Sudan Has No Dedicated Data Protection Law
Sudan does not have a standalone data protection statute. Unlike neighbouring Kenya, which enacted its Data Protection Act in 2019, or Nigeria, which enforces the Nigeria Data Protection Regulation, Sudan relies on a patchwork of sectoral legislation and constitutional provisions to address privacy.
A Draft Data Protection Bill was proposed in 2018 to cover the collection, storage, processing, and sharing of personal information. That bill has not progressed into law. The ongoing political instability since 2019 has stalled most legislative reform, and no timeline exists for its revival.
For website owners, this means there is no single Sudanese law that explicitly requires a cookie banner or defines how cookies must be handled. That does not mean you can ignore privacy altogether.
Constitutional Privacy Protections
Article 37 of the Sudanese Constitution states that the privacy of all persons is inviolable, and that no person shall be subjected to interference with private life, family, home, or correspondence except in accordance with the law. This provision mirrors language found in the Universal Declaration of Human Rights and establishes a baseline right to privacy.
Cookies that collect personal identifiers - such as IP addresses, device fingerprints, or location data - may engage this constitutional right. While no court in Sudan has tested this principle against website tracking, the constitutional text sets a broad expectation of privacy that prudent website owners should respect.
The Cybercrime Act 2007 and Related Legislation
Three pieces of legislation form the closest thing Sudan has to data-related regulation:
Cybercrime Act 2007 - criminalises unauthorised access to computer systems and data interception
Electronic Transactions Act 2007 - governs electronic contracts and transactions; Article 28 punishes disclosure of encrypted data to unauthorised parties with up to ten years' imprisonment
Cybercrime Prevention (Amendment) Act 2020 - broadens the scope of cyber offences and tightens penalties
None of these laws mention cookies by name. They focus on criminal conduct - hacking, interception, and fraud - rather than on the everyday data collection that analytics or marketing cookies perform. Still, collecting data without any transparency could, in theory, be framed as unauthorised access to personal information under a broad reading of the Cybercrime Act.
What "Personal Data" Means in Practice
Sudanese law does not define "personal data" in the way that the GDPR does. There is no statutory list of identifiers, no distinction between personal and sensitive data, and no data protection authority to issue guidance. Website owners must rely on international standards when deciding what constitutes personal data on their sites.
The Malabo Convention and Its Relevance
Sudan signed the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on 15 March 2023. The convention entered into force on 8 June 2023 after receiving 15 ratifications.
Sudan has not ratified the convention. Signing indicates political intent but does not create binding legal obligations. If Sudan ratifies in the future, the Malabo Convention would require the country to adopt a legal framework covering the collection, processing, storage, and transfer of personal data - including data collected through cookies.
Neighbouring Egypt and Ethiopia face similar questions about Malabo ratification, though both have made more progress on standalone data protection legislation.
Why Cookie Consent Still Matters for Sudanese Websites
The absence of a local cookie law does not eliminate the need for a cookie banner. Three practical reasons apply.
Extraterritorial reach of foreign laws. If your website is accessible to visitors from the EU, the GDPR cookie consent requirements apply under Article 3(2) when you monitor or offer goods and services to those individuals. The same logic applies to the UK GDPR, Brazil's LGPD, and South Africa's POPIA.
Third-party service terms. Google requires websites using Google Analytics or Google Ads to obtain end-user consent before setting _ga, _gid, or advertising cookies. If you use Google Consent Mode v2, a functional consent mechanism is a prerequisite.
User trust. Sudanese internet users are increasingly aware of how their data is used. A transparent cookie notice builds trust, reduces bounce rates, and signals professionalism.
Sudan vs. GDPR: A Comparison
| Requirement | Sudan (Current) | EU (GDPR + ePrivacy) |
|---|---|---|
| Dedicated data protection law | None (draft proposed 2018) | GDPR (2018), ePrivacy Directive (2002) |
| Definition of personal data | Not defined in statute | Broad definition in Article 4(1) GDPR |
| Cookie consent required | No explicit requirement | Prior opt-in consent for non-essential cookies |
| Data protection authority | None | National DPAs in each member state |
| Data breach notification | No requirement | 72-hour notification to DPA under Article 33 |
| Cross-border transfer rules | None | Adequacy decisions, SCCs, BCRs |
| Fines for non-compliance | Criminal penalties under Cybercrime Act only | Up to 20 million EUR or 4% of global turnover |
| Malabo Convention status | Signed (2023), not ratified | Not applicable |
Compliance Checklist for Website Owners Targeting Sudan
Even without a Sudanese cookie law, the following steps protect your website and your visitors:
Audit your cookies. Run a cookie scan to identify every cookie and tracker on your site, including
_fbp,PHPSESSID, and any third-party scripts.Categorise cookies correctly. Separate strictly necessary cookies from analytics, functional, and marketing cookies.
Display a cookie banner. Use a consent banner that loads before non-essential cookies fire. This protects you under GDPR, LGPD, and POPIA if your site reaches visitors in those jurisdictions.
Publish a cookie policy. List every cookie by name, its purpose, its provider, and its expiry. Link to the policy from your banner.
Block scripts before consent. Ensure that
_ga, Meta Pixel, and other tracking scripts do not execute until the visitor has given consent.Respect refusals. If a visitor declines non-essential cookies, no tracking cookies should be set.
Use geo-detection. If your primary audience is in Sudan and you do not target the EU, you may choose a simpler notice-based approach for Sudanese visitors while enforcing strict opt-in for European visitors.
Review regularly. Monitor the progress of Sudan's Draft Data Protection Bill and the potential ratification of the Malabo Convention. When new legislation passes, update your consent mechanism promptly.
What Happens When Sudan Enacts a Data Protection Law
The 2018 Draft Data Protection Bill, if revived and passed, would likely introduce definitions for personal data, establish a regulatory authority, set rules for data processing and consent, and create penalties for non-compliance. Given the trend across Africa - with Kenya, Nigeria, Uganda, and Tanzania all enacting data protection laws in recent years - Sudan will eventually follow.
Ratification of the Malabo Convention would accelerate this process. The convention requires signatory states to establish independent data protection authorities and adopt legislation consistent with its principles.
Website owners who implement cookie consent now will have far less work to do when new Sudanese legislation arrives.
Frequently Asked Questions
Does Sudan require cookie consent on websites?
Sudan has no law that explicitly requires cookie consent. There is no dedicated data protection statute and no regulatory authority that enforces cookie rules. If your site also reaches visitors in the EU, UK, Brazil, or South Africa, those jurisdictions' laws still apply.
Is there a data protection authority in Sudan?
No. Sudan does not have a data protection authority. The 2018 Draft Data Protection Bill proposed establishing one, but the bill has not been enacted. Cybercrime matters fall under the general criminal justice system.
Does the GDPR apply to websites based in Sudan?
The GDPR can apply to any website, regardless of where it is based, if it offers goods or services to individuals in the EU or monitors their behaviour. A Sudanese website with EU visitors may need to comply with GDPR cookie consent requirements.
What is the Malabo Convention and has Sudan ratified it?
The Malabo Convention is the African Union Convention on Cyber Security and Personal Data Protection, adopted in 2014. Sudan signed it in March 2023 but has not ratified it. Ratification would require Sudan to adopt comprehensive data protection legislation.
What cookies need consent on a Sudanese website?
Under Sudanese law alone, no specific cookies require consent. Best practice - and the standard required by most international laws - is to obtain consent before setting analytics cookies like _ga, marketing cookies like _fbp, and any other non-essential tracking cookies.
Should I use a cookie banner if my website only targets Sudan?
A cookie banner is still recommended. It builds trust with visitors, satisfies the terms of third-party services like Google Analytics, and prepares your site for future Sudanese data protection legislation.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
