Saudi Arabia PDPL Cookie Compliance
CookieYes is a simple and intuitive cookie consent management tool that will help your website to obtain and manage cookie consent.
What is cookie consent?
Cookie consent is a privacy compliance requirement for websites to obtain consent from users before setting cookies on their devices. It is enabled through cookie banners that are displayed on a user’s first visit to a website.
Cookie consent requires businesses to clearly and explicitly inform users about the cookies present on their website and the purpose of those cookies, and to give users the choice to accept or reject cookies.
What is Saudi Arabia’s PDPL?
The Personal Data Protection Law is the Saudi law on data protection. It covers businesses operating in the Kingdom of Saudi Arabia and requires that they collect, use, store, share, transfer, or update data about Saudi residents only for the purpose of providing goods and services to such residents or for the purpose of monitoring their behavior.
The law applies even if these businesses do not have a physical presence in the country.
Saudi Arabia’s PDPL is similar to other global privacy laws in that it regulates how an organization collects and processes personal data. It prohibits the collection of specific types of data without the explicit consent of the individual, including biometric data, religious information, health information, and genetic data.
The law will come into full enforcement on March 17, 2023.
How to comply with PDPL cookie consent?
- Scan your website to detect cookies and other trackers.
- Display a cookie consent banner to your website visitors.
- Enable users to give consent to each category of cookies separately.
- Link to an up-to-date cookie policy on your cookie banner.
- Block third-party cookies until the user has given consent.
- Record user consents for proof of compliance.
- Allow users to withdraw or revisit their cookie consent at any time.
CookieYes for cookie consent
Cookie consent banner
Display a location-based, auto-translated and responsive cookie consent banner with full customizations for content, design, layout, buttons, behaviour and branding.
Manage cookies
Add a cookie audit table to the cookie banner so users can give granular consent for different categories of cookies. The cookie audit table also shows clear information about the category, purpose and lifespan of cookies.
Cookie scanner
Scan your website periodically to identify and categorize cookies that have been newly added or deleted from your websites. The updated cookies are automatically added to the cookie audit table and cookie policy.
Revisit consent
Enable users to change their consent or modify cookie preferences by displaying a ‘revisit consent’ button on your website. This gives users easy access to withdraw their consent as required for compliance.
Auto-block cookies
Auto-detect and block third-party cookies and trackers on your website until users give consent through the cookie banner. Support the DNT status of users’ browser settings and automatically block tracking cookies.
Consent record
Record user consents in the consent log and export it for proof of compliance. Document users’ consent (anonymized) as well as their consent modifications or changes, if any.
Cookie policy
Add a dynamic, up-to-date cookie policy with a clear description of the usage of cookies and trackers on your site, and how users can change their cookie preferences. Additionally, generate a custom privacy policy for your website to achieve foolproof compliance.
Flexible integrations
Use a single dashboard, no complicated coding, and integrate cookie banners on any CMS, for all your subdomains and comply with multiple data privacy regulations such as GDPR, ePrivacy Directive, CCPA, LGPD, CNIL, PDPL, and so on.
Do cookies require consent under PDPL?
The Personal Data Protection Law (PDPL) is similar to the GDPR, in that both consider any information that can identify an individual as personal data. Cookies collect information that can be used to track a person. Hence, we can say that PDPL does require websites to get consent to use cookies.
Moreover, the law requires entities to not use personal data for marketing purposes without user consent. Cookies are widely used by companies for marketing.
Which cookies require consent?
Cookies other than strictly necessary ones require consent. These include first-party cookies set by the domain you are visiting. They are usually functional cookies that remember login details, your shopping cart, browser preferences etc.
Third-party cookies set by a different domain, i.e. a third party (Google Analytics, Facebook, LinkedIn etc.), require explicit user consent. They usually include advertising or tracking cookies that track your browsing history, online behaviour and spending habits to display targeted ads. Social media buttons, chat functionalities on a website etc. also involve third-party cookies.
Cookie consent examples
For PDPL cookie compliance, your website should display a cookie banner to get user consent and implement a privacy or cookie policy. Cookie consent should involve an affirmative act and be freely given, specific, informed, unambiguous and able to be withdrawn. Consent notices should be accessible and available in plain, intelligible language.
The CookieYes banner will enable users to give informed, specific consent for cookies.
A cookie consent banner should:
- Inform users about cookie usage in plain and intelligible language
- Showcase different cookie categories used on your website
- Provide granular options to accept/reject different cookie categories
- Display ‘accept’ and ‘reject’ buttons on the banner with equal emphasis
- Not use pre-ticked boxes or ‘on’ toggles/sliders
- Link to a compliant cookie policy on the cookie banner
Does PDPL require a privacy policy?
Yes, the privacy policy is one of the major requirements of the PDPL.
The law requires that businesses adopt a Privacy Policy to be made available to users before collecting their information.
This policy must state the purpose of collection, the information to be collected, how it will be gathered and stored, how it will be processed, how it will be destroyed, and the rights of a person about whom the data was collected.
Businesses must inform users of the following before collecting their personal data:
- The legal or valid justification for collecting the personal data.
- The purpose of collecting the personal data and whether it is mandatory or optional to collect all of it.
- That the data will not be used later in a manner inconsistent with the purpose of its collection.
- The identity of the person collecting the personal data and their reference address, where applicable.
- The entity to which the personal data will be disclosed, its description, and whether the personal data will be transferred outside Saudi Arabia.
- Possible consequences of not completing the data collection procedure.
- The data rights of the users.
- Other elements depending on the nature of your organization’s activity.
Frequently asked questions
Does GDPR apply to Saudi Arabia?
The Kingdom of Saudi Arabia (KSA) is not subject to the General Data Protection Regulation (GDPR) because the GDPR protects the data privacy rights of EU and EEA residents. However, if a business established in KSA collects personal data of EU/EEA residents in exchange for goods and services or for monitoring their behavior in the KSA, then GDPR will apply to those businesses.
Does Saudi Arabia have a data protection law?
Yes, the Kingdom of Saudi Arabia (KSA) has a Personal Data Protection Law (PDPL) to protect the data and privacy of its residents. It is an important development for the country, as it does not have an overarching privacy law.
The law will regulate the collection and processing of personal information and set out principles that organizations must follow.
What is the difference between PDPL and GDPR?
GDPR and PDPL are similar in many ways. However, there are a few differences that set them apart. For example, while PDPL covers personal data related to deceased people, GDPR does not cover such data. PDPL provides fewer data rights than GDPR. The law states that the authority is to be informed about a data breach “immediately” rather than specifically mentioning a time period for informing the authority. Fines and imprisonment penalties have been spaced out by specific violations and include imprisonments with or without fines.
What is the penalty for PDPL violation?
Businesses violating any PDPL provision will be issued a warning and/or fined SAR 5 million (USD 1.3 million). The fine may be doubled for repeated violations.
What is personal data under PDPL?
The PDPL defines personal data as any information that identifies a person specifically or could lead to their identification, including (but not limited to): name, driver’s license number, phone number, email address, or social security numbers. Personal data used for personal or household purposes are exempted from PDPL. The law also protects the personal data of deceased individuals if their information could lead to the identification of the deceased individual or their family members specifically.
Like GDPR, the PDPL also groups some types of personal data as “sensitive”. Sensitive personal data under PDPL is any information inferred from an individual’s “ethnic or tribal origin, religious, intellectual or political belief, or indicates his membership in civil associations or institutions.” It also includes criminal and security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that an individual is unknown to one or both parents.
What are the data subject rights under PDPL?
Saudi Arabia PDPL grants its users the following data rights:
- Right to be informed about personal data
- Right to access personal data
- Right to correct personal data
- Right to request deletion of personal data
Where can I find additional resources on PDPL and cookie compliance?
Here are some links you can refer to for additional reading: