Skip to main content
Back to Guides
Compliance6 min read

Cookie Consent in Emerging Markets: A 2026 Global Guide

Beyond the EU, the US, and Brazil, a wave of privacy laws in the Gulf, Africa, and Southeast Asia now reach cookies and online tracking. Here is where consent is required in Saudi Arabia, the UAE, Nigeria, Vietnam, Indonesia, and Thailand in 2026.

Global cookie compliance used to mean the EU, the UK, California, and maybe Brazil. That map is out of date. Since 2023, a cluster of privacy laws across the Gulf, Africa, and Southeast Asia has entered force or fully phased in, and most of them regulate consent for personal data collected through cookies and trackers. If your site draws traffic from these regions, a single GDPR-style banner is a starting point, not a guarantee of compliance.

This guide summarises six laws that matured in 2024 to 2026, their regulators, and what each expects around cookie consent. It complements our jurisdiction-focused guides on Brazil's LGPD, India's DPDP Act, and the penalties by country overview. Local-language statutes are the source of truth; verify specifics with counsel before you rely on them.

Saudi Arabia: PDPL (Enforceable Since September 2024)

Saudi Arabia's Personal Data Protection Law (PDPL) became fully enforceable on 14 September 2024, when the one-year transition period ended. It's overseen by the Saudi Data and Artificial Intelligence Authority (SDAIA).

The PDPL requires a lawful basis for processing, with consent that has to be clear and unambiguous, and it grants data subjects rights of access, correction, and deletion. For website tracking, that means opt-in style consent for non-essential cookies and a clear privacy notice. Penalties can reach SAR 5 million, with harsher criminal penalties for unlawful disclosure of sensitive data. See the DLA Piper Saudi Arabia overview.

United Arab Emirates: PDPL in Force, Regulations Still Pending

The UAE's federal Personal Data Protection Law, Federal Decree-Law No. 45 of 2021, has been in force since 2 January 2022. The catch: as of 2026 the executive regulations that would spell out operational detail have still not been published, and the UAE Data Office has issued interim guidance in the meantime.

The law sets GDPR-adjacent principles, consent as a legal basis, transparency, data-subject rights, so the safe posture is to treat non-essential cookies as consent-based now rather than waiting for the regulations. Note also that the financial free zones, DIFC and ADGM, run their own separate data-protection laws. Refer to the official UAE legislation portal for the decree-law text.

Nigeria: NDPA 2023 and the GAID Cookie Rule

Nigeria's Data Protection Act 2023 (NDPA) is Africa's most significant recent privacy statute, enforced by the Nigeria Data Protection Commission (NDPC). It defines consent as freely given, specific, informed, and unambiguous, given through an affirmative action.

Cookie specifics were sharpened by the NDPC's General Application and Implementation Directive (GAID) issued in 2025: under its Article 19, websites and apps must obtain opt-in consent before setting cookies or tracking tools, except strictly necessary ones, and withdrawing consent must be as easy as giving it. That puts Nigeria close to the EU model in practice. See the NDPC.

Vietnam: A New Law Replaces the 2023 Decree

Vietnam moved from decree-level rules to a full statute. The Law on Personal Data Protection (Law No. 91/2025/QH15) took effect on 1 January 2026, replacing Decree 13/2023 on Personal Data Protection. Elevating the framework to statutory law signals stricter, more durable enforcement.

Consent under the new law must be voluntary, specific, fully informed, and given for each purpose separately, and, importantly, silence or non-response does not count as consent, which rules out implied or bundled cookie consent. Ongoing processing lawfully started under the old decree can continue, but new activity must meet the new standard. See the DLA Piper Vietnam overview.

Indonesia: PDP Law Fully Enforced Since October 2024

Indonesia's Personal Data Protection Law (Law No. 27 of 2022) completed its two-year transition on 17 October 2024, so all organisations handling Indonesian personal data are now expected to comply in full.

The law requires controllers to have proof of consent before processing, to disclose the purpose and categories of data up front, and to honour a data subject's right to withdraw consent at any time. On withdrawal, processing must stop within 72 hours. It also introduces administrative sanctions for non-compliance. In practice, cookie tracking of Indonesian users needs demonstrable opt-in and an easy withdrawal path. See the DLA Piper Indonesia overview.

Thailand: PDPA and the Move to Active Enforcement

Thailand's Personal Data Protection Act (PDPA) became fully effective on 1 June 2022 after pandemic delays, and is enforced by the PDPC. In September 2022 the PDPC issued consent guidelines that call for opt-in consent, a clear "Reject all" option, purpose-specific choices, and logging of each consent; implied or bundled consent is invalid, so only strictly necessary cookies may load without consent.

Since 2024 the regulator has shifted from guidance to active enforcement, issuing its first administrative fines and ending the informal grace period. Statutory administrative fines run up to THB 5 million per violation, alongside possible civil and criminal liability. See the DLA Piper Thailand overview.

The Common Thread, and How to Handle It

Across all six laws the direction is the same: opt-in for non-essential cookies, a clear privacy notice, easy withdrawal, and proof that consent was obtained. The differences live in the edges, transition dates, whether implementing regulations exist yet, penalty ceilings, and local-language notice expectations.

You don't need six separate banners. You need a consent layer that can vary its behaviour by visitor location while keeping one auditable record, exactly the problem regional consent rules solve. Set a GDPR-grade baseline, which already satisfies most of these laws, then layer region-specific text and defaults on top. For the European neighbour with its own distinct model, see our guide to Switzerland's revised FADP.

How CookieBeam Helps

CookieBeam's regional engine lets one banner adapt its language, defaults, and button behaviour to the visitor's jurisdiction, so a Nigerian or Thai visitor sees an opt-in flow while the underlying consent record stays consistent and exportable. Combined with continuous scanning to keep your cookie inventory current, that gives you a defensible position as this patchwork of emerging-market laws keeps expanding. Treat the dates and figures here as a starting map, and confirm the current text with local counsel before you rely on any single point.

Emerging Markets Cookie Consent Laws 2026: Gulf, Africa, SE Asia | CookieBeam | CookieBeam