Your website drops cookies the moment a visitor arrives: Google Analytics, Facebook pixel, embedded YouTube video. Most Senegalese SMEs ignore it, but collecting data without consent exposes you. Senegalese personal data protection law, overseen by the Personal Data Protection Commission, sets rules. And if you have clients in Europe, GDPR also applies.
This guide explains simply what an SME needs to put in place: a proper consent banner, a clear cookie policy and sound data management. No frightening legalese, just concrete actions to be compliant and inspire trust.
Understanding cookies and why they are a problem
A cookie is a small file placed on the visitor browser. Some are essential to the site working, like keeping a basket filled. Others serve to measure audience or target advertising, and those collect personal data.
Essential cookies and tracking cookies
The distinction is central. Strictly necessary cookies, for example those maintaining a logged in session, do not require consent. In contrast, measurement cookies like Google Analytics, and advertising cookies like the Facebook pixel, require the visitor prior agreement. This category is what triggers the legal obligations.
The legal framework in Senegal
Senegal has a personal data protection law, supervised by the Personal Data Protection Commission, the CDP. This law imposes several principles: inform people, collect their consent for certain processing, secure the data and let people exercise their rights.
What the law expects of you
Concretely, you must clearly inform your visitors of the data collected and its purpose, obtain their consent for non essential cookies, secure that data, and let them access their data or have it deleted. For certain processing, a declaration to the CDP may be required. It is best to inquire depending on your activity.
GDPR for your European clients
If your site targets or serves clients in the European Union, GDPR applies, regardless of where your company is. GDPR is stricter: free and explicit consent, right to erasure, total transparency. For a Senegalese SME oriented toward export or the diaspora, respecting GDPR is not only an obligation, it is an argument of seriousness facing demanding clients.
The consent banner, the centerpiece
This is the most visible element of your compliance. Done poorly, it annoys or protects nothing. Done well, it informs and respects the visitor choice.
The rules of a good banner
A compliant banner must clearly inform about the cookies used. It must offer a real choice: accept, refuse, and ideally customize. The refuse button must be as accessible as the accept button, not hidden. And above all, no tracking cookie must fire before the visitor has accepted. A banner that loads Google Analytics on arrival, before any click, respects nothing.
The tools to set it up
Solutions like Cookiebot, Axeptio or dedicated WordPress extensions manage the banner and block cookies until consent is given. Some are free for small sites. The key is that they actually block the tags before acceptance, which is often configured via Google Tag Manager.
The link with Google Tag Manager
If you use GTM, configure your tracking tags to fire only after consent. Google consent mode lets GA4 work while respecting the visitor choice. This is the technical setup that makes your banner truly effective, and not just decorative.
The cookie and privacy policy
Beyond the banner, your site needs two documents accessible from the footer. A privacy policy explains what data you collect, why, how long you keep it and how the visitor exercises their rights. A cookie policy details the cookies used and their purpose. These pages reassure and prove your seriousness in case of a check.
Data management best practices
Collect only what is necessary
Do not ask for ten pieces of information in a form if three suffice. The less data you collect, the less you have to protect and justify. This is the minimization principle, simple and protective.
Secure and limit access
Customer data must be stored securely, with access limited to the people who need it. Couple this rule with a good backup strategy and MFA, topics we cover in our security guide.
Need a professional website?
Kolonell builds websites that attract clients, optimized for the Sénégalese market. Free quote in 2 minutes.
Plan a retention period
Do not keep data indefinitely. Set a reasonable duration, for example deleting inactive prospects after two or three years. Keeping data forever increases risk without adding value.
Mini case: Sope Naby online store in Dakar
Sope Naby, an online fashion store in Dakar, also sold to the diaspora in France and Belgium. The site loaded Google Analytics, the Facebook pixel and Google Fonts on arrival, with no banner at all. A European customer, aware of GDPR, publicly flagged this lapse on social media, which dented trust.
We set up a compliant consent banner via GTM, which blocks all tracking cookies until acceptance. We wrote a clear privacy and cookie policy, accessible from the footer. Unexpected result: not only did the brand avoid legal risk, it communicated about its data seriousness. Diaspora customers, used to these standards, welcomed the move. Compliance became a sales argument, not just a constraint.
Common mistakes to avoid
The fake decorative banner
A banner saying "by continuing you accept cookies" with no refuse button, and that loads everything on arrival, protects nothing. It is worse than no banner, because it gives an illusion of compliance.
Ignoring the topic because you are in Senegal
The CDP law exists and applies. And as soon as a European client is involved, GDPR kicks in. Thinking compliance only concerns Europe is a costly mistake.
Copying another site policy
A privacy policy must reflect what you actually collect. Copying another company policy leads to a false document, which exposes you more than it protects you.
FAQ
Does my Senegalese site really need a cookie banner?
If your site uses Google Analytics, an advertising pixel or any tracking cookie, yes. Senegalese law requires informing and collecting consent for these non essential cookies.
Does GDPR apply to a Senegalese company?
Yes, as soon as you target or serve clients in the European Union. GDPR follows the data of European residents, regardless of where your company is located.
Is a cookie banner enough to be compliant?
No. The banner is one piece, but you also need a privacy policy, a cookie policy, and secure data management. Compliance is a whole, not a single button.
Can I use a free banner?
Yes, several tools offer free versions for small sites. What matters is not the price, but that the banner actually blocks tracking cookies before consent.
What does an SME risk by ignoring these rules?
In Senegal, sanctions from the CDP are possible. For GDPR, fines can be heavy. But the most immediate risk for an SME is the loss of trust from informed customers.
Does consent slow down my GA4 statistics?
You measure the visitors who accept, so part of the traffic. Google consent mode, however, lets you keep useful aggregated data while respecting refusals. It is a compromise between compliance and measurement.
Let's talk about your project. Kolonell sets up your compliant consent banner, writes your cookie and privacy policies and configures GTM to respect the law. Message us on WhatsApp +221 77 596 93 33.
Mohamed Bah
Fondateur, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Sénégalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online présence.
