Nigeria Data Protection Act 2023 Cookie Consent Compliance Guide for Publishers in 2026

Nigeria operated for years under the Nigeria Data Protection Regulation 2019 (NDPR), a subsidiary regulation issued by NITDA that imposed GDPR-flavored obligations without the full statutory authority of a proper data protection law. The Nigeria Data Protection Act 2023 (NDPA) changed that. Passed by the National Assembly and signed in June 2023, the Act is Nigeria's first comprehensive data protection statute, and it established the Nigeria Data Protection Commission (NDPC) as a standalone supervisory authority with enforcement powers materially stronger than NITDA's under the older regime. For publishers, SaaS operators, and ad-tech vendors serving Nigerian traffic — a market that has expanded rapidly with the growth of fintech, e-commerce, and the broader West African digital economy — the NDPA reset the compliance bar. This guide walks through what the Act requires, how the NDPC has interpreted it for online tracking, and what the practical compliance work looks like in 2026.

The NDPA in Outline

The NDPA is structured around six core principles that map cleanly to the GDPR's Article 5: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and security. The Act applies to any data controller or processor that processes personal data of individuals located in Nigeria, with extraterritorial reach that mirrors GDPR Article 3. An offshore publisher serving Nigerian visitors falls squarely within scope regardless of where the publisher is established.

The Act's lawful bases under Section 25 are also familiar: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interest. For online tracking the relevant bases are consent and — in narrow, well-documented circumstances — legitimate interest. The NDPC's 2025 General Application and Implementation Directive (GAID) clarified that the consent standard for non-essential cookies is functionally identical to the GDPR's: freely given, specific, informed, unambiguous, and capable of being withdrawn as easily as it was given.

The Move from NDPR to NDPA

Three changes between the old NDPR regime and the new NDPA matter most for online publishers.

Statutory enforcement powers

NITDA's authority under the NDPR rested on a subsidiary regulation, which limited the strength of remedies the agency could pursue. The NDPC operates under primary legislation and can issue compliance orders, impose administrative fines tied to a percentage of annual revenue, and pursue criminal referrals for willful violations. The shift from regulatory persuasion to statutory enforcement is the most consequential operational change.

Mandatory data protection officer obligations

The NDPA requires data controllers above specified processing thresholds to designate a Data Protection Officer (DPO) and to register with the NDPC. The thresholds capture most meaningful online publishers and SaaS operators serving Nigerian users.

Cross-border transfer framework

The NDPA codified cross-border transfer rules that NDPR had treated only loosely. Sections 41-43 require transfers to non-adequate jurisdictions to proceed under one of several enumerated mechanisms — adequacy designation, binding corporate rules, contractual safeguards, or specific derogations — with the NDPC publishing a list of approved instruments.

How the NDPA Treats Cookies and Online Tracking

The NDPA does not contain a cookie-specific provision; the consent and information obligations flow from the general framework. The NDPC's GAID and a series of public guidance notes published through 2024 and 2025 articulated specific expectations for online tracking.

Affirmative consent for non-essential cookies

The NDPC's position aligns with the EDPB Cookie Banner Taskforce and the equivalent positions from comparable African regulators (Kenya's ODPC, South Africa's Information Regulator). Scroll-as-consent, continued-use-as-consent, and pre-ticked boxes are explicit defects.

Granular category controls

Banners must separate strictly necessary cookies from analytics and from marketing, with each category independently controllable. Bundled accept-all without granularity is treated as a failure of the "specific" prong of the consent standard.

Documented lawful basis

Section 26 of the NDPA codifies accountability — controllers must be able to demonstrate their lawful basis for each processing activity on demand. For cookie deployments this translates to audit-grade consent logging: timestamp, banner version, the user's choice, and the lawful basis claimed for each category that fires.

Cross-border transfer disclosure

For cookies that route data to vendors outside Nigeria — most US-based ad-tech vendors, EU-based analytics platforms — the privacy notice must identify the transfer recipient and the safeguard under which the transfer proceeds. Generic language about "we use third parties" does not satisfy the NDPC's expectations.

The Nigeria Data Protection Commission's Enforcement Posture

The NDPC has been deliberately public-facing since it stood up in 2023. Its enforcement posture follows three observable patterns.

High-profile early cases

The NDPC has prioritized visible early cases against well-known operators to establish precedent and signal seriousness. Several fintech and telecom operators received compliance orders in 2024 and 2025 with public communications around the remediation.

Sectoral sweeps

Beyond complaint-driven cases, the NDPC has conducted sectoral reviews of fintech, healthcare, and e-commerce operators. The sweeps typically begin with a request for documentation (privacy notices, consent logs, vendor lists) and escalate based on what the documentation reveals.

Coordination with African and European regulators

The NDPC participates in the African Union's Continental Free Trade Area data flow workstream and maintains working relationships with the EDPB and major national DPAs. Cross-border investigations involving Nigerian and European traffic are increasingly handled through coordinated procedures.

A Practical Compliance Checklist

Six concrete questions to answer for any cookie banner serving Nigerian traffic.

Where Nigeria Fits in a Multi-Jurisdiction Stack

Nigeria is the largest digital market in Africa by user count, and the NDPA is increasingly the template that other African jurisdictions point to when modernizing their own frameworks. A compliance architecture built to European standards handles Nigerian compliance with the same kind of minor configuration adjustments that New Zealand requires: DPO designation where thresholds apply, NDPC-style transfer documentation, and English-language disclosures that respect Nigerian linguistic conventions. For publishers building toward pan-African operations, the NDPA sits alongside Kenya's DPA 2019, South Africa's POPIA, and Egypt's emerging framework as the four most operationally consequential African regimes. Getting Nigerian compliance right is meaningful in its own market and signals continental readiness for the rest.

← Blog Read All →