The Nigeria Data Protection Regulation (NDPR) requires websites and digital platforms that collect personal data to obtain clear, informed consent from users—especially for cookies that track behavior. Cookie consent banners must be explicit, provide users with choices, and comply with NDPR principles such as data minimization and transparency.
The NDPR is the Nigerian framework for data protection, established in 2019 by the National Information Technology Development Agency (NITDA). It aims to safeguard the rights of natural persons to data privacy, regulate the processing of personal data, and ensure organizations handle data responsibly and transparently.
Businesses must understand that the NDPR applies to any organization—whether based in Nigeria or abroad—that processes the personal data of Nigerian residents. It mandates data protection policies, user consent for data collection, employee training, and the appointment of a Data Protection Officer (DPO) where applicable. Compliance not only avoids penalties but also builds consumer trust.
Businesses operating online in Nigeria must implement technical and organizational measures to ensure data privacy and user consent.
To check your NDPR compliance:
Review data practices:
Assess whether your organization collects, stores, processes, or shares personal data of individuals in Nigeria
Update privacy policy:
Review your privacy policy, data processing practices, and cookie consent mechanisms
Audit:
Perform an audit or gap assessment to help identify non-compliant areas and guide remediation steps
Implement consent management:
Platforms like CookieHub provide an easy way to manage consumer consent for data processing.
All public and private organizations that process personal data of Nigerian citizens or residents must comply with the NDPR. This includes local companies, international businesses targeting Nigerian users, government agencies, educational institutions, and nonprofits.
Nigeria’s law gives residents a set of data privacy rights, including:
Request access to their personal information
Request to know how personal data is being collected and used
Request that inaccurate, incomplete or out-of-date information be corrected
Request the erasure of their personal information under certain circumstances
Request to opt out of processing of their data
Request data in a structured, commonly used format
Request that decisions not be made solely on automated processing
Organizations must obtain consumer consent before processing data and consumers can withdraw consent
File complaints in the event of a data breach
Cookies that collect or store personal data—such as IP addresses, device identifiers, or browsing history—fall under NDPR regulations. Users must be informed about the type of cookies used, their purpose, and must be given the option to accept or decline non-essential cookies. Default cookie acceptance is not considered valid consent under the NDPR.
Non-compliance with the NDPR can lead to substantial penalties. Organizations may face fines of up to 2% of annual gross revenue or ₦10 million—whichever is greater—for serious breaches. Additional consequences may include public sanctions, reputational damage, or even suspension of data processing rights.
Implementing a few key data privacy best practices can help you comply with NDPR:
Conduct data and cookie audits:
Review current data practices to identify areas for aligning with the NDPR
Update privacy and cookie policies:
Revise privacy notices to clearly outline data practices, consumer rights, and how to exercise those rights
Implement consent management:
Manage cookie use and consent with a comprehensive consent management platform like CookieHub
Educate employees:
Give employees training on the importance of compliance with NDPR
Implement breach processes:
Ensure clear pathways for notifying consumers about data breaches
Assign a privacy officer:
Add a privacy officer to your organization to manage compliance
The NDPR applies to all transactions intended for the processing of personal data of Nigerian citizens and residents, whether by individuals or organizations within Nigeria or outside the country, provided the data subjects are in Nigeria.
Personal data refers to any information relating to an identified or identifiable natural person. This includes names, addresses, phone numbers, email addresses, and any other data that can be used to identify an individual.
Sensitive data includes information such as a person’s race, ethnic origin, political opinions, religious or philosophical beliefs, health status, genetic or biometric data, sexual orientation, or trade union membership.
The Nigeria Data Protection Commission (NDPC) is the regulatory authority responsible for enforcing and overseeing compliance with the NDPR.
The NDPR does not apply to purely personal or household activities with no connection to a professional or commercial purpose. Additionally, data processed for national security or public interest by authorized government agencies may be exempt under specific legal conditions.
You can find detailed information, official guidelines, and updates on the NDPR by visiting the Nigeria Data Protection Commission’s official website.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
