Website Compliance in Nigeria: NDPA 2023 Requirements Explained
You’re a Nigerian business owner, and you get an email from a potential client asking about your data protection practices. You forward it to your web developer, who replies, “What’s NDPA?”
If this sounds familiar, you’re not alone. Website compliance in Nigeria is still evolving, and most business websites lack basic NDPA compliance: missing privacy policies, contact forms with no data processing notices, and broken cookie consent mechanisms.
This isn’t just for tech companies. If your website collects names, emails, or phone numbers, NDPA applies to you. That includes SMEs, professional services firms, ecommerce businesses, agencies, and startups. (For broader regulatory considerations affecting Nigerian startups, see our regulatory challenges guide.)
This article covers the specific requirements: privacy policies, cookie consent, form compliance, third-party tools, enforcement reality, and a practical audit checklist. For backend data storage and security, see our SharePoint NDPA compliance guide.
Understanding NDPA’s Website Implications
NDPA regulates how you collect, use, store, and share personal data. For websites, that means any point where you gather information about visitors or customers.
What counts as personal data:
The obvious: names, email addresses, phone numbers, and addresses. But also IP addresses, device IDs, browsing behavior, and business contact information. That procurement manager’s work email? That’s personal data. NDPA applies to B2B just as much as B2C. For a broader understanding of how NDPA affects Nigerian businesses, read our complete guide to NDPA for businesses.
Why website compliance matters:
Your website is where you first collect data. Every contact form, newsletter signup, or job application creates a compliance obligation. Violations are visible too—NDPC doesn’t need a technical audit to spot them.
Third-party tools like Google Analytics, Facebook Pixel, or WhatsApp widgets create additional obligations.
Why regulators look at websites first:
Websites are easy to inspect. NDPC can identify violations just by clicking through your site. Complaints often start here too. Someone requests data deletion, you ignore them, and they file a complaint. The regulator’s first action? Visit your website to assess your data protection practices.
Common misconceptions:
“We just have a contact form.” The moment someone submits their email, you’re processing personal data. The collection itself triggers compliance obligations under NDPA.
“We’re B2B, so this doesn’t apply.” Business contacts are individuals. NDPA protects individuals’ data regardless of whether the context is B2B or B2C.
“Our website is hosted abroad.” Server location doesn’t matter. If you serve Nigerian users, NDPA applies regardless of where your infrastructure is located.
Enforcement reality:
NDPC has issued fines and compliance letters to companies across sectors. Current enforcement focuses on data breaches, companies ignoring user complaints, and organizations handling sensitive data. However, SMEs are also receiving compliance assessment letters. For detailed case studies, see our Nigerian data breach analysis.
Enforcement is largely complaint-driven. A single unresolved complaint can trigger regulatory scrutiny of your entire website. The cost of fixing obvious gaps now is lower than remediation under regulatory pressure.
For a broader NDPA context beyond websites, see our comprehensive guide to navigating NDPA 2023.
Required Website Elements
Privacy Policy Requirements
Your privacy policy explains what data you collect and what you do with it. Here’s what must be in it:
Essential contents:
- Who you are (business name, contact details)
- What data you collect and why (be specific: “We collect emails through contact forms to respond to inquiries”)
- Legal basis for processing (consent, contract, or legitimate interest)
- How long you keep data
- Who you share it with (name actual services: Mailchimp, Google Analytics, Paystack)
- User rights under NDPA and how to exercise them
- How to file complaints with NDPC
Common mistakes to avoid:
- Using US/EU templates without adapting to Nigerian requirements
- Vague language like “we may share with partners” (name them specifically)
- Not updating when you add new tools
- Burying it in unreadable footer text
Example of specific tool disclosure: If you use Google Analytics, Meta Pixel, WhatsApp widget, and Paystack, list them all. If you later remove Meta Pixel, update your privacy policy immediately.
Display it prominently in your footer on every page. Also link it near every form and on your cookie banner (“Learn more” or “Privacy Policy”). Don’t make users hunt for it. Use plain language, date it, and keep it up to date.
Cookie Consent
Essential cookies (login status, shopping cart) don’t need consent. Analytics, advertising, and marketing cookies do.
Requirements:
- Get consent before setting non-essential cookies
- Allow users to reject, not just accept
- Explain what each cookie type does clearly
- Ensure it works on mobile (most Nigerian traffic)
Bad vs. good cookie banners:
- Bad: “By using this site, you agree to cookies. [OK]” (no choice, bundled consent)
- Good: “We use cookies to improve your experience. [Accept all] [Reject non-essential] [Manage preferences]” (clear choice)
For WordPress users: Use plugins like CookieYes or Complianz. Configure cookie categories (essential, analytics, marketing), set them to block scripts until consent is granted, and test thoroughly on mobile devices before going live. For broader WordPress security considerations, see our WordPress security guide for Nigerian businesses.
Data Processing Notices
Every form needs a short notice explaining why you’re collecting data and how you’ll use it.
Example for contact form: “We’ll use your email and phone number to respond to your inquiry. We won’t share your information with third parties or use it for marketing unless you opt in separately. See our [Privacy Policy] for full details.”
Example for newsletter: “By subscribing, you agree to receive our weekly newsletter with business technology insights and occasional product updates. You can unsubscribe anytime. We use Mailchimp to send emails. See our [Privacy Policy] for details.”
Data Protection Contact
Most SMEs don’t need a dedicated Data Protection Officer. You can designate an internal contact and create a privacy email address (privacy@yourcompany.com). Include this in your privacy policy so users know how to reach you with data requests or questions.
Forms and Lead Capture Compliance
Lawful Basis for Processing
NDPA requires a valid, lawful basis for processing personal data. This simply means you must have a clear, documented reason for collecting and using someone’s information.
Three main bases apply to most Nigerian businesses:
Consent – for marketing, newsletters, and non-essential communications. Pre-checked boxes don’t count. Users must actively opt in.
Contract – for service delivery and orders. Processing is necessary to fulfill their request or complete the purchase.
Legitimate interest – when you have a genuine business need, balanced against user rights. This is more nuanced and requires careful justification. Important: Legitimate interest does not cover unsolicited marketing or adding people to sales mailing lists. If it’s marketing, you need explicit consent.
Quick reference table:
| Form Type | Purpose | Lawful Basis | Need Consent? |
|---|---|---|---|
| Newsletter signup | Marketing | Consent | Yes |
| Product order | Fulfill purchase | Contract | No (for order processing) |
| Quote request | Provide pricing | Contract | No (for quote) |
| Contact form | Answer question | Legitimate interest | No (for response), Yes (for marketing) |
| Job application | Recruitment | Consent/Legitimate interest | Depends on use |
Document your lawful basis decisions. You should be able to explain why you chose consent, contract, or legitimate interest for each processing type.
Minimal Data Collection
Collect only what you need. Every field should have a justifiable purpose.
Make only essential fields required. Mark optional fields clearly. Explain why you’re asking for information. If you just need to send a quote, why ask for company size or revenue?
Examples of overcollection:
- Contact form asking for revenue and employee count when you’re just answering a question
- Newsletter signup asking for job title and industry when email alone is sufficient
- Quote request with “How did you hear about us?” (make optional or skip it entirely)
User Rights Implementation
Users can request access to their data, request corrections, request deletion, and opt out. Your website needs to enable these rights.
Create a dedicated email for data requests (privacy@yourcompany.com). Document your process internally. NDPA gives you 30 days to respond.
Verify identity before fulfilling requests. For a request sent from the same email address you hold on file, confirming that the requester controls that address (for example by replying to it and waiting for a confirmation) may suffice. For sensitive data or deletion requests, ask for additional proof of identity before acting, and record what you checked.
Include clear instructions in your privacy policy for exercising rights.
Newsletter and Marketing Consents
Requirements:
- Separate consent for marketing (can’t bundle with service terms)
- Clear about what you’ll send and how often
- Easy unsubscribe in every email
- Don’t add people without explicit consent
What you cannot do:
- Use pre-checked boxes
- Add people from business cards or purchased lists without consent
- Continue emailing after they unsubscribe
Good consent example: “☐ Yes, send me your monthly newsletter with business technology insights. You can unsubscribe anytime.”
For WordPress forms: Add a consent checkbox only when marketing consent is needed. For basic contact forms (quote requests, inquiries), you don’t need a marketing checkbox—just a data processing notice explaining you’ll use the info to respond.
Keep records of when and how people consented. When someone unsubscribes, remove them immediately and document it.
Third-Party Tools and Plugins
Every plugin, widget, or tracking tool you add creates compliance obligations. This is a commonly overlooked aspect of website compliance in Nigeria. You remain responsible even when third parties process the data.
Why This Matters
You must disclose all third-party tools in your privacy policy. Vague statements like “we use analytics tools” don’t work. Name them specifically: Google Analytics, Facebook Pixel, Mailchimp.
Many tools collect more than you realize. That chat widget might capture IP addresses, device info, browsing patterns, and conversation logs.
Some tools require consent before loading. Analytics and advertising tools typically need user consent before setting cookies or collecting data.
Common Tools and What to Know
Google Analytics: Collects IP addresses, browsing behavior, and device information. Configure with IP anonymization. Decide whether you need consent (safest approach) or can claim legitimate interest. If you rely on legitimate interest for analytics, document why you need it, configure it with privacy in mind, and still offer users an easy opt-out mechanism. When in doubt, consent is the safer route. Disclose in privacy policy.
Facebook Pixel: Tracks browsing for advertising. Requires consent before loading. Shares data with Meta. Block it until users consent through your cookie tool.
WhatsApp Chat Widgets: Depends on implementation. Direct WhatsApp links have minimal data implications. Full widgets that log conversations require disclosure and, in some cases, consent.
Email Marketing Platforms (Mailchimp, etc.): They’re data processors. Get a data processing agreement (DPA) with them. Most reputable platforms offer standard DPAs in their settings.
Payment Gateways (Paystack, Flutterwave): Handle sensitive financial data. Choose compliant providers. Clearly disclose which payment data you collect and which the gateway handles. You should never store card details on your own systems.
CRM Systems (Zoho, HubSpot): Require DPAs. Remember that users can request the deletion of CRM records under NDPA.
Data Processing Agreements (DPAs)
Any service that processes personal data on your behalf requires a DPA. This includes email platforms, CRM systems, analytics tools, and chat software.
Most SaaS platforms have standard DPAs you can accept in their settings or download from their legal pages. If a service refuses to provide a DPA or has poor data protection practices, reconsider using it.
Audit Your Tools
List every service integrated with your site. For each, confirm:
- Is it in your privacy policy?
- Do you have a DPA if needed?
- Does it require consent before loading?
- Is it actually necessary?
Simple audit method: open your site in a private (incognito) browser window so no earlier consent choice is stored. When the cookie banner appears, don't accept anything. Then open the browser's developer tools (the Network tab for scripts, the Application or Storage tab for cookies) or use a cookie scanner to see which scripts load and which cookies are set. If analytics pixels or tracking tools load before consent, that's a violation you need to fix. Repeat the check after clicking Reject to confirm that nothing loads then either.
Remove tools you’re not using. Before adding new tools, consider compliance implications first.
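The two mechanisms described above, consent-gated script loading from the Cookie Consent section and the before-consent audit from this section, as an added example that is not code from the article, CookieYes or Complianz. The gate keeps non-essential third-party scripts inert until their category is granted and writes a timestamped consent record, and the audit helper lists any known tracker that is still loadable before consent. Function names, the storage key, the `data-consent` attribute convention and the sample script list are assumptions; the tracker hosts are those of the tools the article itself names.

```javascript
// Added example, not from the article or any plugin: a minimal consent gate plus the
// "nothing loads before consent" audit helper. Names below are invented.
//
// Browser usage: write every non-essential third-party tag as an inert placeholder,
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
// register it with the gate, and let the gate turn it into a real <script src>
// only after the matching category has been granted.

const CATEGORIES = ["essential", "analytics", "marketing"];
const CONSENT_KEY = "ndpa-consent"; // assumed storage key

// Hosts of the trackers named in the article; used by the audit helper.
const TRACKER_HOSTS = ["googletagmanager.com", "google-analytics.com", "connect.facebook.net"];

// storage: anything with getItem/setItem (window.localStorage in the browser).
// activate(category, src): called once per gated script when its category is granted.
function createConsentGate(storage, activate) {
  let granted = readConsent();
  const pending = []; // { category, src } not yet allowed to load

  function readConsent() {
    // Essential is always on; anything else must have been explicitly recorded earlier.
    try {
      const saved = JSON.parse(storage.getItem(CONSENT_KEY) || "null");
      const extra = saved && Array.isArray(saved.granted) ? saved.granted : [];
      return new Set(["essential", ...extra.filter((c) => CATEGORIES.includes(c))]);
    } catch {
      return new Set(["essential"]);
    }
  }

  function save() {
    // This timestamped record is the "when and how people consented" evidence to keep.
    const record = { granted: [...granted].filter((c) => c !== "essential"), at: new Date().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
  }

  function flush() {
    const ready = pending.filter((p) => granted.has(p.category));
    for (const p of ready) pending.splice(pending.indexOf(p), 1);
    for (const p of ready) activate(p.category, p.src);
  }

  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
    pending.push({ category, src });
    flush(); // loads immediately if its category is already granted (e.g. essential)
  }

  function grant(categories) {
    for (const c of categories) if (CATEGORIES.includes(c)) granted.add(c);
    save();
    flush();
  }

  function rejectNonEssential() {
    granted = new Set(["essential"]); // pending non-essential scripts stay blocked
    save();
  }

  return { register, grant, rejectNonEssential, granted: () => [...granted], pending: () => pending.map((p) => p.src) };
}

// Browser activate() for the gate: turns a placeholder into a real script element.
function activateInDom(category, src) {
  const el = document.createElement("script");
  el.src = src;
  el.dataset.consent = category;
  document.head.appendChild(el);
}

// Audit helper for the incognito check: given the page's script tags, return every known
// tracker that is loadable (not an inert text/plain placeholder). Gather the input in
// devtools BEFORE touching the banner with:
//   [...document.scripts].map((s) => ({ src: s.src, type: s.type, consent: s.dataset.consent }))
function findUngatedTrackers(scripts) {
  const hits = [];
  for (const s of scripts) {
    let host;
    try { host = new URL(s.src).hostname; } catch { continue; } // inline or relative: not a tracker
    const tracker = TRACKER_HOSTS.some((h) => host === h || host.endsWith("." + h));
    if (tracker && s.type !== "text/plain") hits.push(s.src);
  }
  return hits;
}

// Constructed sample of a leaky page before consent: GA loads live, Pixel is gated.
const SAMPLE_SCRIPTS = [
  { src: "https://www.googletagmanager.com/gtag/js?id=G-TEST", type: "", consent: undefined },
  { src: "https://connect.facebook.net/en_US/fbevents.js", type: "text/plain", consent: "marketing" },
  { src: "https://example.com/static/app.js", type: "", consent: undefined },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("ungated trackers:", findUngatedTrackers(SAMPLE_SCRIPTS));
}
```

Two caveats when you use this pattern for real. A tracker that is injected by another script (a tag manager container loading pixels) is not visible as a tag in the HTML, so the Network tab, not the tag list, is the authority on what actually loaded. And the stored record is the browser's copy only; if you later need to show that someone consented, the server-side log you write when the banner choice is submitted is the record that counts.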
Penalties and Enforcement Reality
What the Law Says
NDPA 2023 allows fines up to ₦10 million or 2% of annual revenue (whichever is higher) for serious violations. NDPC can issue compliance notices before penalties are imposed, giving you time to address issues.
Violations that can trigger penalties:
- Processing personal data without a valid lawful basis
- No privacy policy or an inadequate policy
- Ignoring user rights requests
- Unreported data breaches
- Refusing to cooperate with NDPC
Current Enforcement
NDPC enforcement is real but still maturing. Focus areas include high-profile breaches, companies that ignore user complaints, and sensitive sectors such as fintech and healthtech. Website compliance in Nigeria has become a regulatory priority as more businesses move online.
SMEs are receiving compliance assessment letters. Industry associations are hosting NDPC guidance sessions. Public enforcement cases are creating awareness that the regulations have teeth.
The Complaints-Driven Risk
Most businesses encounter NDPA enforcement through user complaints. Here’s how it typically happens:
Someone exercises their data rights (e.g., by submitting a deletion request or accessing their data). You ignore it or refuse without valid reasons. They file a complaint with NDPC. NDPC will investigate and may identify additional violations on your website.
A single unresolved complaint can trigger full regulatory scrutiny. Handle data rights requests promptly and professionally. Make the process straightforward. Document everything.
Beyond Financial Penalties
Other compliance costs:
- Reputational damage if NDPC publicly announces penalties
- Loss of corporate clients who require vendor compliance
- Higher remediation costs when fixing problems under regulatory pressure
- Time and distraction dealing with investigations
Good faith matters:
Regulators distinguish between businesses trying to comply and those that ignore their obligations. Good faith means maintaining basic measures, even if imperfect, properly handling user requests, fixing gaps when discovered, and documenting compliance efforts.
Poor compliance looks like: failing to address obvious violations, ignoring user requests, continuing violations after notification, and obstructing regulators.
The Bottom Line
Don’t wait for enforcement to address obvious problems. Proactive compliance is more cost-effective than fixing issues under regulatory pressure. Understand your risk level (sensitive sectors and large user bases face more scrutiny). Treat user rights requests seriously—this is how most SMEs first encounter enforcement. The regulatory environment will tighten, not loosen.
Website Compliance in Nigeria: Practical Checklist
Immediate Priorities (This Week)
Privacy Policy:
☐ Do you have one accessible from every page?
☐ Does it list all data collection points and third-party tools?
☐ Does it explain user rights with contact information?
☐ Is it specific to your business, not a generic template?
Contact Forms:
☐ Do forms have data processing notices?
☐ Are you collecting only necessary information?
☐ Is the lawful basis clear to users?
Cookie Consent:
☐ Do you use non-essential cookies?
☐ Can users reject or customize, not just accept?
☐ Does it work on mobile?
Medium-Term Fixes (This Month)
Third-Party Tools:
☐ List all plugins, tracking tools, and widgets
☐ Update privacy policy to include them all
☐ Get data processing agreements where needed
☐ Remove unnecessary tools
User Rights Process:
☐ Create privacy email (privacy@yourcompany.com)
☐ Document your process for handling requests
☐ Set up a system to respond within 30 days
☐ Train staff on handling requests
Documentation:
☐ Document lawful basis for each data collection
☐ Review marketing consent mechanisms
☐ Clean up any presumed consents
Ongoing Maintenance
☐ Quarterly privacy policy review
☐ Check for new tools added without updates
☐ Test cookie consent on different devices
☐ Monitor NDPC guidance and updates
When You Need Professional Help
Consider professional help if you:
- Process sensitive data (health, financial, children’s)
- Have complex third-party integrations
- Are planning major website changes
- Received an NDPC inquiry
- Need your privacy policy legally reviewed
For comprehensive compliance strategies beyond just website requirements, see our guide on data protection compliance strategies for Nigerian businesses.
Conclusion
Website compliance in Nigeria is no longer optional under NDPA. Start with fundamentals: privacy policy, cookie consent, and data processing notices on forms. Then move to deeper compliance: audit third-party tools, document legal basis, and establish user rights processes.
Your next steps:
Use this checklist to audit your website this week. Fix critical gaps (privacy policy, obvious form violations) within two weeks. Schedule medium-term fixes over the next month. Set quarterly compliance reviews.
This isn’t just about avoiding penalties. It’s about building trust with customers and positioning your business as professional and mature. Companies that proactively address compliance will gain a competitive advantage as Nigeria’s data protection environment continues to evolve.
Start today. The effort you invest now protects your business and serves your customers’ interests.
Need help getting started? We can run a quick NDPA website compliance audit and send you a prioritized fix list you can implement internally or hand to your developer. Schedule your IT consultation or get a free initial assessment.