Law 2010/012

Law No. 2010/012 of December 21, 2010 on Cybersecurity and Cybercrime; superseded by Law No. 2024/017 on Personal Data Protection

Flag of CM
CameroonOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
December 21, 2010
Enacted
December 21, 2010
Enforcing Authority
ANTIC (original law); Personal Data Protection Authority (2024 law)
Consent Model
Opt-in
Applies To
All entities processing personal data within Cameroon; 2024 law establishes a new Personal Data Protection Authority

Overview

Cameroon originally regulated data protection through its 2010 cybersecurity law (Law 2010/012), then enacted a comprehensive standalone data protection law in December 2024 (Law 2024/017). The 2024 law is notably stricter than GDPR in key areas: there is no legitimate interest basis for processing, and pre-ticked boxes, opt-out mechanisms, and bundled consent are explicitly prohibited. Penalties include fines up to XAF 100,000,000 and imprisonment up to 10 years.

What This Means for Your Website

If your website serves Cameroonian visitors, prior consent is required for ALL processing with no legitimate interest fallback. Pre-ticked consent boxes and opt-out mechanisms are explicitly banned, meaning you must implement clear affirmative opt-in. Bundled consent is also prohibited, so each processing purpose must be consented to separately.

Key Requirements

The law requires prior declaration or authorization from the supervisory authority before processing. Fines reach XAF 100M with up to 10 years imprisonment for serious violations. Data subjects have rights of access, rectification, and opposition. The 2024 law establishes a new Personal Data Protection Authority to supersede ANTIC's role.

How ConsentStack Handles This

ConsentStack detects Cameroonian visitors and displays a strict opt-in consent banner with no pre-ticked boxes. Each processing purpose is presented separately to comply with the bundled consent prohibition.

Penalties

Up to XAF 100,000,000; up to 10 years imprisonment; civil damages; suspension or withdrawal of authorization (2024 law)

Maximum Fine
XAF100,000,000 per violation

Key Requirements

  • Prior consent required for ALL processing (no legitimate interest basis)
  • Pre-ticked boxes, opt-out mechanisms, and bundled consent explicitly prohibited
  • Prior declaration or authorization from supervisory authority
  • ANTIC notification required for cyberattacks and intrusions
  • Data subjects have rights of access, rectification, and opposition
  • Data retained for 10 years (connection data under original law)

Notable Provisions

  • STRICTER than GDPR: no legitimate interest basis
  • Pre-ticked boxes and opt-out explicitly prohibited
  • Bundled consent prohibited
  • New comprehensive 2024 law supersedes 2010 cybersecurity provisions
  • 10-year imprisonment among the highest in Africa

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is Cameroon's law stricter than GDPR?

Yes. Cameroon's 2024 law has no legitimate interest basis for processing, and explicitly prohibits pre-ticked boxes, opt-out mechanisms, and bundled consent.

What are the penalties in Cameroon?

Fines up to XAF 100,000,000, up to 10 years imprisonment, civil damages, and suspension or withdrawal of authorization.

When was Cameroon's new data protection law enacted?

The comprehensive standalone data protection law (Law 2024/017) was enacted in December 2024, superseding data protection provisions in the 2010 cybersecurity law.

Stay compliant with Law 2010/012

ConsentStack helps you implement Opt-in consent for Cameroon automatically.

Get started