Saudi Arabia PDPL Cookie Consent Compliance Guide for Publishers in 2026

Saudi Arabia's Personal Data Protection Law (PDPL) moved from a written-down statute into a fully enforced regime over the eighteen months between September 2024 and early 2026, and the country's data regulator — the Saudi Data & AI Authority (SDAIA) — has spent that window publishing implementing regulations, cross-border transfer rules, and a fee-funded compliance audit programme that now reaches every publisher with measurable Saudi traffic. For mobile game studios, ad-funded news sites, e-commerce operators, and any platform whose audience includes residents of the Kingdom, the PDPL is no longer a paper requirement that lives next to GDPR in a compliance binder. It is an operational obligation with real fines, real audit letters, and real consent-mode plumbing that needs to be wired into your CMP. This guide walks publishers through what the PDPL actually demands in 2026, how cookie consent maps onto SDAIA's framework, what the cross-border rules mean for AdSense and programmatic, and the practical steps to keep KSA traffic monetisable without triggering the new sanction regime.

What the PDPL Actually Is

The PDPL is Saudi Arabia's first comprehensive privacy law. It was issued by Royal Decree M/19 in 2021, amended in March 2023 to align it more closely with the global standard set by GDPR and similar regimes, and entered fully into force on 14 September 2024 after a one-year grace period. The law sits inside a wider Saudi data-governance stack that includes the National Data Governance Interim Regulations, the Cloud Computing Regulatory Framework, and SDAIA's freedom-of-information rules — but for publishers, the PDPL is the piece that governs cookies, ad tracking, analytics, and any other personal-data processing tied to a website or app.

The Implementing Regulations

The PDPL is short. The detail lives in two implementing regulations published by SDAIA in September 2023 and refined through 2024 and 2025: the Implementing Regulations (general) and the Personal Data Transfer Regulations (cross-border). Together these give publishers concrete answers on consent quality, retention, breach notification timelines, and the conditions for sending Saudi residents' data outside the Kingdom. Anyone still working from the 2021 text alone is reading an outdated map.

The Enforcement Timeline Publishers Should Know

SDAIA gave organisations until 14 September 2024 to come into full compliance. The first wave of audit letters went out in late 2024 to large controllers in finance, telecoms, and government services. Through 2025 the audit programme widened to include ad-funded media, e-commerce, and any platform processing more than a defined volume of Saudi residents' data. By 2026 SDAIA has signalled that small and mid-sized publishers are now in scope — particularly any operator whose Arabic-language content or ad spend signals a deliberate Saudi audience.

Who SDAIA Considers a Data Controller

The PDPL applies extraterritorially. You do not need a Saudi entity, a Saudi server, or a Saudi bank account to be a controller under the law. If your site or app processes the personal data of individuals residing in the Kingdom, you are in scope. For publishers this hook is triggered by the routine ad-tech data flow: IP addresses, device IDs, hashed emails, behavioural cookies, and the user identifiers that flow through programmatic auctions all count as personal data when they are tied to a Saudi resident.

The Local Representative Requirement

Foreign controllers without a presence in the Kingdom must appoint a local representative registered with SDAIA. The representative is a legal point of contact for data-subject requests and regulator correspondence. Smaller publishers often handle this through a privacy-services firm rather than incorporating locally — but the appointment is mandatory once you cross the threshold of regular Saudi processing.

Joint Controller Scenarios for Ad Tech

The supply chain that monetises a programmatic ad slot — your CMP, your ad server, the SSPs you call into, the DSPs that bid, the verification vendors, and the measurement partners — creates joint and several controller relationships under the PDPL just as it does under GDPR. Publishers cannot offload PDPL liability to a vendor. SDAIA expects the publisher to demonstrate that every downstream partner has its own lawful basis and contractual commitments that match what the publisher promised at the consent banner.

Cookie Consent Under the Implementing Regulations

The PDPL recognises consent as one lawful basis for processing personal data, and the Implementing Regulations spell out what valid consent looks like. The standard is high — closer to GDPR than to CCPA — and it covers cookies, pixels, SDKs, fingerprinting, and any other tracking technology that reads or writes data on a user's device.

What Counts as Valid Consent

Consent must be freely given, specific, informed, and explicit. Pre-ticked boxes, cookie walls that block content unless the user accepts, and ambiguous "by continuing to browse" notices all fail the standard. The user must take an unambiguous affirmative action — typically a click on an Accept button — and that action must be tied to a clear description of the processing purposes. Bundled consent that lumps analytics, advertising, and personalisation into a single yes-or-no is explicitly disallowed.

Granular Purpose Categories

SDAIA's guidance lists the purpose categories a publisher CMP should expose: strictly necessary, functional, analytics, advertising, personalisation, and any sensitive-data processing such as health or biometric inferences. Each category needs its own toggle, its own purpose description, and its own vendor list. The IAB Europe TCF v2.3 framework, suitably extended with PDPL-specific text in Arabic, is the most common path publishers use to satisfy the granularity requirement.

Withdrawal and Re-Consent

The right to withdraw consent must be as easy as the right to give it. A floating consent-preferences icon, a footer link, or an in-app settings panel all qualify; a buried email-only opt-out does not. Publishers should plan for periodic re-consent on material changes — a new ad partner, a new cookie purpose, a new SDK — and SDAIA expects the CMP audit log to record each re-consent event with a timestamp.

Cross-Border Transfers and Data Localization

The Personal Data Transfer Regulations are the part of the PDPL most likely to trip up publishers, because the moment a Saudi user's IP address enters a programmatic auction it has effectively been transferred to wherever the SSPs and DSPs operate. SDAIA does not treat this as a free flow.

The Adequacy List and Standard Contracts

A controller may transfer personal data outside the Kingdom under one of three primary mechanisms: a SDAIA-approved adequacy decision for the destination country, a SDAIA-approved standard contract, or a binding corporate rule set for intra-group transfers. The adequacy list as of 2026 includes a small number of GCC neighbours and a handful of European jurisdictions, but most ad-tech destinations — including the United States — sit outside it and require either a standard contract or a derogation.

The Data Transfer Impact Assessment

For high-risk transfers SDAIA requires a documented Data Transfer Impact Assessment (DTIA) before the transfer begins. This is the Saudi analogue of the EU's transfer impact assessment after Schrems II. Publishers should work with their CMP and ad-tech vendors to assemble template DTIAs that cover the recurring programmatic flows, and refresh them whenever a vendor changes processing locations.

Practical Compliance Steps for Publishers

The PDPL programme breaks into five operational tasks that map cleanly onto a publisher's existing CMP and ad stack. None of them are unfamiliar to anyone who has already implemented GDPR or LGPD compliance — the difference is in the detail of the Saudi text and the specific transfer rules.

CMP Configuration Checklist

Confirm that your consent banner shows in Arabic for KSA visitors and English for everyone else, that purpose categories are fully granular, that the reject-all path is one click and visually equal to accept-all, and that the consent string flows downstream through Google Consent Mode v2 or your TCF integration. Make sure your CMP records a PDPL-specific consent receipt with a timestamp, the policy version, and the user identifier so that audit responses can be assembled in minutes rather than days.

Consent Logs and Audit Trail

SDAIA's audit teams ask for consent evidence in a familiar form: who consented, to what, when, with what banner version, and what they were told at the moment of consent. Plan retention of these logs for at least two years and store them in a way that survives CMP vendor changes — exporting to a controller-owned data warehouse is the cleanest pattern.
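As an added illustration of the consent-receipt and Consent Mode plumbing described in the two sections above (example code written for this guide, not from the original post or any CMP vendor): the purpose categories follow SDAIA's list, while the receipt field names, the three action labels and the purpose-to-signal mapping are assumptions.

```javascript
// Added example, not the CMP's or SDAIA's own code. Purpose names follow the
// granular categories above; receipt fields, action labels and the mapping to
// Consent Mode v2 signals are assumptions made for this illustration.

const PURPOSES = ["functional", "analytics", "advertising", "personalisation"];
const ACTIONS = ["accept_all", "reject_all", "save_preferences"];

// Build one consent-receipt record. Nothing is pre-ticked: a receipt only
// exists once the user has taken one of the three affirmative actions, and
// save_preferences requires an explicit toggle for every purpose.
function buildConsentReceipt({ userId, policyVersion, bannerVersion, language, action, choices = {}, now = new Date() }) {
  if (!ACTIONS.includes(action)) throw new Error("no affirmative user action");
  const purposes = { strictly_necessary: true };
  for (const p of PURPOSES) {
    if (action === "accept_all") purposes[p] = true;
    else if (action === "reject_all") purposes[p] = false;
    else if (typeof choices[p] === "boolean") purposes[p] = choices[p];
    else throw new Error(`save_preferences needs an explicit toggle for ${p}`);
  }
  return { userId, policyVersion, bannerVersion, language, action, purposes, timestamp: now.toISOString() };
}

// Translate the granular receipt into the payload for
// gtag('consent', 'update', ...). The purpose-to-signal mapping is an assumption.
function toConsentModeV2(receipt) {
  const g = (v) => (v ? "granted" : "denied");
  const p = receipt.purposes;
  return {
    security_storage: "granted",
    functionality_storage: g(p.functional),
    analytics_storage: g(p.analytics),
    ad_storage: g(p.advertising),
    ad_user_data: g(p.advertising),
    ad_personalization: g(p.advertising && p.personalisation),
    personalization_storage: g(p.personalisation),
  };
}

// Re-consent is due when the policy or banner the user actually saw has changed.
function needsReconsent(receipt, currentPolicyVersion, currentBannerVersion) {
  return receipt.policyVersion !== currentPolicyVersion || receipt.bannerVersion !== currentBannerVersion;
}
```

Persist the returned receipt object to the controller-owned log before calling gtag with the mapped payload; the log is what an audit request is answered from.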

Data Subject Rights Workflow

The PDPL grants access, correction, deletion, and portability rights, with response timelines of thirty days. A publisher with a single privacy@ inbox and no ticketing workflow will miss the deadline more often than they hit it. Stand up a documented intake-to-response process, train one named owner, and integrate the workflow with your CMP and ad-server consent records so that erasure requests propagate downstream.

The Bottom Line

Saudi Arabia's PDPL in 2026 is not a soft regime that publishers can deprioritise behind GDPR and CCPA. SDAIA has the funding, the audit capacity, and the political backing to enforce it, and the cross-border transfer rules in particular create real friction with the global ad-tech supply chain that publishers have to engineer around. The good news is that the PDPL borrows enough from GDPR that a publisher with a mature European compliance posture is most of the way there. Localise your consent banner into Arabic, layer the PDPL-specific purpose text on top of your existing TCF setup, document your transfer mechanisms, appoint a local representative if your Saudi traffic warrants it, and your KSA audience stays monetisable while the operators who waved off PDPL as a paper exercise spend 2026 reading audit letters.