Egypt Personal Data Protection Law 151 of 2020 Cookie Consent Compliance Guide: 2026 Playbook for Publishers

Egypt's Personal Data Protection Law No. 151 of 2020 — usually referred to as the Egyptian PDPL — was issued on 15 July 2020 and entered into force on 14 October 2020. For most of the period since, the absence of executive regulations meant the Law sat as a statement of principles rather than an enforceable regime. That changed when the Personal Data Protection Centre — the regulator established under the Law, attached to the Ministry of Communications and Information Technology — published its operational framework, licensing requirements, and the executive regulations that the Law had left to be issued. By 2026 the regime is fully operational, the licensing track for data controllers and processors is active, and publishers operating in or targeting Egypt are subject to a domestic consent standard that is closer to the GDPR than to any older regional model. The implication for cookie consent is direct: a banner that worked in Egypt under the legacy regime is not sufficient now, and a banner that satisfies the GDPR will satisfy the PDPL only when the integration accounts for the points where the two frameworks diverge.

What the Egyptian PDPL actually requires

The Law applies to the processing of personal data of Egyptian residents regardless of where the controller or processor is established, and to controllers and processors established in Egypt regardless of where the data subjects are located. That extraterritorial reach mirrors GDPR Article 3 and means a publisher headquartered outside Egypt but with Egyptian readers, app installs, or paying customers is firmly within scope. Personal data is defined broadly as any data relating to an identified or identifiable natural person, with sensitive personal data — including health, biometric, genetic, mental-health, financial, religious-belief, political-opinion, and criminal-conviction data — subject to a higher consent threshold and additional safeguards.

The Law establishes lawful bases for processing, the standard slate of data-subject rights — access, rectification, erasure, restriction, objection, and portability — a controller-processor accountability framework, breach-notification obligations, cross-border-transfer controls, and an administrative-penalty regime with fines ranging from EGP 100,000 for minor violations up to EGP 5 million for serious or repeated breaches. Criminal sanctions apply to the most serious categories, including unlicensed cross-border transfer and processing of sensitive data without authorisation.

How the PDPL treats cookie consent specifically

Unlike the EU's ePrivacy Directive, the PDPL does not contain a separate provision on cookies. Cookies and analogous storage-and-access technologies fall within the general consent framework: any processing of personal data that relies on consent as its lawful basis must be obtained on the basis of an explicit, voluntary, specific, and documented expression of agreement from the data subject. The Personal Data Protection Centre, in its guidance issued during the staged commencement of the regulations, has confirmed that pre-ticked boxes, implicit consent inferred from continued browsing, and bundled consent banners do not satisfy the Law's standard. That brings Egypt firmly into line with the global trajectory and means the practical posture publishers already maintain for the EEA is the right starting point for Egyptian traffic.

The practical effect is that cookies and any analogous technologies which are not strictly necessary for delivering the service must not be set before the user has actively consented. Strictly-necessary cookies — session identifiers, cart contents, security tokens, load-balancing cookies — can be set without consent on the basis that the user has actively requested the service. Everything else — analytics, advertising, personalisation, A/B testing, session replay, and any third-party tag — requires prior consent.

How the PDPL diverges from the GDPR in practice

Three differences matter at the integration layer. First, the PDPL requires that consent for the processing of sensitive personal data be obtained in writing or via a documented electronic equivalent that the controller can produce on request — a higher evidentiary standard than the GDPR's explicit-consent requirement. Second, the PDPL imposes a licensing regime: controllers and processors must register with the Personal Data Protection Centre, and certain categories of processing — including cross-border transfer and direct marketing — require a separate operational licence. Third, the PDPL's cross-border-transfer rules require either an adequacy designation by the Centre, an approved contractual safeguard, or explicit consent from the data subject; transfers to jurisdictions without designations or safeguards are restricted regardless of the recipient's own compliance posture.

What a compliant cookie banner looks like under the PDPL

The technical requirements converge with what every modern CMP already produces, but the labelling, the documentation, and the consent log must reflect Egyptian specifics. The first-layer banner must present the user with a real choice — accept, reject, manage — where the reject option is at least as prominent as the accept option. Bundled consent is prohibited, so the second layer must allow per-category opt-in covering at minimum analytics, advertising, and any cross-border-transfer-dependent processing. Categories must default to off; the banner must not load tags until the user has affirmatively flipped them on.

The privacy notice surfaced from the banner must identify the controller, the controller's PDPL licence number if applicable, the categories of personal data collected, the lawful basis for each processing purpose, the data-retention period, the categories of recipients including any sub-processors located outside Egypt, the data subject's rights under the Law, and the Personal Data Protection Centre's contact details for complaints. A notice that meets the GDPR's Article 13 standard will substantially overlap, but the Egyptian-licence and Centre-contact lines must be added explicitly.

The integration pattern that passes a Personal Data Protection Centre review

The reference implementation has four moving parts. The first is a CMP that supports per-category, default-off opt-in and exposes the user's choice via a structured consent string the publisher can persist. The second is a tag-loading layer — a server-side tag manager or a CMP-native gate — that strictly enforces consent state before any non-essential cookie is set. The third is a consent log, stored server-side, that records for every consent event the user's choice per category, the timestamp, the banner version, and a truncated or hashed IP identifier such that the controller can produce the record on Centre request. The fourth is a withdrawal path at least as easy as the original grant — typically a persistent banner re-open link in the footer.

Validation, licensing, and audit posture for 2026

A defensible Egyptian deployment in 2026 must pass four technical checks. First, a clean browser session served from an Egyptian IP address must produce zero non-essential cookies before the banner has been actioned. Second, the reject-all path must result in the same posture as a no-action session — no analytics tags, no advertising tags, no session-replay scripts. Third, an accept-all flow must produce only the tags the user has consented to, and the consent log must contain a matching record. Fourth, a withdrawal flow must immediately stop further tag fires, expire the cookies set during the consented session, and trigger any downstream deletion or opt-out signals the recipient partners require.

Beyond the technical checks, the licensing and audit posture is what makes a deployment defensible. Controllers processing the personal data of Egyptian residents above the thresholds set by the executive regulations must be registered with the Personal Data Protection Centre, and the registration record — together with the consent log, the privacy notice, the data-protection-impact-assessment results for higher-risk processing, and any cross-border-transfer authorisations — forms the documentation the Centre may request during a compliance review. A correctly configured CMP with a server-side log, a tag-loading layer that enforces consent state, a privacy notice that names each cross-border-transfer destination, and the licensing paperwork on file is what turns the Egyptian PDPL from a regulatory unknown into a defensible part of a publisher's MENA-region consent posture.

← Blog Read All →