Data lawyers and experts have raised alarm over the alleged lack of privacy policies and cookie notices on the homepages of some government agencies, including the Independent National Electoral Commission (INEC), months after President Bola Tinubu directed all ministries and agencies to comply with provisions of the Nigeria Data Protection Act 2023.
Some argue that this is a legal requirement binding on government institutions, demonstrating their commitment to protecting users’ personal data.
Checks by Nairametrics showed that the INEC website has no cookie pop-up (cookies are small text files stored on a user’s device by a website to remember information about their activity) and no privacy policy on its homepage, as of the time of this article.
This also applies to several government institutions’ websites checked by Nairametrics.
In this exclusive interview with Nairametrics, prominent data lawyers and experts shared their views on the legal requirements for website owners.
What Nigerian Data Lawyers/Experts Are Saying
- In an exclusive interview with Nairametrics, Barrister Oladipupo Ige, Director of Policy, Data Privacy Lawyers Association (DPLAN), stated that the General Application and Implementation Directive (GAID Article 7), connected with the Nigeria Data Protection Commission (NDPC) Act, requires all data controllers and processors to provide privacy and cookie notices on the homepage of their websites.
- According to him, the cookie notice should give data subjects the opportunity to decline or accept the notice and must be displayed in such a way that it significantly obstructs the middle, left, or right side of the homepage of a website.
- The lawyer added that relevant laws state that displaying the cookie notice at the bottom of a web page, where it may be ignored or go unnoticed by a data subject, is tantamount to a lack of transparency in data processing.
- He said the absence of privacy policies and cookie notices popping up shows that government agencies need to introspect on their compliance with the law.
“No system is perfect, but cookie notices and privacy policies are the minimum. All agencies should review and comply accordingly to promote data protection practices within the country,” he added.
- He advised that if authorities want to create an environment where data privacy practices are respected, implementation and enforcement should start with government agencies.
- He urged the NDPC, which has direct links with MDAs, to impress upon them the necessity to comply so their processing activities can be transparent and in line with the law.
- Digital Rights Lawyer, Consultant, and Researcher Solomon Okedara told Nairametrics that while government institutions in Nigeria are among the largest data controllers and process personal data via their websites, Section 24 of the Nigeria Data Protection Act (NDPA) 2023 mandates government institutions maintaining a website or mobile app to understand their statutory responsibility to provide users of their websites clear and transparent information on how personal data is collected, stored, used, and protected.
- He said government institutions should understand that a privacy policy is a legal requirement demonstrating a commitment to protecting users’ personal data.
“They help enhance user experience by saving preferences, tracking browsing behavior, and enabling features like login sessions or personalized content,” he added.
- He opined that the lack of privacy and cookie policies on government websites is not a mere irregularity but a clear contravention of extant legislation and regulation.
- He urged the NDPC to go beyond compiling lists of private data controllers for investigation and shine a spotlight on government institutions.
- Barrister Olalekan Bosede told Nairametrics that while the Nigeria Data Protection Act 2023 governs and regulates the processing of personal data in Nigeria, privacy policies and cookie notices on websites are among the required transparent measures for data processors or controllers to demonstrate compliance with the law.
“In that sense, there is an obligation on government agencies to have transparent privacy policies and cookie notices conspicuously displayed on their websites. It is a duty dictated by law,” the lawyer added.
- He stressed that government websites are legally required to publish clear privacy policies and disclose cookie use in line with Section 24 of the NDPA 2023, which compels a general duty of transparency and accountability on the part of data controllers and processors regarding the processing of personal data.
What to Know
Article 7 of the GAID partly provides as follows:
“In order to comply with the provisions of the NDP Act, a data controller or data processor is, among others, expected to:
(k) Publish its organizational privacy policies on its platforms to sensitize data subjects on data processing activities as well as rights and duties in connection therewith.
(l) Provide privacy and cookie notices at the homepage of its website. The cookie notice should give a data subject the opportunity to decline or accept it. A cookie notice must be displayed in such a way that it significantly obstructs the middle, left, or right side of the homepage of a website. Displaying a cookie notice at the bottom of a webpage where it may be ignored or go unnoticed by a data subject is tantamount to lack of transparency in data processing.”
Backstory
- Recall that President Bola Ahmed Tinubu, in July 2025, directed all Ministries, Extra-Ministerial Departments, and Agencies to comply with the Nigeria Data Protection Act, 2023.
- The President described data as the “new oil,” whose value increases and needs to be refined and responsibly shared.
- He directed relevant authorities to capture information rigorously and safeguard it under the NDPA.
