The verdict in three sentences
A Senegalese site is not subject to GDPR by default: it falls under law 2008-12 and the CDP. This requires prior consent for non-essential cookies, a declaration of processing and a defined retention period. Pasting a GDPR banner copied from Europe isn't enough — and having none at all exposes you to penalties.
Law 2008-12 / CDP vs GDPR: what changes
The principles look alike, but the authority, formalities and legal references differ. A compliant banner cites the right law and the right regulator.
| Criterion | Law 2008-12 / CDP (Senegal) | GDPR (EU) |
|---|---|---|
| Supervisory authority | CDP | CNIL and peers |
| Reference text | Law 2008-12 | Regulation 2016/679 |
| Consent for non-essential cookies | required | required |
| Prior declaration / registration | yes, CDP register | internal register |
| Data protection officer (DPO) | recommended case by case | mandatory case by case |
| Scope | processing in Senegal | EU residents |
Cookie banner compliance checklist
A compliant banner isn't just a visual: it's technical behavior (deposit nothing before the click) and documentation.
| Element | CDP requirement | Status to verify |
|---|---|---|
| Consent before cookie deposit | mandatory | block third-party scripts |
| Granular choice (accept/refuse) | mandatory | 2 equivalent buttons |
| Accessible privacy policy | mandatory | linked dedicated page |
| Cookie retention period | defined (often 6 to 13 months) | documented |
| Declaration of processing to CDP | mandatory | receipt kept |
| Processing register | recommended | kept up to date |
| Right of access / deletion | mandatory | contact provided |
Mini case study
Aïssatou runs an online store in Dakar with 8,000 visitors/month and Meta and Google ad pixels. Her site deposits tracking cookies before any consent and has no CDP declaration. Compliance — a banner blocking third-party scripts, a privacy page, registry declaration — costs an order of magnitude of 250,000 FCFA. Against the risk of penalty and lost trust, the decision is easy: the compliance cost is under 0.3 % of her annual revenue.
FAQ
Need a professional website?
Kolonell builds websites that attract clients, optimized for the Sénégalese market. Free quote in 2 minutes.
Does GDPR apply to my Senegalese site?
Not by default: your reference is law 2008-12 and the CDP. GDPR only concerns you if you process data of European Union residents.
Do I really have to declare my site to the CDP?
Yes, personal-data processing must in principle be declared/registered with the CDP, and the receipt kept. It's a formality separate from the banner alone.
Is a cookie banner enough to be compliant?
No: the banner must technically block non-essential cookies before the click, offer a refusal as easy as acceptance, and come with a privacy policy and a declaration.
How long should cookies be kept?
The common order of magnitude is 6 to 13 months for measurement and advertising cookies. This period must be documented and respected.
How much does compliance cost?
Expect an order of magnitude of 150,000 to 400,000 FCFA depending on site complexity. It's nothing compared to a penalty or reputation loss.
Let's talk about your project. We bring your site into compliance with law 2008-12 and the CDP: compliant banner, privacy policy and declaration. WhatsApp +221 77 596 93 33.
Mohamed Bah
Fondateur, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Sénégalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online présence.
