data handling.
Section 3 criminalises unauthorised access to information systems. Section 4 addresses unauthorised copying or transmission of data, carrying penalties of up to six months imprisonment or a fine of up to PKR 100,000. Section 37 prohibits the disclosure of personal information obtained during the provision of services under a lawful contract without the data subject's consent, where such disclosure causes or is likely to cause harm.
These provisions create a baseline. If your website collects personal data through cookies and shares that data with third parties without user awareness, you could fall foul of PECA - particularly Section 37.
Enforcement sits with the Federal Investigation Agency (FIA), specifically its Cyber Crime Wing. Complaints about unauthorised data access or transmission are handled through this channel.
The Personal Data Protection Bill 2023
The PDPB 2023, drafted by the Ministry of Information Technology and Telecommunication (MoITT), represents Pakistan's most developed attempt at standalone data protection legislation. While not yet enacted, its provisions signal the direction of future regulation.
Key Provisions Relevant to Cookies
The bill requires data controllers to obtain consent before processing personal data. It defines consent broadly, requiring it to be free, specific, informed, and unambiguous - language closely mirroring the GDPR. Data controllers must provide clear notices about what data is collected, the purpose of collection, retention periods, and third-party sharing.
The PDPB also introduces rights for data subjects: access, correction, erasure, and the right to prevent processing likely to cause damage. A proposed National Commission for Personal Data Protection (NCPDP) would oversee enforcement, with powers to investigate violations, conduct audits, and impose fines of up to USD 2 million or 1% of annual gross revenue in Pakistan, whichever is higher.
Sensitive data receives heightened protection, including categories such as health data, biometric data, and financial information. The bill also proposes mandatory parental consent for processing children's data.
Government Exemptions
A significant caveat: the PDPB exempts processing by federal, provincial, and local government bodies and carves out broad exceptions for national security and public interest. This has drawn criticism from privacy advocates and international organisations.
Do Pakistani Websites Need Cookie Consent?
Under current law, there is no explicit cookie consent requirement in Pakistan equivalent to Article 5(3) of the ePrivacy Directive in Europe. PECA does not mention cookies specifically.
That said, three situations create practical consent obligations:
PECA Section 37 - if cookies collect personal information that is later disclosed to third parties without user consent, and that disclosure causes harm, liability can arise.
The PDPB (when enacted) - will require consent for processing personal data, which includes data collected via cookies such as
_ga,_fbp, or any cookie that stores a unique identifier tied to a user.Extraterritorial laws - if your Pakistani website has visitors from the EU, UK, Brazil, Canada, or US states with privacy laws, those jurisdictions' rules apply to those users. The GDPR's territorial scope covers any site that offers goods or services to EU residents or monitors their behaviour.
How Pakistan Compares to GDPR
The table below highlights the main differences between Pakistan's current and proposed framework and the EU's GDPR.
| Requirement | Pakistan (Current) | Pakistan (PDPB 2023) | EU GDPR |
|---|---|---|---|
| Dedicated data protection law | No | Pending | Yes |
| Explicit cookie consent rule | No | Implied through consent provisions | Yes (ePrivacy Directive) |
| Consent standard | Not defined for cookies | Free, specific, informed, unambiguous | Free, specific, informed, unambiguous |
| Data protection authority | FIA (limited scope) | NCPDP (proposed) | National DPAs (e.g., CNIL, ICO) |
| Maximum fines | PKR 100,000 under PECA | USD 2 million or 1% revenue | EUR 20 million or 4% revenue |
| Data subject rights | Limited | Access, correction, erasure, objection | Full suite under Articles 15-22 |
| Government exemptions | Yes (broad) | Yes (broad) | Limited, proportionate |
| Cross-border transfer rules | None | Restrictive with localisation requirements | Adequacy decisions, SCCs, BCRs |
The PDPB borrows heavily from GDPR principles but weakens them in practice through its government exemptions and lower penalty ceiling.
Practical Compliance Checklist for Pakistani Websites
Even without a fully enacted law, applying good data protection practices now reduces risk and positions your site for compliance once the PDPB passes.
Step 1: Audit Your Cookies
Run a cookie scan to identify every cookie your site sets. Pay attention to third-party cookies from analytics platforms, advertising networks, and embedded content. Tools like Kukie.io's cookie scanner detect and categorise cookies automatically.
Step 2: Implement a Cookie Banner
Display a clear cookie banner that explains what cookies your site uses and why. Offer visitors the ability to accept or reject non-essential cookies before those cookies are set. This approach satisfies the PDPB's anticipated consent requirements and already meets the standards of extraterritorial laws like the GDPR and CCPA.
Step 3: Draft a Cookie Policy
Publish a cookie policy that lists each cookie by name, its purpose, duration, and whether it is first-party or third-party. This transparency aligns with the PDPB's notice requirements and PECA's expectation that users are informed about data collection.
Step 4: Block Non-Essential Cookies Before Consent
Ensure analytics and marketing cookies - such as _ga, _gid, _fbp, and fr - do not fire until the user grants consent. Conditional script loading handles this technically.
Step 5: Keep Records
Store consent records that capture what each user agreed to, when, and which version of your policy was active. This evidence protects your organisation if a complaint is raised with the FIA or, once established, the NCPDP.
The Role of the Ministry of IT and MoITT
The Ministry of Information Technology and Telecommunication (MoITT) is the federal body responsible for Pakistan's data protection policy. It drafted the PDPB 2023, coordinated stakeholder consultations, and will oversee the establishment of the NCPDP if the bill passes.
The MoITT also administers PECA-related policy and works with the FIA on cybercrime enforcement. For website operators, MoITT publications and draft rules are the primary source for understanding upcoming obligations.
Amendments to PECA in 2025 inserted Section 26A, criminalising the intentional spread of false information with penalties of up to three years imprisonment and fines up to PKR 2 million. While not directly about cookies, this signals an increasingly active regulatory environment around digital conduct in Pakistan.
What Happens If Your Site Serves International Visitors
A website hosted in Pakistan that attracts visitors from the EU, UK, or other regulated markets must comply with those jurisdictions' cookie consent laws. The GDPR applies when a site targets EU residents. The UK GDPR and PECR apply to UK visitors. Brazil's LGPD and Canada's PIPEDA have their own extraterritorial reach.
Geo-targeted consent banners solve this. By detecting the visitor's location and applying the correct consent rules for their jurisdiction, your site remains compliant without showing unnecessary prompts to visitors in unregulated regions.
Frequently Asked Questions
Does Pakistan have a cookie consent law?
Pakistan does not have a specific cookie consent law. The Personal Data Protection Bill 2023 includes consent provisions that would apply to cookie-based data collection, but it has not yet been enacted. PECA 2016 provides limited protections around unauthorised data disclosure.
What is the Personal Data Protection Bill 2023 in Pakistan?
The PDPB 2023 is draft legislation prepared by the Ministry of IT and Telecommunication. It would create a National Commission for Personal Data Protection, require informed consent for data processing, and introduce fines of up to USD 2 million for violations. It is still pending parliamentary approval.
Can Pakistani websites be fined for not having a cookie banner?
Under current Pakistani law, there is no specific fine for lacking a cookie banner. If your site serves EU or UK visitors, those jurisdictions can impose fines under the GDPR or UK GDPR for non-compliance with cookie consent rules.
Do I need cookie consent if my website only targets Pakistan?
Strictly under current law, no explicit cookie consent requirement exists. Implementing one is still recommended as a best practice. The PDPB, once passed, will require consent for processing personal data collected through cookies.
What is PECA 2016 and how does it affect website cookies?
The Prevention of Electronic Crimes Act 2016 is Pakistan's cybercrime law. It does not address cookies directly, but Section 37 prohibits disclosing personal information obtained during service provision without consent where such disclosure causes harm.
Which authority enforces data protection in Pakistan?
Currently, the Federal Investigation Agency's Cyber Crime Wing handles complaints under PECA 2016. The proposed PDPB 2023 would establish a National Commission for Personal Data Protection as the dedicated supervisory authority.
Prepare Your Website for Pakistan's Data Protection Rules
Pakistan's data protection framework is incomplete but moving forward. Putting cookie consent mechanisms in place now means your site will be ready when the PDPB becomes law - and already compliant for any international visitors covered by the GDPR, CCPA, or other regulations.
