Uganda's Data Protection and Privacy Act 2019
Uganda enacted the Data Protection and Privacy Act (DPPA) on 3 March 2019, becoming one of the first East African nations to establish a comprehensive data protection framework. The Act is supplemented by the Data Protection and Privacy Regulations of 2021, which provide operational detail on registration, cross-border transfers, and enforcement procedures.
The Personal Data Protection Office (PDPO), housed within the National Information Technology Authority - Uganda (NITA-U), serves as the supervisory authority. The PDPO maintains a public register of data collectors and processors, investigates complaints, and issues enforcement orders.
If your website sets cookies that collect personal data from visitors in Uganda, the DPPA applies to you - regardless of where your organisation is based. The PDPO confirmed this extraterritorial reach in its landmark 2025 ruling against Google, ordering the company to register as a data controller within 30 days.
How the DPPA Defines Consent for Cookies
Section 7 of the DPPA states that personal data shall not be collected or processed without the prior consent of the data subject. The Act defines consent as a "freely given, specific, informed and unambiguous indication" of agreement, delivered through a statement or clear affirmative action. This definition mirrors the standard set by the GDPR.
Cookies that collect personal data - such as _ga, _fbp, or advertising tracking pixels - fall squarely within this requirement. A visitor landing on your site must give prior consent before these cookies are set.
Strictly necessary cookies, such as PHPSESSID for session management, may be exempt where the processing is required for the performance of a contract or a legitimate function of the website. The DPPA does not use the term "strictly necessary" explicitly, but its exemptions in Section 7(2) cover scenarios where processing is needed for contract performance or compliance with a legal obligation.
Conditions for Valid Consent
The DPPA sets out specific conditions. Consent must be informed, meaning the data subject knows what data is being collected and why. It must be specific to each purpose - bundled consent covering multiple unrelated purposes is not valid. The data subject retains the right to withdraw consent at any time, and processing must stop upon withdrawal.
For website operators, this translates into a cookie consent banner that clearly explains which cookies your site uses, what data they collect, and how that data is processed.
Registration Requirements for Website Operators
Section 29 of the DPPA requires every data collector and data processor to register with the PDPO before processing personal data. This applies to organisations operating websites that set cookies collecting personal data from Ugandan users.
Registration involves submitting details about your data processing activities, the categories of personal data handled, and information about any cross-border data transfers. Failure to register is a criminal offence under the Act.
The PDPO's enforcement action against Google in July 2025 centred on this registration requirement. Google was found to be collecting and processing Ugandan citizens' personal data without being registered, breaching Section 29.
Cross-Border Data Transfers
Section 19 of the DPPA restricts the transfer of personal data outside Uganda. A data controller may only transfer personal data to a foreign country if adequate safeguards exist to protect the data. The PDPO assesses adequacy based on the receiving country's data protection laws, the nature of the data, and the security measures in place.
This matters for cookies because analytics and advertising platforms routinely transfer data to servers in other jurisdictions. If your site uses _ga (Google Analytics) or _fbp (Meta Pixel), the data collected from Ugandan visitors may be transferred to the United States or other countries. You must ensure adequate safeguards are documented and, where applicable, disclosed in your cookie policy.
Penalties and Enforcement
The DPPA imposes both criminal penalties and administrative fines. The severity depends on the nature of the offence.
| Offence | Fine | Imprisonment |
|---|---|---|
| Failure to register with PDPO | Up to UGX 120,000 (approx. USD 31) | Up to 3 months |
| Unlawful data destruction or alteration | Up to UGX 4,800,000 (approx. USD 1,247) | Up to 10 years |
| Selling personal data | Up to UGX 4,800,000 (approx. USD 1,247) | Up to 10 years |
| Corporate liability (serious offences) | Up to 2% of annual gross turnover | N/A |
The individual fines may appear modest compared to GDPR penalties, but the 2% corporate turnover provision and the possibility of imprisonment make non-compliance a serious risk.
Enforcement is accelerating. In July 2025, the PDPO issued its first criminal conviction under the DPPA against the director of a microfinance company operating a loan app. The same month, Google was ordered to register and demonstrate compliance with cross-border transfer rules.
DPPA Compared to GDPR and Other African Laws
Uganda's DPPA shares significant overlap with the GDPR in its consent requirements, data subject rights, and processing principles. Both laws require freely given, specific, informed, and unambiguous consent. Both grant data subjects the right to access, rectify, and delete their personal data.
Key differences exist. The GDPR imposes fines of up to 4% of global annual turnover or EUR 20 million, while Uganda caps corporate fines at 2% of gross turnover with no fixed monetary ceiling. The DPPA includes criminal penalties - imprisonment of up to 10 years for certain offences - which the GDPR does not.
Among East African neighbours, Kenya's Data Protection Act 2019 and Tanzania's data protection framework follow similar GDPR-inspired models. Nigeria's NDPR and Ghana's Data Protection Act 2012 represent West African counterparts with comparable consent-based approaches.
Compliance Checklist for Your Website
Audit Your Cookies
Run a cookie scan to identify every cookie your site sets. Categorise each one as strictly necessary, functional, analytics, or advertising. Document the purpose, duration, and any third parties involved.
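The audit step above, sketched as an added example that is not part of the original page: it turns captured `Set-Cookie` headers into an inventory with category, purpose, third party, and duration. The lookup table, sample headers, and function names are assumptions made for illustration, and treating every cookie outside the strictly necessary category as needing consent is a conservative assumption, not the Act's wording.

```javascript
// Added example (not from the original page). KNOWN is a constructed lookup table;
// extend it with the cookies your own scan finds.
const KNOWN = new Map([
  ['PHPSESSID', { category: 'strictly necessary', purpose: 'session management', thirdParty: null }],
  ['_ga', { category: 'analytics', purpose: 'Google Analytics', thirdParty: 'Google' }],
  ['_fbp', { category: 'advertising', purpose: 'Meta Pixel', thirdParty: 'Meta' }],
]);

// Constructed sample: Set-Cookie header values as captured from one page load.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure',
  '_ga=GA1.1.111.222; Max-Age=63072000; Path=/',
  '_fbp=fb.1.1700000000000.333; Expires=Fri, 31 Jan 2025 00:00:00 GMT; Path=/',
  'promo_id=xyz; Max-Age=2592000',
];

// Split one Set-Cookie value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrs = Object.create(null);
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, attrs };
}

// Lifetime in whole days. Max-Age wins over Expires (RFC 6265); null means session cookie.
function durationDays(attrs, nowMs) {
  if (attrs['max-age'] !== undefined) return Math.round(Number(attrs['max-age']) / 86400);
  if (attrs.expires) return Math.round((Date.parse(attrs.expires) - nowMs) / 86400000);
  return null;
}

// One inventory row per cookie. Unknown cookies fail closed: they are flagged
// 'uncategorised' and treated as needing consent until someone classifies them.
function auditCookies(headers, nowMs = Date.now()) {
  return headers.map((h) => {
    const { name, attrs } = parseSetCookie(h);
    const known = KNOWN.get(name) || { category: 'uncategorised', purpose: 'unknown', thirdParty: null };
    const needsConsent = known.category !== 'strictly necessary';
    return { name, ...known, durationDays: durationDays(attrs, nowMs), needsConsent };
  });
}
```

Cookies set by JavaScript never appear in response headers, so pair a header capture like this with a browser-side scan.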
Implement a Consent Banner
Display a cookie consent banner that loads before non-essential cookies are set. The banner must explain what cookies you use and allow visitors to accept or reject each category. Pre-ticked boxes do not constitute valid consent under the DPPA's definition of "clear affirmative action."
Block Cookies Before Consent
Non-essential cookies and tracking scripts must not fire until the visitor provides consent. This requires script blocking - loading analytics and advertising tags only after an affirmative choice is recorded.
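One way to implement the blocking described above, together with the per-category choice and withdrawal conditions from earlier on the page. This is an added example, not code from the original page or from any consent tool; `createConsentGate`, the tag objects, and the injected `loadTag` callback are hypothetical names, and the callback is injected so the logic can be exercised outside a browser.

```javascript
// Added example (not from the original page); all names are hypothetical.
// In a browser, loadTag would inject the script, for instance:
//   (tag) => { const s = document.createElement('script'); s.src = tag.src; document.head.appendChild(s); }
const CATEGORIES = ['functional', 'analytics', 'advertising'];

function createConsentGate(loadTag, clock = () => new Date().toISOString()) {
  // Nothing is pre-ticked: every non-essential category starts denied.
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const pending = []; // registered, waiting for consent
  const loaded = [];  // already fired
  const log = [];     // timestamped record of each choice

  function flush() {
    for (const tag of pending.filter((t) => state[t.category])) {
      pending.splice(pending.indexOf(tag), 1);
      loadTag(tag);
      loaded.push(tag);
    }
  }
  function record() { log.push({ at: clock(), state: { ...state } }); }

  return {
    log,
    state: () => ({ ...state }),
    // Strictly necessary tags load at once; everything else waits for its category.
    register(tag) {
      if (tag.category === 'strictly necessary') { loadTag(tag); return; }
      if (!CATEGORIES.includes(tag.category)) throw new Error(`unknown category: ${tag.category}`);
      pending.push(tag);
      flush();
    },
    // choices: e.g. { analytics: true, advertising: false }. Only a literal true grants,
    // and each category is decided separately (no bundled consent).
    recordChoice(choices) {
      for (const c of CATEGORIES) if (c in choices) state[c] = choices[c] === true;
      record();
      flush();
    },
    // Withdrawal: stop the category, re-queue its tags, return cookie names to expire.
    withdraw(category) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      state[category] = false;
      record();
      const stopped = loaded.filter((t) => t.category === category);
      for (const t of stopped) { loaded.splice(loaded.indexOf(t), 1); pending.push(t); }
      return stopped.flatMap((t) => t.cookies || []);
    },
  };
}
```

A script that has already run cannot be unloaded, so expire the cookie names that `withdraw` returns and persist the new state so the tag stays blocked on the next page load.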
Maintain a Cookie Policy
Publish a cookie policy that lists each cookie by name, its purpose, its duration, and whether data is transferred outside Uganda. Link to this policy from your consent banner.
Register with the PDPO
If you collect personal data from Ugandan users through cookies, register with the Personal Data Protection Office. Provide details of your data protection officer and your cross-border transfer safeguards.
Document Cross-Border Transfers
If cookie data is sent to servers outside Uganda, document the safeguards you rely on. This may include contractual clauses with third-party processors or reliance on the receiving country's adequacy status.
Frequently Asked Questions
Does Uganda have a specific cookie law?
Uganda does not have a standalone cookie law. Cookies are regulated under the Data Protection and Privacy Act 2019, which requires prior consent for any collection or processing of personal data, including data gathered through cookies.
Do I need consent for all cookies under the DPPA?
Consent is required for cookies that collect or process personal data. Strictly necessary cookies that are essential for your website to function - such as session cookies - may fall under exemptions in Section 7(2) of the DPPA, which permits processing for contract performance or legal obligations.
What happens if I do not register with Uganda's PDPO?
Failure to register is a criminal offence under Section 29 of the DPPA. It carries a fine of up to UGX 120,000 and imprisonment of up to three months. The PDPO has actively enforced this requirement, as demonstrated in its 2025 action against Google.
Does Uganda's data protection law apply to foreign websites?
Yes. The PDPO has confirmed that the DPPA applies to any entity that handles the personal data of Ugandan citizens, regardless of where the entity is based. If your website sets cookies collecting data from Ugandan visitors, compliance is expected.
How does Uganda's DPPA compare to the GDPR?
Both laws require freely given, specific, informed, and unambiguous consent. The GDPR imposes higher maximum fines (up to 4% of global turnover or EUR 20 million), while the DPPA caps corporate fines at 2% of gross turnover but includes criminal penalties of up to 10 years imprisonment.
Can I transfer cookie data outside Uganda?
Section 19 of the DPPA permits cross-border transfers only where adequate safeguards exist. You must document these safeguards and may need to demonstrate them to the PDPO upon request.