Every time you sign up for a food delivery app, apply for a loan through a fintech platform, or scroll through a social media feed tailored to your habits, you are handing over personal data. For a long time, Nigerian internet users did this with almost no legal protection. That changed in June 2023, when President Bola Tinubu signed the Nigeria Data Protection Act (NDPA) into law, establishing the country’s first standalone legal framework for data privacy.
What the Law Actually Covers
The NDPA governs how organisations collect, store, process, and share personal data belonging to Nigerian citizens. Personal data, under the Act, means any information that can identify you: your name, phone number, email address, biometric details, financial records, or browsing behaviour.
The law applies to any company processing Nigerian user data, whether that company is based in Lagos or London. This extraterritorial reach is significant. It means foreign platforms serving Nigerian users are legally obligated to comply.
Rights You Now Have
The NDPA grants ordinary users several enforceable rights that previously had no legal footing in Nigeria.
You have the right to know what data an organisation holds about you and why it was collected. You can request that inaccurate data be corrected, or that your data be deleted entirely under certain conditions. You can also withdraw consent for data processing, meaning a company cannot indefinitely use information you gave them for one purpose and quietly repurpose it for another.
Critically, organisations must now obtain your explicit, informed consent before collecting sensitive data. Burying permission inside a 40-page terms-of-service document no longer satisfies the legal standard.
Who Is Responsible for Enforcement
The Nigeria Data Protection Commission (NDPC), established under the Act, is the body responsible for enforcement. It can investigate complaints, audit organisations, and impose fines. Penalties for serious violations can reach up to two percent of an organisation’s annual gross revenue.
The NDPC also requires data-heavy organisations to appoint a Data Protection Officer and conduct impact assessments before deploying systems that process personal data at scale.
Where It Touches Your Daily Life
The practical impact is most visible in sectors Nigerians interact with daily.
Fintech platforms that collect your BVN, income details, and transaction history are now required to handle that data under stricter rules. Lending apps that once shared or sold user financial data without consequence face real liability. Healthtech companies holding patient records must implement stronger security standards. Even employers who collect employee data fall within the law’s scope.
For users, this means that when a platform asks for your data, the request should now come with a clear explanation of its purpose, how long it will be kept, and who it may be shared with.
The Gap Between Law and Reality
The NDPC has moved to establish a compliance framework, but enforcement is still maturing. Many smaller organisations remain unaware of their obligations. Consumer awareness is equally low; most Nigerian internet users do not yet know they have formal privacy rights, let alone how to exercise them.
This is not unusual for new legislation. It took the European Union several years after introducing its General Data Protection Regulation in 2018 before enforcement became consistent and consequential.
Nigeria’s data protection law sets the right foundation. Whether it delivers meaningful protection for everyday users depends on sustained enforcement, public education, and a regulatory body willing to act when violations occur. For now, knowing your rights is the first step.
