The PDPL and How It Applies to Cookies
Saudi Arabia's Personal Data Protection Law (PDPL) came into force on 14 September 2023, with a one-year grace period that ended in September 2024. The law is now fully enforceable, and the Saudi Data and Artificial Intelligence Authority (SDAIA) has already begun issuing penalties.
The PDPL does not mention cookies by name. It does not need to. Cookies that collect or process personal data - IP addresses, device identifiers, browsing behaviour, location data - fall squarely within its scope. If your website sets tracking or advertising cookies for visitors in Saudi Arabia, you need cookie consent before those cookies load.
This matters even if your business is based outside the Kingdom. The PDPL has extraterritorial reach, applying to any organisation that processes the personal data of individuals residing in Saudi Arabia.
Who Enforces the PDPL: SDAIA and NDMO
SDAIA acts as the competent authority for the first two years after the PDPL took effect. After that period, enforcement responsibility may transfer to the National Data Management Office (NDMO). In practice, SDAIA's specialised committees have already been active. Over the past year, SDAIA issued 48 enforcement decisions against organisations found in violation of the PDPL, covering unlawful data collection, insufficient security controls, and sending marketing messages without prior consent.
The message is clear: enforcement is real, not theoretical.
Consent Under the PDPL: Article 5 Rules
Article 5 of the PDPL establishes consent as the primary legal basis for processing personal data. Unlike the GDPR, which offers six co-equal legal bases, the PDPL treats consent as the rule and other bases as narrow exceptions. This distinction has direct consequences for cookie compliance.
For consent to be valid under the PDPL, it must be:
- Freely given, without coercion or bundling
- Specific to the stated purpose of processing
- Informed, meaning the data subject understands what data is collected and why
- Revocable at any time through a mechanism at least as easy as the one used to give consent
Article 6 lists limited exceptions where consent is not required - for example, when processing is necessary for a previous agreement or when required by another law. None of these exceptions cover analytics or advertising cookies. If you set _ga, _fbp, or similar tracking cookies, you need consent first.
What Cookie Consent Looks Like in Practice
A compliant cookie banner for Saudi visitors should do four things.
First, it must block non-essential cookies until the visitor actively consents. Pre-ticked boxes or implied consent through continued browsing do not satisfy the PDPL's requirements. Second, it must clearly explain what categories of cookies your site uses and their purposes. Third, it must allow visitors to reject non-essential cookies while still accessing the site - cookie walls that force acceptance are not compatible with freely given consent. Fourth, it must provide an equally simple way to withdraw consent later.
Strictly necessary cookies - such as PHPSESSID for session management or pll_language for language preferences - do not require consent because they are needed for the website to function.
Recording and Storing Consent
The PDPL requires you to demonstrate compliance during audits. This means keeping records of when each visitor consented, what they consented to, and which version of your cookie policy was active at the time. A consent management platform that logs these details automatically removes much of the administrative burden.
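The four banner behaviours from the previous section (block until an active choice, categorise, allow rejection, make withdrawal as easy as consent) and the audit log described here, as an added example that is not code from the page or from Kukie.io. It is plain JavaScript that runs in Node; only the `injectScript` helper touches the browser DOM. The `ConsentManager` API, the cookie categorisation table and the `COOKIE_POLICY_VERSION` value are constructed for the example; the cookie names are the ones the article mentions.

```javascript
"use strict";

// Cookie policy version recorded with every consent decision (constructed placeholder).
const COOKIE_POLICY_VERSION = "policy-v1";

// Constructed categorisation of the cookies the article names. On a real site this
// table is the output of your cookie scan, kept current as scripts change.
const COOKIE_REGISTRY = {
  PHPSESSID:    { category: "necessary", purpose: "Session management" },
  pll_language: { category: "necessary", purpose: "Language preference" },
  _ga:          { category: "analytics", purpose: "Google Analytics visitor measurement" },
  _fbp:         { category: "marketing", purpose: "Facebook Pixel advertising" },
};

class ConsentManager {
  // `now` is injectable so audit records are reproducible in tests;
  // `log` is the append-only record store (an array here, a database in production).
  constructor({ now = () => new Date(), log = [] } = {}) {
    this.now = now;
    this.log = log;
    this.granted = new Set(); // categories with a current, explicit grant
    this.decided = false;     // false until the visitor has made an active choice
  }

  // Nothing is granted until the visitor actively chooses (no pre-ticked boxes,
  // no "consent by scrolling"). "necessary" is not a consent category, so it is ignored.
  accept(categories) {
    this.granted = new Set(categories.filter((c) => c !== "necessary"));
    this.decided = true;
    this.record("accept");
  }

  // Rejecting is one call, the same effort as accepting, and does not block site access.
  rejectAll() {
    this.granted = new Set();
    this.decided = true;
    this.record("reject");
  }

  // Withdrawal is likewise a single call.
  withdraw() {
    this.granted = new Set();
    this.record("withdraw");
  }

  // The gate: strictly necessary cookies load unconditionally; anything else needs a
  // current grant for its category. Unknown cookies are blocked, the safe default
  // until they have been categorised.
  mayLoad(cookieName) {
    const entry = COOKIE_REGISTRY[cookieName];
    if (!entry) return false;
    if (entry.category === "necessary") return true;
    return this.granted.has(entry.category);
  }

  // Audit record: when, which action, which categories, under which policy version.
  record(action) {
    this.log.push({
      timestamp: this.now().toISOString(),
      action,
      categories: [...this.granted].sort(),
      policyVersion: COOKIE_POLICY_VERSION,
    });
  }
}

// Run a third-party tag loader only once the cookie it sets is allowed.
// Returns true if the loader ran, false if it was blocked.
function loadIfConsented(manager, cookieName, loader) {
  if (!manager.mayLoad(cookieName)) return false;
  loader();
  return true;
}

// Browser-side loader for a gated script (not exercised in the Node walk-through).
function injectScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// One visit end to end: page load before any choice, accept analytics only, then withdraw.
function walkthrough(now = () => new Date()) {
  const cm = new ConsentManager({ now });
  const loaded = [];
  const tryLoad = (name) => loadIfConsented(cm, name, () => loaded.push(name));

  // Page load, no choice yet: only strictly necessary cookies may be set.
  ["PHPSESSID", "pll_language", "_ga", "_fbp"].forEach(tryLoad);

  // Visitor ticks only "analytics" in the banner: _ga may now load, _fbp still may not.
  cm.accept(["analytics"]);
  ["_ga", "_fbp"].forEach(tryLoad);

  // Visitor withdraws later; subsequent page views must not set _ga again.
  cm.withdraw();
  tryLoad("_ga");

  return { loaded, log: cm.log };
}
```

In a browser you would wire `accept`, `rejectAll` and `withdraw` to the banner and preference-centre buttons, persist the `granted` set in a first-party cookie so the gate survives page loads, and call `loadIfConsented(cm, "_ga", () => injectScript(...))` for each tag. The log entries are the records an auditor will ask for: the timestamp, the decision, the categories covered and the policy version in force.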
Penalties for Non-Compliance
The PDPL sets out a tiered penalty structure depending on the severity of the violation.
| Violation Type | Maximum Fine | Other Penalties |
|---|---|---|
| General PDPL violations | SAR 5 million (approx. USD 1.3 million) | Warning notice |
| Disclosing or publishing sensitive personal data | SAR 3 million (approx. USD 800,000) | Up to 2 years imprisonment |
| Transferring data outside Saudi Arabia unlawfully | SAR 5 million (approx. USD 1.3 million) | Warning notice, data processing ban |
Fines can be doubled for repeat offences. SDAIA can also order the destruction of unlawfully collected data and publish the violation decision publicly.
PDPL vs GDPR: Key Differences for Cookie Compliance
If you already comply with the GDPR, you have a head start - but the PDPL is not identical. The table below highlights differences that affect cookie handling.
| Aspect | GDPR (EU) | PDPL (Saudi Arabia) |
|---|---|---|
| Legal bases for processing | Six co-equal bases (Article 6) | Consent as primary basis; exceptions are narrow (Article 5-6) |
| Cookie-specific rules | ePrivacy Directive (Article 5(3)) covers cookies directly | No separate cookie law; PDPL general rules apply |
| Supervisory authority | National DPAs in each member state | SDAIA (transitioning to NDMO) |
| Maximum fine | EUR 20 million or 4% global turnover | SAR 5 million (approx. USD 1.3 million) |
| Extraterritorial scope | Yes | Yes |
| Data Protection Officer | Required in specific cases | Required for entities processing sensitive data or large volumes |
The biggest practical difference is the absence of a separate ePrivacy-style instrument in Saudi Arabia. The PDPL's general consent requirement covers cookies, but there is less granular guidance on cookie categories compared to what European DPAs provide. When in doubt, apply the stricter standard.
Compliance Checklist for Saudi Arabia
Use this checklist to audit your site's cookie practices against PDPL requirements.
- Audit your cookies - Run a cookie scan to identify every cookie your site sets, including those placed by third-party scripts
- Categorise cookies - Separate strictly necessary cookies from analytics, marketing, and functional cookies using a clear categorisation framework
- Implement prior consent - Block non-essential cookies until visitors give explicit consent through your cookie banner
- Provide clear information - Your cookie policy should list each cookie by name, purpose, provider, and retention period
- Enable easy withdrawal - Visitors must be able to change their preferences at any time without difficulty
- Log consent records - Store timestamped proof of each consent decision for audit purposes
- Review cross-border transfers - If cookie data is processed outside Saudi Arabia, ensure you meet the PDPL's transfer requirements
- Use geo-detection - Show PDPL-compliant banners to Saudi visitors while using appropriate rules for visitors from other jurisdictions
Cookies and the Wider Middle Eastern Privacy Picture
Saudi Arabia's PDPL is part of a broader shift across the Middle East towards formal data protection regulation. Egypt enacted its Personal Data Protection Law in 2020, though implementing regulations are still developing. Iran regulates data through ICT-sector rules rather than a comprehensive privacy law. Iraq lacks dedicated data protection legislation but has constitutional privacy provisions. Israel has had privacy protection legislation since 1981, with significant amendments strengthening data subject rights.
For websites serving audiences across the region, a geo-targeted consent strategy is the most practical approach. Configure different consent rules based on visitor location rather than applying a single global standard.
The Turkish KVKK is another regional law worth comparing, given Turkey's geographic proximity and trade links with Gulf states.
Frequently Asked Questions
Does Saudi Arabia's PDPL require cookie consent?
Yes. The PDPL requires consent before processing personal data, which includes data collected through tracking and advertising cookies. Strictly necessary cookies for basic site functionality are exempt.
What is the fine for PDPL non-compliance in Saudi Arabia?
General violations carry fines up to SAR 5 million (approximately USD 1.3 million). Disclosing sensitive personal data can result in fines up to SAR 3 million and up to two years imprisonment.
Does the PDPL apply to websites outside Saudi Arabia?
Yes. The PDPL has extraterritorial scope and applies to any organisation processing personal data of individuals residing in Saudi Arabia, regardless of where the organisation is based.
How is PDPL consent different from GDPR consent?
The PDPL treats consent as the primary legal basis for processing, with other bases as narrow exceptions. The GDPR offers six co-equal legal bases. Both require consent to be freely given, specific, informed, and revocable.
Who enforces the PDPL in Saudi Arabia?
The Saudi Data and Artificial Intelligence Authority (SDAIA) currently enforces the PDPL. Enforcement may transfer to the National Data Management Office (NDMO) after an initial transition period.
Do I need a cookie banner for Saudi Arabian visitors?
If your site sets non-essential cookies and receives visitors from Saudi Arabia, you need a cookie banner that obtains explicit consent before those cookies load. A geo-detection tool can display the correct banner based on visitor location.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.