Skip to main content
Back to Guides
Compliance5 min read

Nigeria NDPA Cookie Consent: 2026 Guide

Nigeria's NDPC now says cookie banners belong at the top of the page, not the bottom, and wants opt-in before non-essential cookies. Here's what the 2023 Act and the 2025 GAID require, and what enforcement looks like.

Nigeria's data regulator has an unusually specific view on where your cookie banner should sit. Under the General Application and Implementation Directive (GAID) that took effect on 19 September 2025, the banner should appear in the first visible section of the page, and putting it at the bottom is explicitly discouraged. That's the level of detail the Nigeria Data Protection Commission (NDPC) is now working at, and it's backing it with real fines.

This guide covers the Nigeria Data Protection Act (NDPA) 2023, the cookie rules in the GAID, and what non-compliance costs in Africa's largest market.

The law and the regulator

The NDPA came into force on 12 June 2023, replacing the 2019 NDPR regulation with a full statute. It's enforced by the NDPC, which the Act establishes as an independent commission. The GAID, effective September 2025, is the operational rulebook that fills in the detail the Act leaves open, including classification thresholds, fees, and the cookie provisions.

The NDPA applies to data controllers and processors in Nigeria, and to those outside the country processing the personal data of people in Nigeria. It also introduces the concept of a data controller or processor of major importance, a designation that carries heavier obligations and, as you'll see, higher fines.

The GAID cookie rules

The cookie provisions in the GAID read like a tightening of expectations rather than a wholesale reinvention. The core requirements:

  • Opt-in for non-essential cookies. Consent is required before setting cookies or tracking tools, with an exception for cookies that enable core functions like security, stability or accessibility.
  • Banner placement. The consent request should sit in the first visible section of the page. Burying it at the bottom of the screen is discouraged.
  • Clear information. Cookie information has to be easy to understand, and you have to tell users the presence and purpose of the cookies you use.
  • A genuine choice. Consent under the NDPA has to be freely given, specific, informed and unambiguous, so a notice-only banner won't do for tracking cookies.

The Banner Placement Rule Is Unusual

Most privacy regimes stay silent on where a cookie banner physically sits. Nigeria's GAID is one of the few to address it directly, discouraging bottom-of-screen banners in favour of a prominent placement in the first visible section. If your current banner is a thin strip at the foot of the page, that's a specific point to revisit for Nigerian visitors.

Registration, audits and data subject rights

The NDPA doesn't stop at consent. A data controller or processor of major importance has to register with the NDPC and, in most cases, file an annual compliance audit. Those audits run through licensed Data Protection Compliance Organisations (DPCOs), a system Nigeria carried over and formalised from the old NDPR. If your site tracks a large Nigerian audience, budget for registration and an annual filing, on top of the banner itself.

The Act also gives Nigerians the familiar set of data subject rights: access to their data, correction, deletion, objection to processing, and the right to withdraw consent. Because cookie IDs and advertising profiles count as personal data when they identify someone, a preferences panel that lets visitors revisit and change their choices is part of meeting those rights, not an optional extra.

Penalties and enforcement

The NDPA scales penalties by how significant the organisation is. For a data controller or processor of major importance, a breach can draw a fine of the greater of NGN 10 million or 2% of annual gross revenue from the preceding year. For other organisations, the fine is the greater of NGN 2 million or 2% of annual gross revenue. An organisation is generally treated as of major importance if it processes the personal data of a large number of people or operates in sectors like finance, communications, health or insurance.

Enforcement is no longer theoretical. The NDPC moved from an advisory posture to active enforcement across 2024 and 2025, issued compliance notices to more than 1,300 organisations in August 2025, and fined MultiChoice Nigeria NGN 766.2 million for failing to obtain user consent and for unlawful cross-border transfers.

Where CookieBeam Fits

CookieBeam's regional rules let you serve Nigerian visitors an opt-in banner positioned prominently, while other regions use their own layout and behaviour. Non-essential tags stay blocked until consent, and per-purpose consent logging keeps a timestamped record of what each visitor agreed to. You choose the region, the categories and the placement; the banner does the rest.

How the NDPA differs from the old NDPR

If you set up consent under the 2019 NDPR and haven't revisited it, treat the NDPA as a reset rather than a continuation. The NDPR was a regulation issued by an agency; the NDPA is primary legislation passed by the National Assembly, which gives the NDPC firmer statutory footing to investigate and fine. The Act sharpened the definition of valid consent, added the data-controller-of-major-importance tier with its own registration and audit duties, and set the penalty structure now tied to gross revenue. The 2025 GAID then layered on the operational detail, including the cookie-banner placement rule. A banner that passed muster under the NDPR in 2021 is worth re-checking against the current requirements.

Related guides

Nigeria's NDPA sits alongside a growing set of African and other opt-in regimes. Compare it with South Africa's POPIA and Brazil's LGPD. For the full map, see cookie consent laws around the world and the mechanics in running one banner across a global audience.

Primary sources: Nigeria Data Protection Commission, ndpc.gov.ng; Nigeria Data Protection Act 2023; General Application and Implementation Directive (GAID) 2025, effective 19 September 2025.

Nigeria NDPA Cookie Consent 2026: NDPC & GAID Rules | CookieBeam | CookieBeam