Running a website that collects data from Nigerian users — whether a contact form, an e-commerce checkout, or a newsletter signup — comes with legal obligations that many Nigerian businesses are unaware of. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023 create binding requirements. Non-compliance carries fines and reputational risk. This guide covers what your website legally needs.
The NDPR 2019 and NDPA 2023 — What They Require
The NDPR, issued by the National Information Technology Development Agency (NITDA), was Nigeria's first comprehensive data protection framework. The NDPA 2023 updated and expanded it, establishing the Nigeria Data Protection Commission (NDPC) as the supervisory authority. Together, they require Nigerian businesses operating websites to:
- Publish a privacy policy that explains what data you collect, why you collect it, how it is stored, and how users can request deletion or correction
- Obtain lawful consent before collecting personal data — pre-ticked boxes do not satisfy this requirement
- Appoint a Data Protection Officer (DPO) if your organisation processes large volumes of personal data (required for companies processing the data of more than 1,000 individuals in six months)
- Report data breaches to the NDPC within 72 hours of discovery
- Restrict cross-border data transfers to countries with adequate protection standards unless specific safeguards are in place
CAC Registration Display Requirements
The Corporate Affairs Commission Act requires Nigerian companies to display their registered business name and CAC registration number on all official communications — and this extends to websites. For e-commerce businesses and professional services, failing to display your CAC number creates legal exposure and, practically, reduces consumer trust. Your website footer and About page should carry your full registered business name and RC number.
FCCPC E-Commerce Rules for Nigerian Websites
The Federal Competition and Consumer Protection Commission (FCCPC) issued e-commerce guidelines that apply to Nigerian online sellers. Key obligations include:
- Displaying accurate pricing inclusive of all taxes and charges in naira
- Publishing clear refund and returns policies before the point of purchase
- Providing a functioning physical contact address — PO boxes alone are not sufficient
- Not using misleading descriptions, fake testimonials, or artificially inflated discount pricing
The Consumer Protection Council Act reinforces these obligations. Nigerian consumers have a statutory right to accurate information, and your website is the primary delivery channel for that information.
What Your Privacy Policy Must Cover
A Nigeria-compliant privacy policy is not a copy-paste from a US or UK template. It must specifically address Nigerian regulatory requirements:
- Identity and contact details of your business and your DPO (if applicable)
- Legal basis for each category of data processing (consent, contract, legitimate interest)
- Data retention periods
- User rights under the NDPA 2023: access, correction, deletion, portability, objection
- Details of any third parties who receive the data (including Google Analytics, email platforms, payment processors)
- Contact channel for data-related requests
Practical Steps for Your Website
QX137 builds every client website with a dedicated Privacy Policy page, a cookie consent mechanism, and contact form consent language. For Nigerian clients, we include NDPR/NDPA-aligned policy language and the appropriate NDPC contact details. Your legal counsel should review the final policy text — we provide the structure and technical implementation; your solicitor confirms legal accuracy for your specific business activities.
What is the fine for NDPR non-compliance in Nigeria?
Under the NDPA 2023, fines for data protection violations can reach 2% of annual gross revenue or N10 million, whichever is higher. For repeat violations or serious breaches, the NDPC has authority to impose higher penalties. Beyond fines, non-compliance damages consumer trust in a market where lack of trust is already a key barrier to buying.
Does Google Analytics make my Nigerian website non-compliant?
Google Analytics transfers data to Google's servers outside Nigeria. Under NDPR and NDPA, this is permissible if disclosed in your privacy policy and if users are informed via a cookie consent mechanism. You must disclose Google Analytics as a third-party data processor, explain what data it collects, and provide opt-out information. QX137 implements cookie consent banners on all client websites.
Do small Nigerian businesses need to worry about NDPR?
Yes. The NDPR and NDPA apply to all Nigerian entities that process personal data, regardless of company size. If your website has a contact form, you are processing personal data. The compliance requirements scale with the volume and sensitivity of data you handle, but the foundational obligations — privacy policy, lawful consent, data security — apply to every Nigerian business with a website.