Months after President Bola Tinubu ordered all ministries, departments, and agencies (MDAs) to align with the Nigeria Data Protection Act (NDPA) 2023, a troubling gap remains: several government websites, including that of the Independent National Electoral Commission (INEC), lack visible privacy policies and cookie notices on their homepages.
Cookies—small text files stored on users’ devices—are not just technical tools. They are gateways to sensitive personal data, and under Nigerian law, websites must clearly disclose their use while offering users the option to accept or decline. Yet, checks by Nairametrics found INEC’s site still without a cookie pop-up or privacy policy, raising questions about compliance at the highest levels of governance.
Why It Matters
Legal experts argue that these omissions are not mere oversights but potential violations. Barrister Oladipupo Ige, Director of Policy at the Data Privacy Lawyers Association (DPLAN), explains that both the NDPA and its General Application and Implementation Directive (GAID, Article 7) require privacy policies and cookie notices to be prominently displayed—ideally at the center or side of a homepage, not hidden in footnotes. Anything less undermines transparency.
Digital rights lawyer Solomon Okedara reinforces the point, noting that Section 24 of the NDPA 2023 specifically binds government institutions, as some of the country’s largest data controllers, to inform users how personal information is collected, stored, and used. “This is not optional—it’s a statutory responsibility,” he stresses.
Barrister Olalekan Bosede adds that publishing privacy policies is not just about legal compliance but about public trust. Citizens need assurance that their sensitive information—ranging from voting data to identity records—is handled responsibly.
The Bigger Picture
Nigeria’s data protection journey is unfolding against a backdrop where data is described by President Tinubu as the “new oil.” In July 2025, he directed MDAs to rigorously safeguard personal data, recognizing its value and vulnerability in a digital-first economy. Yet, the gap between directives and execution reveals a lingering challenge: regulators often spotlight private-sector compliance but shy away from holding public institutions to the same standard.
Experts warn that this uneven enforcement risks eroding confidence in the government’s commitment to digital rights. If state agencies themselves sidestep transparency, the legitimacy of broader compliance efforts could collapse.
Ultimately, experts insist the Nigeria Data Protection Commission (NDPC) must lead by example—starting with government websites—before expecting private entities to follow suit.
