Why the legal compliance of your website is not optional
In 2026, the CDP (Senegal Commission for the Protection of Personal Data) has strengthened its audits. Penalties for non-compliance with Law 2008-12 of 25 January 2008 can reach 10 million FCFA for an SME and more for larger companies. Beyond the fine, a CDP audit often triggers a public posting on their website — lasting reputational damage. International companies with a Senegalese subsidiary or local presence are subject to the same regime.
The good news: compliance for an ordinary website is not complex. It fits into a 12-point checklist you should review this month.
Law 2008-12: what you must know in 2026
Law 2008-12 governs the processing of personal data in Senegal. It applies to any entity that collects or processes data on its website, whether:
- A contact form (name, email)
- A newsletter (subscriber emails)
- A user account (address, phone, password)
- A payment system (bank or mobile money details)
- Analytics cookies (Google Analytics, Meta Pixel)
12-point legal obligations checklist
1. Complete and accessible legal mentions
A /legal-mentions page accessible from the footer, containing:
- Full legal name of the business
- Legal form (SARL, SUARL, etc.)
- Registered office address
- Share capital
- NINEA and RCCM numbers
- Publishing director
- Site host (name, address, contact)
- Contact email and phone
2. Privacy policy
A /privacy page detailing:
- Which personal data is collected
- Collection purposes
- Retention duration
- Recipients (who accesses the data)
- User rights (access, rectification, deletion)
- DPO or data controller contact details
- Cross-border data transfers (if any)
3. Terms of use (ToU)
A /terms page framing:
- Access conditions
- Allowed/forbidden behaviours
- Intellectual property
- Publisher liability
- Applicable law (Senegalese law)
- Competent courts in case of dispute
4. Terms of sale (ToS) — for e-commerce
If you sell online (goods or services):
- Precise product/service description
- Prices including all taxes (TTC) in FCFA
- Payment methods (Wave, OM, card, wire)
- Delivery methods and timeframes
- Return and refund conditions
- Legal warranties
5. Explicit consent form
For each data-collecting form:
- Unticked checkbox ("I accept the privacy policy")
- Visible link to the policy
- Clear information on data use
- Easy unsubscribe option for newsletters
6. Compliant cookies banner
If your site uses Google Analytics, Meta Pixel, or any tracker:
- Banner visible from the first visit
- Granular choice: accept / refuse / customise
- No third-party cookies dropped before consent
- Link to a detailed cookies policy
7. CDP declaration (if required)
Some processing activities must be declared to the CDP before use:
- Large-scale processing of sensitive data (health, political/religious opinions)
- Video surveillance
- Systematic geolocation
- Recruitment and HR management
Most SME showcase and e-commerce sites don't need a declaration. But check case by case.
8. HTTPS encryption
SSL certificate mandatory. Plain HTTP is sanctionable because it doesn't protect data in transit. A free Let's Encrypt certificate suffices for an SME. Kolonell activates HTTPS by default on every site.
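A static check for checklist items 5, 6 and 8, added here as an illustration and not Kolonell's own code: it flags tracker scripts that would run before consent, pre-ticked checkboxes, and forms that post over plain HTTP. It assumes consent-gated trackers are marked type="text/plain" (a common consent-manager convention); the tracker host list, function names and sample HTML are constructed for the example.

```javascript
// Added example: static audit of one HTML page for checklist items 5, 6 and 8.
// Assumption: consent-gated trackers carry type="text/plain" so the browser
// does not execute them until a consent manager re-enables them.
const TRACKER_HOSTS = ['googletagmanager.com', 'google-analytics.com', 'connect.facebook.net'];

// Parse one opening tag into a map of lower-cased attribute name -> value.
function attrs(tag) {
  const out = {};
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return out;
}

// True when src resolves to a listed tracker host or one of its subdomains.
function isTracker(src) {
  let host;
  try { host = new URL(src, 'https://site.invalid').hostname; } catch { return false; }
  return TRACKER_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

function auditHtml(html) {
  const findings = [];
  const tags = (name) => html.match(new RegExp(`<${name}\\b[^>]*>`, 'gi')) || [];
  for (const a of tags('script').map(attrs)) {
    const gated = (a.type || '').toLowerCase() === 'text/plain';
    if (a.src && isTracker(a.src) && !gated) findings.push(`tracker loads before consent: ${a.src}`);
  }
  for (const a of tags('input').map(attrs)) {
    if ((a.type || '').toLowerCase() === 'checkbox' && 'checked' in a)
      findings.push(`pre-ticked checkbox: ${a.name || '(unnamed)'}`);
  }
  for (const a of tags('form').map(attrs)) {
    if (/^http:\/\//i.test(a.action || '')) findings.push(`form posts over plain HTTP: ${a.action}`);
  }
  return findings;
}

// Constructed sample page (not from a real site); G-EXAMPLE is a placeholder id.
const SAMPLE = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-consent="analytics" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/js/app.js"></script>
<form action="http://example.com/subscribe">
  <input type="email" name="email">
  <input type="checkbox" name="newsletter_consent" checked>
  <input type="checkbox" name="privacy_consent">
</form>`;
console.log(auditHtml(SAMPLE).join('\n'));
```

Trackers injected by inline snippets are not visible to a static scan like this; confirm those in the browser's network panel before and after giving consent.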
9. Hosting and cross-border transfers
If your data is hosted outside Senegal (e.g. AWS Dublin, Vercel US), you must:
- Clearly state this in the privacy policy
- Ensure the host offers an equivalent protection level
- Ideally use a GDPR-certified European host
10. Right to access and rectify
A user must be able, via a visible email address (e.g. privacy@yourdomain.com), to:
- Request which data you hold on them
- Correct erroneous data
- Request deletion ("right to be forgotten")
- Obtain their data in a portable format
Mandatory response within 30 days maximum.
11. Data security
Best-efforts obligation:
- Hashed passwords (bcrypt, never plain text)
- Regular backups
- Intrusion protection (firewall, WAF)
- Access logs preserved
- Data-breach recovery plan
In case of a breach: CDP notification within 72h mandatory.
12. Accessibility for people with disabilities
Senegalese law encourages (and will eventually require) web accessibility (WCAG 2.1 level AA): sufficient contrast, keyboard navigation, ARIA attributes, alt text on images. Good for users AND for SEO.
The 5 mistakes that can cost you dearly
Mistake 1: copying legal mentions from another site
Generic or foreign legal mentions don't protect. They must reflect your exact structure.
Mistake 2: no privacy policy
Site without privacy policy = non-compliant by default. Even a simple showcase site must have one.
Mistake 3: Google Analytics without a cookies banner
The GA tracker drops cookies on page load; without prior consent, that is non-compliance.
Mistake 4: form without GDPR/consent checkbox
Illegal data collection = possible penalty.
Mistake 5: no newsletter unsubscribe
The duty to offer easy unsubscribe is strict. Visible link in every email.
Kolonell approach: compliance by design
Every Kolonell site ships compliant with Law 2008-12 by default:
- HTTPS enabled
- Legal mentions, privacy, and ToU pages pre-drafted (to adapt to your structure)
- Compliant cookies banner with granular choice
- Forms with explicit consent
- Internal CDP control checklist
For e-commerce: custom-drafted ToS and online payment compliance.
Take action
If your current site is more than 2 years old, the chances that it is fully CDP-compliant in 2026 are low. A 30-minute compliance audit identifies the 5-10 items to fix immediately.
Mohamed Ba
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.