Sri Lanka PDPA Cookie Consent Compliance Guide: Act No. 9 of 2022 in Force for Publishers in 2026

Sri Lanka spent more than a decade in the legislative pipeline before its Personal Data Protection Act was finally enacted as Act No. 9 of 2022, certified by the Speaker on 19 March 2022. The Act adopts the broad architecture that has become the global standard since the GDPR — purpose limitation, lawful basis, data-subject rights, accountability, cross-border transfer controls, breach notification, and an independent regulator with administrative-penalty powers — but it embeds them in a regime tailored to South Asian commercial and constitutional realities. The Act commenced in stages from 17 March 2023, with the substantive obligations triggering 18 months later and the enforcement provisions phased in progressively through 2025 and into 2026. For publishers and any other entity that processes the personal data of individuals in Sri Lanka, the implication is direct: a cookie-consent posture that satisfied the previous patchwork of sectoral rules is no longer sufficient, and a posture that satisfies the GDPR will satisfy the PDPA only if the integration is configured for the specific points where the two regimes diverge.

What the Sri Lanka PDPA actually requires

The PDPA applies to the processing of personal data of data subjects who are in Sri Lanka, regardless of where the controller or processor is located, and to controllers and processors established in Sri Lanka regardless of where the data subjects are located. The extraterritorial reach mirrors GDPR Article 3 and means that a publisher with no Sri Lankan office but with Sri Lankan readers, app installs, or paying customers is squarely within scope. Personal data is defined broadly as any information relating to an identified or identifiable natural living person, with special-category data including biometric, genetic, financial, health, racial, ethnic, religious-belief, political-opinion, and criminal-record data treated under tighter rules.

The Act establishes seven core data-protection principles, six lawful bases for processing, the standard slate of data-subject rights — access, rectification, erasure, restriction, objection, and data portability where technically feasible — and a regulator, the Data Protection Authority of Sri Lanka, with the power to issue directives, impose administrative penalties up to LKR 10 million per breach, and refer serious matters for criminal prosecution.

How the PDPA treats cookie consent specifically

The PDPA does not contain a separate ePrivacy-style provision on cookies, in the way the EU's ePrivacy Directive does. Instead, it folds cookie processing into the general GDPR-style consent framework: any processing of personal data that relies on consent as its lawful basis must be obtained on the basis of a clear affirmative act by which the data subject signifies agreement, freely given, specific, informed, and unambiguous. The DPA has indicated, consistently with the global trend, that pre-ticked boxes, continued-browsing language, and bundled consent banners are not valid forms of consent under the Act.

The practical effect is the same posture that publishers operating in the EEA already maintain: cookies and any analogous storage-and-access technologies that are not strictly necessary for delivering the service must not be set before the user has actively consented to them. Strictly-necessary cookies — session identifiers, cart contents, security tokens, load-balancing cookies — can be set without consent because they fall under the legitimate-interest basis tied to the service the user has actively requested. Everything else, including analytics, advertising, personalisation, A/B testing, session replay, and any third-party tag, requires prior consent.

How the PDPA differs from the GDPR

Three differences matter for the integration layer. First, the PDPA's lawful-basis catalogue includes a public-interest and a legal-obligation basis that map closely to GDPR Article 6 but does not include the standalone legitimate-interest basis in the form European publishers rely on for ad-measurement processing. The PDPA's equivalent is narrower, requiring a documented balancing test that is filed with the controller's record of processing and made available to the DPA on request. Second, the PDPA's cross-border transfer rules require the DPA to designate destination jurisdictions, and transfers to undesignated jurisdictions require either explicit consent, contractual safeguards approved by the DPA, or one of the narrow derogations. Third, the PDPA's breach notification timeline is shorter for high-risk breaches and longer for low-risk breaches than the flat 72-hour GDPR rule — controllers must notify without undue delay and, where feasible, within a window that the DPA's guidance has tightened over the staged-commencement period.

What a compliant cookie banner looks like under the PDPA

The technical requirements converge with what every modern CMP already produces, but the labelling and the consent log must reflect Sri Lankan specifics. The first-layer banner must present the user with a real choice — accept, reject, manage — where the reject option is at least as prominent as the accept option. Bundled consent is prohibited, so the second layer must allow per-category opt-in covering at minimum analytics, advertising, and any cross-border-transfer-dependent processing. Categories must be defaulted to off; the banner must not load tags until the user has affirmatively flipped them on.

The privacy notice surfaced from the banner must identify the controller, the categories of personal data collected, the lawful basis for each processing purpose, the data-retention period, the categories of recipients including any sub-processors that operate from outside Sri Lanka, the data subject's rights under the PDPA, and the DPA's contact details for complaints. A notice that meets the GDPR's Article 13 standard will substantially overlap, but the DPA-contact and cross-border-transfer-jurisdiction lines must be added explicitly.

The integration pattern that passes a DPA review

The reference implementation has four moving parts. The first is a CMP that supports per-category, default-off opt-in and exposes the user's choice via a structured consent string that the publisher can persist in a consent log. The second is a tag-loading layer — typically a server-side tag manager or a CMP-native script gate — that strictly enforces consent state before allowing any non-essential cookie to be set. The third is a consent log, server-side, that records for every consent event the user's choice per category, the timestamp, the consent banner version, the IP address (truncated or hashed if the controller has decided this satisfies its data-minimisation analysis), and the categories that were granted versus refused. The fourth is a withdrawal path that is at least as easy as the original grant — a persistent banner re-open link in the footer is the pattern the DPA has tacitly endorsed by reference to international best practice.

Validation and audit posture for 2026

A defensible Sri Lankan deployment in 2026 must pass four checks. First, a clean browser session served from a Sri Lankan IP address must produce zero non-essential cookies before the banner has been actioned. Second, the reject-all path must result in the same posture as a no-action session — no analytics tags, no advertising tags, no session-replay scripts, only the strictly-necessary set. Third, an accept-all flow must produce the tags the user has consented to and the consent log must contain the corresponding record. Fourth, a withdrawal flow must immediately stop further tag fires, expire the cookies set during the consented session, and trigger any downstream deletion or opt-out signals that the recipient partners require.

The audit-trail requirement is where the PDPA is most distinctive in 2026. The DPA has issued guidance indicating that controllers should be able to produce, on request, the specific consent record that authorised any given processing activity. That means the consent log must be queryable by user identifier or session identifier, retained for a period that the controller has documented in its retention schedule, and exportable in a structured format. A correctly configured CMP with a server-side log, paired with a tag-loading layer that enforces consent state and a privacy notice that names each cross-border-transfer destination, is what turns the Sri Lankan PDPA from a regulatory unknown into a defensible part of a publisher's global consent posture.

← Blog Read All →