Cameroon’s 2024 Data Protection Law: Key Changes and What They Mean for Your Business
In an era where data drives economies and digital transformation is accelerating globally, Cameroon has taken a significant step to modernize its data protection framework. The newly enacted 2024 Data Protection Law replaces the 2010 legislation, aligning the country with international standards like the EU’s General Data Protection Regulation (GDPR) while addressing local challenges. This landmark law introduces stricter rules for data handlers, empowers citizens, and positions Cameroon as a leader in digital governance in Central Africa. Here’s a breakdown of the key changes and their implications for businesses, NGOs, and individuals.
- Expanded Definition of “Personal Data”
The 2024 law broadens the scope of what constitutes personal data to include digital identifiers such as IP addresses, device IDs, and biometric data (e.g., fingerprints or facial recognition). This reflects the growing use of technology in sectors like banking (Mobile Money) and healthcare.
Why it matters:
Businesses must now secure not just names and addresses but also digital footprints.
Startups using AI or IoT devices (e.g., agritech sensors) must reassess data collection practices.
- Stricter Consent Requirements
Gone are the days of pre-ticked boxes or vague permissions. The law mandates explicit, informed consent for data collection, requiring clear explanations in French, English, or local languages. Consent can be withdrawn anytime.
Example:
A Douala e-commerce site must now explain how customer data (e.g., phone numbers) will be used (e.g., SMS alerts) before checkout.
- Enhanced Rights for Data Subjects
Cameroonians now have GDPR-style rights, including:
Right to Access: Request a copy of their data held by organizations.
Right to Erasure: Demand deletion of outdated or unnecessary data.
Right to Portability: Transfer data between service providers (e.g., switching Mobile Money platforms).
Impact:
Businesses must implement systems to handle such requests within 30 days or face penalties.
- Mandatory Data Protection Officers (DPOs)
Organizations handling large-scale data (e.g., telecoms, banks, hospitals) must appoint a Data Protection Officer to oversee compliance. Even SMEs processing sensitive data (e.g., health records) may need a designated DPO.
Who’s affected:
MTN, Orange, and financial institutions.
Startups in healthtech, edtech, or fintech.
- Breach Notification Within 72 Hours
A major shift from the 2010 law, the 2024 update requires organizations to report data breaches (e.g., leaks, hacks) to the Cameroon Data Protection Authority (CDPA) within 72 hours of discovery. Affected individuals must also be notified if the breach poses a “high risk” to their rights.
Preparation tip:
Invest in cybersecurity tools and incident response plans to meet tight deadlines.
- Tighter Cross-Border Data Transfer Rules
Transferring Cameroonian citizens’ data outside the country now requires:
Adequacy Decisions: Recipient countries must have “equivalent” data protection laws.
Binding Corporate Rules (BCRs): For multinational companies sharing data across borders.
Challenge:
Many Cameroonian businesses using cloud services (e.g., AWS, Google Cloud) must verify if providers comply.
- Hefty Fines for Non-Compliance
The law introduces tiered penalties to deter violations:
Minor breaches: Up to XAF 10 million (~$16,500) or 2% of annual turnover.
Major breaches: Up to XAF 50 million (~$82,500) or 4% of annual turnover.
Note: Fines apply to both companies and responsible individuals (e.g., CEOs, DPOs).
- Creation of the Cameroon Data Protection Authority (CDPA)
The CDPA replaces the fragmented oversight under the 2010 law. This independent body will:
Investigate complaints.
Issue fines.
Educate the public on data rights.
Expect:
Increased audits for sectors like finance and healthcare.
Public awareness campaigns in cities like Yaoundé and Douala.
- Special Provisions for Children’s Data
Collecting data from minors under 16 now requires parental consent. Schools, apps, and online platforms must implement age verification mechanisms.
Local context:
Edtech startups like e-learning platforms must redesign sign-up processes.
Social media influencers targeting teens need legal reviews.
- Encouraging Innovation with “Data Sandboxes”
To balance regulation and growth, the CDPA will launch data sandboxes allowing startups to test innovations (e.g., AI, blockchain) under temporary exemptions.
Opportunity:
Tech hubs in Silicon Mountain (Buea) or Dakar-inspired incubators can pilot projects responsibly.
Preparing for Compliance: Steps for Businesses
Audit Your Data: Map what you collect, where it’s stored, and who accesses it.
Update Privacy Policies: Ensure clarity and multilingual support (FR/EN).
Train Staff: Educate teams on consent protocols and breach response.
Partner with Experts: Consult legal and IT firms familiar with the law.
The Bigger Picture: Cameroon’s Digital Ambitions
The 2024 law isn’t just about compliance—it’s a strategic move to:
Boost investor confidence in Cameroon’s digital economy.
Facilitate cross-border trade with GDPR-compliant partners.
Combat cybercrime, which costs African economies $4 billion annually (World Bank).
Final Thoughts
Cameroon’s 2024 Data Protection Law marks a pivotal step toward a safer, more transparent digital ecosystem. While compliance may seem daunting, businesses that adapt early will gain a competitive edge through customer trust and operational resilience. As the CDPA rolls out guidelines, staying informed and proactive is key.
Need Help?
Trendesigners offers compliance-ready IT solutions, from secure cloud systems to GDPR/Cameroonian law-aligned software. Contact us to future-proof your business.
