Nigerian regulators have already imposed an estimated $220 million fine on Meta (Facebook's parent company) over data privacy and consumer protection violations affecting Nigerian users. The Nigeria Data Protection Commission has imposed a ₦766.2 million fine on Multichoice Nigeria. And in August 2025, the Commission launched compliance investigations into 1,368 organisations across banking, insurance, pension, and gaming sectors.
The Nigeria Data Protection Act 2023 (NDPA) is not theoretical. It is being enforced. And if you run any business that collects personal data from Nigerians — including a small e-commerce store, a freelance consultancy, an Instagram shop with a checkout link, or even a WhatsApp broadcast list — it applies to you.
What the NDPA is
Signed into law on 12 June 2023, the NDPA replaced the older Nigeria Data Protection Regulation 2019 and gave Nigeria its first proper, standalone data protection statute. It also created the Nigeria Data Protection Commission (NDPC) — a regulator with real fining power and a growing track record of using it.
The General Application and Implementation Directive (GAID) 2025 — effective from September 2025 — fleshes out the operational details: how to register, how to report breaches, when cross-border data transfers are allowed, when you must appoint a Data Protection Officer.
Who it applies to
The NDPA applies to:
Any organisation in Nigeria that processes personal data, in any form, automated or not.
Any organisation outside Nigeria that processes the personal data of people located in Nigeria.
"Processing" means almost anything you can do with data — collecting it, storing it, using it for marketing, analysing it, sharing it with a third party, deleting it.
That sweep is wide enough to cover:
An online store using Paystack or Flutterwave (you store customer names, addresses, phone numbers, order history).
A freelance designer collecting client briefs through Google Forms.
A real estate agent maintaining a WhatsApp broadcast list of property buyers.
A church or NGO with a member database.
An Instagram seller who DMs customers and stores their contact details for repeat orders.
A school maintaining records of students and parents.
A diaspora-focused business in London or Toronto that signs up Nigerian users.
If you hold a list of people's data anywhere — in a CRM, a spreadsheet, a Mailchimp account, even a notebook — the NDPA covers you.
The four obligations every small business now has
1. Publish a privacy policy. It must be accessible (ideally linked on every page of your site, app, or storefront), written in plain language, and explain what personal data you collect, why you collect it, how long you keep it, who you share it with, and how a user can exercise their rights under the Act. This is the single most visible compliance step and the one regulators check first.
2. Collect lawful consent. Consent under the NDPA must be specific, informed, freely given, and revocable. Pre-ticked checkboxes are not consent. "By using this site you agree to everything" is not consent. You need a meaningful, recorded yes — and the user must be able to withdraw that yes as easily as they gave it.
3. Honour data subject rights. Users in Nigeria now have the legal right to access their data, correct it, withdraw consent, object to processing, and request deletion. Your privacy policy must explain how they exercise these rights — and you must have an internal process to actually fulfil requests within a reasonable time.
4. Report breaches. If personal data you hold is leaked, hacked, lost, or accidentally exposed, you must notify both affected users and the NDPC within the statutory window. Failing to report is itself a breach, and the Commission has signalled it will treat cover-ups much more severely than the original incident.
The fines you actually risk
The NDPA establishes a tiered penalty system overseen by the NDPC:
Data Controllers and Processors of Major Importance — large platforms, financial institutions, telcos, anyone handling significant volumes of personal data: a fine of up to the higher of ₦10 million or 2% of annual gross revenue from the preceding year.
All other Data Controllers and Processors: a fine of up to the higher of ₦2 million or 2% of annual gross revenue from the preceding year.
Read that carefully. The fine is not capped at ₦10 million for big companies — it is whichever is higher: ₦10 million or 2% of annual revenue. For a fintech turning over ₦5 billion, 2% is ₦100 million. For a small business turning over ₦50 million, 2% is ₦1 million. These are not theoretical numbers — Multichoice has already paid materially, and the Meta case shows Nigerian regulators are willing to enforce against the largest companies in the world.
There are also criminal penalties for wilful violations and for failing to comply with NDPC orders — including the possibility of imprisonment of up to one year for the responsible officers.
What you should do this week
1. Audit what data you collect. Walk through every form, sign-up, checkout, contact field, and broadcast list. List everything: names, emails, phone numbers, addresses, payment data, ID copies, location data, photos, anything else. You cannot protect data you have not mapped.
2. Publish a privacy policy on your website, store, and app. It is the single most important compliance artefact, the one regulators check first, and the one users are most likely to actually see.
3. Add a clear consent mechanism at every point where you collect data — sign-ups, checkouts, contact forms, newsletter pop-ups. Replace any pre-ticked boxes. Make it obvious what the user is agreeing to.
4. Document your processes for honouring access and deletion requests. Even a simple internal SOP saying "all data requests go to admin@yourbusiness.com and are answered within 30 days" is far better than nothing.
5. Appoint a Data Protection Officer (or designate an internal point-person). If you process large volumes of data or sensitive data (health, financial, biometric), a formal DPO is required. For most small businesses, an internal point-person who owns compliance is sufficient.
Why this is also a commercial advantage
A privacy policy is not just a legal box to tick. It is a trust signal that:
International payment providers (Stripe, Wise, PayPal) require before approving you.
App stores (Apple, Google) require before listing your app.
B2B buyers and procurement teams check before signing a contract.
Sophisticated consumers look for before entering their card details.
The businesses that treat NDPA compliance as a chore will keep getting outbid by competitors who treat it as a feature.
If you do not have a privacy policy yet
You can have a Nigerian-law-compliant privacy policy live on your site within ten minutes. LegalDoc's NDPA-aligned Privacy Policy generator builds one for you in a guided form — you answer questions about what data you collect, why you collect it, and who you share it with, and the tool outputs a finished policy you can paste straight into your website footer or app settings.
It is properly drafted, properly current, and properly priced in naira. The cost of compliance is a tiny fraction of the cost of explaining to the NDPC why you did not bother.
LegalDoc provides ready-to-use Nigerian legal templates drafted by qualified Nigerian lawyers. This article is general information based on the NDPA 2023 and GAID 2025 as published at time of writing, not legal advice. For complex data processing operations or cross-border transfers, you should consult a qualified data protection specialist.
