Compliance

What is NDPA and does your website comply?

April 2026 | 6 min read

If you run a business in Nigeria and you have a website, you need to know about the Nigeria Data Protection Act (NDPA) 2023. It is the law that governs how you collect, store, and use your customers' personal information.

This is not optional. It is not just for tech companies. If your website has a contact form, a booking system, or even a WhatsApp button that collects phone numbers, the NDPA applies to you.

What is the NDPA in simple terms?

The NDPA is Nigeria's data protection law, signed in June 2023. Think of it as the Nigerian version of Europe's GDPR. It says: if you collect personal data from Nigerians, you must handle it responsibly.

Personal data means anything that can identify a person: name, phone number, email address, location, IP address, even a WhatsApp number.

What does your website need?

At minimum, your website must have these three things:

1. Cookie consent (NDPA Section 25)

If your website uses cookies (and it almost certainly does if you use Google Analytics, Facebook Pixel, or any tracking tool), you must tell visitors and get their consent before setting non-essential cookies.

This means a banner or popup that says something like: "This website uses cookies to improve your experience. By continuing, you agree to our cookie policy."

The rule: You cannot track visitors without telling them first. No sneaky analytics. No hidden pixels. Tell them, let them choose.

2. Privacy policy page (NDPA Sections 26-27)

You must have a privacy policy that explains:

What data you collect and why
How you store and protect it
Who you share it with (if anyone)
How long you keep it
How customers can request their data be deleted
A contact email for data protection questions

This must be a real page on your website, not a hidden PDF. It must be written in language your customers can understand. Not legal jargon. Plain English (or whatever language your customers speak).

3. Data subject rights (NDPA Section 34)

Your customers have the right to:

Know what data you have about them
Ask you to correct wrong information
Ask you to delete their data
Withdraw their consent at any time

You need a way for people to make these requests. A dedicated email address (like privacy@yourbusiness.com) is the simplest approach.

What happens if you don't comply?

The Nigeria Data Protection Commission (NDPC) can:

Issue compliance orders (fix it or else)
Fine you up to 2% of your annual revenue or N10 million, whichever is higher
Order you to stop processing data (meaning your website goes dark)

Even if enforcement is still catching up, non-compliance is a business risk. Customers are becoming more aware. Partners and investors check. And when enforcement does ramp up, you want to already be compliant.

How to check your website right now

Run your website through our free scanner. It checks for cookie consent mechanisms, privacy policy pages, and security headers. Takes 10 seconds.

Check your NDPA compliance

Free scan. Instant results. No signup.

Scan your website

If your site is missing cookie consent or a privacy page, fix it now. If you need help, Pejji builds NDPA-compliant websites from day one.