Tanzania's Personal Data Protection Act 2022
Tanzania passed the Personal Data Protection Act (PDPA) on 27 November 2022, and it came into force on 1 May 2023. The law was supplemented by the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023, which took effect on 4 July 2023.
The PDPA applies to any person or organisation that collects or processes personal data within Tanzania or processes the data of individuals located in Tanzania. If your website attracts visitors from Tanzania and sets cookies that identify them, this law applies to you.
Unlike some African nations still drafting privacy legislation, Tanzania has a fully operational statute with implementing regulations already in place. The framework draws heavily on GDPR principles but includes distinct local requirements around registration, cross-border transfers, and enforcement.
The Personal Data Protection Commission
The PDPA established the Personal Data Protection Commission (PDPC) as the supervisory authority responsible for enforcement. Until the Commission is formally constituted, the Ministry of Information, Communication, and Information Technology handles its functions.
The PDPC has the power to investigate complaints, issue enforcement notices with a minimum 21-day compliance window, impose penalty notices, and direct compensation payments to affected data subjects. It also maintains a register of data controllers and processors operating in Tanzania.
A registration deadline of 30 April 2025 was set for all institutions processing personal data. Failure to register may trigger sanctions.
What the PDPA Says About Cookies
The PDPA contains a direct reference to cookies. The law states that a person cannot use cookies and third-party trackers to process personal data unless the data subject consents or the use is authorised under another written law and the individual was informed at the time of collection.
This means non-essential cookies - such as _ga, _fbp, or any advertising tracker - require prior consent from the visitor before being set. Strictly necessary cookies like PHPSESSID that do not process personal data for tracking purposes may fall outside this requirement, but the line is not always clear.
The PDPA does not differentiate between cookie categories the way the EU's ePrivacy Directive does. Instead, it treats cookies as one mechanism for personal data processing and applies the same consent rules that govern all other forms of collection.
Consent Requirements Under the PDPA
Consent under Tanzania's PDPA must be informed, freely given, specific, and revocable. Data controllers must notify the data subject about the purposes of collection and the intended recipients before processing begins.
The data subject must genuinely understand what they are consenting to. Pre-ticked boxes or implied consent through continued browsing would not meet this standard. The law also requires that withdrawal of consent be as straightforward as giving it.
For cookie banners, this translates to a clear opt-in mechanism. Visitors must be able to accept or reject non-essential cookies before those cookies are placed. A consent management platform that blocks scripts until consent is recorded helps meet this requirement.
Consent records should be retained. The PDPA requires data controllers to demonstrate that valid consent was obtained, making audit trails a practical necessity.
Penalties and Enforcement
The PDPA imposes both administrative and criminal penalties for non-compliance.
| Penalty Type | Applicable To | Maximum Amount |
|---|---|---|
| Administrative fine | Any contravention | TZS 100,000,000 (approx. USD 40,000) |
| Criminal fine (individual) | Unauthorised disclosure | TZS 100,000 - TZS 20,000,000 |
| Criminal fine (company) | Unauthorised disclosure | TZS 1,000,000 - TZS 5,000,000,000 |
| Imprisonment | Unauthorised disclosure | Up to 10 years |
| Compensation | Data subject claims | No statutory ceiling |
Corporate criminal fines can reach TZS 5 billion, which represents a serious financial risk for larger organisations. There is no cap on compensation awards to affected data subjects, adding further exposure.
Public enforcement actions have been limited so far, as the PDPC is still establishing its operational capacity. That is likely to change as the Commission matures and the registration deadline passes.
How Tanzania's PDPA Compares to the GDPR
The PDPA shares several core principles with the GDPR: lawfulness, fairness, transparency, purpose limitation, and data minimisation. Both frameworks require a legal basis for processing, grant data subjects access and correction rights, and mandate breach notification.
Key differences exist, though. The PDPA requires data controllers and processors to register with the PDPC and appoint a Data Protection Officer who must submit quarterly reports. The GDPR has no general registration requirement. Cross-border data transfers under the PDPA require a permit from the Commission, whereas the GDPR uses adequacy decisions and standard contractual clauses.
The PDPA's enforcement fines are significantly lower than GDPR maximums. The GDPR allows fines up to EUR 20 million or 4% of global turnover. Tanzania's administrative cap of TZS 100 million is modest by comparison, though criminal penalties add a dimension the GDPR lacks.
Comparison With Other African Data Protection Laws
Tanzania joins a growing group of African nations with dedicated data protection legislation. Kenya's Data Protection Act 2019 established the Office of the Data Protection Commissioner and imposes fines up to KES 5 million. Nigeria's NDPR framework applies a percentage-of-turnover model for penalties. Uganda's Data Protection Act 2019 similarly requires registration and prior consent for personal data processing.
Ghana's Data Protection Act 2012 was one of the earlier African data protection laws, and South Africa's POPIA remains the most mature framework on the continent. Tanzania's PDPA sits somewhere between these, with strong provisions on paper but enforcement still developing.
For website owners operating across East Africa, the common thread is clear: cookie consent is required in every jurisdiction with a data protection law.
Compliance Checklist for Website Owners
If your website serves visitors in Tanzania, these steps will help you align with the PDPA.
Audit your cookies - Identify every cookie and tracker your site sets. A cookie scanning tool can automate this process and categorise each cookie by purpose.
Display a cookie banner - Present a clear, opt-in consent mechanism before non-essential cookies are placed. The banner must explain what data is collected and why.
Block scripts until consent - Analytics tags, marketing pixels, and social media widgets should not fire until the visitor actively consents.
Provide a withdrawal mechanism - Visitors must be able to change or revoke their consent at any time with the same ease as granting it.
Keep consent records - Store timestamped proof of each consent decision. The PDPA requires controllers to demonstrate valid consent if challenged.
Write a cookie policy - Detail which cookies your site uses, their purpose, duration, and whether third parties receive the data.
Register with the PDPC - If you are a data controller or processor operating in Tanzania, registration with the Commission is mandatory.
Appoint a DPO - The PDPA requires a Data Protection Officer who submits quarterly compliance reports.
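The following added example (not code from the PDPA, the PDPC or any consent platform) shows how the script-blocking, withdrawal and record-keeping steps above fit together as one opt-in gate. The function names, the category list and the `policyVersion` field are hypothetical, and `loadScript` stands in for whatever injects the tag into the page.

```javascript
// Added example: opt-in consent gate. All names here are hypothetical.
const NON_ESSENTIAL = ['analytics', 'marketing'];

// loadScript: callback that injects a tag (in a browser, appending a <script> element).
// now: clock, injectable so consent records can be tested deterministically.
function createConsentGate(loadScript, now = () => new Date().toISOString()) {
  const registered = [];      // non-essential scripts waiting for a decision
  const loaded = new Set();   // sources already handed to loadScript
  const auditLog = [];        // append-only, timestamped consent decisions
  let granted = new Set();    // opt-in: nothing is granted by default

  function flush() {
    for (const { src, category } of registered) {
      if (granted.has(category) && !loaded.has(src)) {
        loaded.add(src);
        loadScript(src);
      }
    }
  }

  function record(action, categories, policyVersion) {
    granted = new Set(categories);
    const entry = { timestamp: now(), action, granted: [...granted], policyVersion };
    auditLog.push(Object.freeze(entry));
    flush();
    return entry;
  }

  return {
    // Register a tag instead of embedding it; it stays blocked until consent covers it.
    register(src, category) {
      if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
      registered.push({ src, category });
      flush();
    },
    // choices: e.g. { analytics: true }. Only an explicit `true` counts as consent.
    decide(choices, policyVersion) {
      const yes = NON_ESSENTIAL.filter((c) => choices[c] === true);
      return record(yes.length ? 'grant' : 'reject', yes, policyVersion);
    },
    // Withdrawal is a single call, as easy as granting. Scripts that already ran
    // cannot be unloaded; the caller should reload the page and expire their cookies.
    withdraw(policyVersion) {
      return record('withdraw', [], policyVersion);
    },
    isAllowed: (category) => granted.has(category),
    log: () => auditLog.slice(),
  };
}
```

In production the audit log would be sent to server-side storage so the record survives the visitor clearing their browser.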
Frequently Asked Questions
Does Tanzania have a data protection law?
Yes. The Personal Data Protection Act 2022 came into force on 1 May 2023 and is supplemented by implementing regulations effective from July 2023.
Do websites need cookie consent for Tanzanian visitors?
Yes. The PDPA specifically requires consent before using cookies and third-party trackers that process personal data, unless authorised by another law.
What are the fines for non-compliance with Tanzania's PDPA?
Administrative fines can reach TZS 100 million. Criminal penalties for unauthorised disclosure include fines up to TZS 5 billion for companies and imprisonment of up to 10 years for individuals.
Who enforces data protection in Tanzania?
The Personal Data Protection Commission (PDPC) is the designated supervisory authority. Until it is fully constituted, the Ministry of Information, Communication, and Information Technology handles enforcement functions.
Is Tanzania's PDPA similar to the GDPR?
The PDPA shares core GDPR principles such as lawfulness, transparency, and purpose limitation. Key differences include mandatory registration with the PDPC, quarterly DPO reporting, and a permit system for cross-border data transfers.
Do I need to register with Tanzania's PDPC?
If you collect or process personal data in Tanzania, registration with the PDPC is mandatory. The initial deadline was 30 April 2025, and non-registration may result in sanctions.
Take Control of Your Cookie Compliance
Tanzania's PDPA makes cookie consent a legal requirement, not a suggestion. If you are unsure which cookies your site sets or whether your banner meets the standard, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie so your visitors get a clear choice and you stay on the right side of the law.