Senegal Law 2008-12 & Online Payment 2026: Checkout Consent & Data Protection Checklist for E-commerce

Mohamed Bah · Founder, Kolonell
June 29, 2026

The verdict in three sentences

Law 2008-12 on personal data protection requires explicit, informed consent before collecting payment data (mobile money number, card data, identity). Four elements are mandatory: displayed CDP registration number, stated purpose, an opt-in checkbox for retention beyond 30 days, and the right to erasure. Non-compliance exposes you to a 2,000,000 to 10,000,000 FCFA penalty, and storing mobile money numbers without consent triggered 3 CDP actions in 2025.

The Personal Data Protection Commission (CDP) oversees data use in Senegal. Here is what your checkout must display.

| Mandatory element | What it means | Penalty if missing |
|---|---|---|
| Displayed CDP number | Visible registration receipt (footer/terms) | 2,000,000 to 10,000,000 FCFA |
| Stated purpose | Why you collect the data | Formal notice + fine |
| Retention opt-in | Checkbox to keep > 30 days | Data to be deleted |
| Right to erasure | Procedure to delete one's data | CDP injunction |

The most overlooked point: the opt-in checkbox must never be pre-ticked. Valid consent is free, specific and informed; a pre-ticked box is deemed invalid by the CDP.

Violation -> penalty -> fix mapping

Here is how the CDP handles the most frequent breaches on a merchant site, with the recommended technical fix (2026 estimate).

| Violation | Penalty range | Technical fix |
|---|---|---|
| No CDP number displayed | 2,000,000 to 5,000,000 FCFA | Receipt mention in footer |
| Mobile money number stored without consent | 3,000,000 to 10,000,000 FCFA | Opt-in + auto-purge at 30 days |
| Pre-ticked opt-in box | Formal notice | Box unticked by default |
| No erasure procedure | Injunction + penalty | "Delete my data" form |
| Undeclared transfer outside UEMOA | Fine + suspension | CDP declaration + processor clause |

In 2025, 3 CDP actions targeted merchants who kept mobile money numbers without a legal basis. The fix is simple: clear opt-in and automatic purge of unnecessary data after 30 days.
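The opt-in, 30-day auto-purge and erasure fixes from the table above, as an added example in Python with SQLite (not code from the original article or from Kolonell). The table and column names, the `retain_opt_in` form field and the sample numbers are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # limit without opt-in, per the article

SCHEMA = """CREATE TABLE checkout_payment (
    order_id      INTEGER PRIMARY KEY,
    customer_id   TEXT NOT NULL,
    momo_number   TEXT,                       -- NULL once purged or erased
    collected_at  INTEGER NOT NULL,           -- Unix seconds, UTC
    retain_opt_in INTEGER NOT NULL DEFAULT 0  -- 1 only if the box was actively ticked
)"""

def record_checkout(conn, customer_id, momo_number, form, now):
    """Store a payment; consent counts only if the form explicitly sent the box."""
    opted_in = form.get("retain_opt_in") == "on"  # absent field means no consent
    conn.execute(
        "INSERT INTO checkout_payment (customer_id, momo_number, collected_at,"
        " retain_opt_in) VALUES (?, ?, ?, ?)",
        (customer_id, momo_number, int(now.timestamp()), int(opted_in)))

def purge_expired(conn, now):
    """Blank numbers older than 30 days that have no opt-in; return rows purged."""
    cutoff = int((now - RETENTION).timestamp())
    return conn.execute(
        "UPDATE checkout_payment SET momo_number = NULL WHERE retain_opt_in = 0"
        " AND momo_number IS NOT NULL AND collected_at < ?", (cutoff,)).rowcount

def erase_customer(conn, customer_id):
    """Right to erasure: blank the number, withdraw consent, keep the order row."""
    return conn.execute(
        "UPDATE checkout_payment SET momo_number = NULL, retain_opt_in = 0"
        " WHERE customer_id = ? AND momo_number IS NOT NULL", (customer_id,)).rowcount

def demo():
    """Constructed data: two 45-day-old orders (one opted in) and one 5-day-old order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    now = datetime(2026, 6, 29, tzinfo=timezone.utc)
    old = now - timedelta(days=45)
    record_checkout(conn, "c1", "770000001", {}, old)
    record_checkout(conn, "c2", "770000002", {"retain_opt_in": "on"}, old)
    record_checkout(conn, "c3", "770000003", {}, now - timedelta(days=5))
    purged = purge_expired(conn, now)    # only c1 is past 30 days without opt-in
    erased = erase_customer(conn, "c2")  # c2 later asks for deletion
    kept = [r[0] for r in conn.execute(
        "SELECT customer_id FROM checkout_payment WHERE momo_number IS NOT NULL")]
    return purged, erased, kept
```

The order row is kept when the number is blanked, which leaves room for the legal accounting retention mentioned in the FAQ.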

Mini case study

Awa runs an online fashion shop in Dakar. Her site stores every customer's Wave number "for after-sales", without consent or a displayed CDP number. Cumulative risk: missing receipt (up to 5,000,000 FCFA) plus non-consented storage (up to 10,000,000 FCFA). We set up: CDP receipt in the footer, an unticked opt-in box at checkout, and automatic purge of numbers after 30 days unless explicit consent is given. Compliance cost: about 150,000 FCFA of integration. Risk avoided: up to 15,000,000 FCFA in cumulative penalties. The benefit/cost ratio is clear.

FAQ

Do I really have to display a CDP number on my site?

Yes, if you collect personal data (which any e-commerce site does). The CDP registration receipt must be visible, typically in the footer or terms. Its absence carries a penalty of 2,000,000 to 10,000,000 FCFA.

Can I keep my customers' Wave numbers?

Only with explicit consent and for a stated purpose. Without a clear opt-in, the CDP considers storage illegal; automatically purge unnecessary numbers after 30 days.

Can the consent box be pre-ticked?

No. Valid consent must be free and active: the box must be unticked by default. A pre-ticked box is invalid in the CDP's eyes and can lead to a formal notice.

What do I do if a customer asks to delete their data?

Law 2008-12 enshrines a right to erasure. You must provide a simple procedure (form or dedicated email) and delete the data within a reasonable time, except for legal accounting retention.

Does the European GDPR apply to my Senegalese site?

GDPR applies as soon as you target EU customers (the diaspora). In that case your site must combine Law 2008-12 and GDPR requirements: cookie banners, processing records and transfer clauses.

