DPA 2011

Data Protection Act, 2011 (Act No. 5 of 2012)

Key Facts

Effective Date: January 1, 2012
Enacted: January 1, 2011
Enforcing Authority: Data Protection Commission (NOT YET APPOINTED)
Consent Model: Opt-in
Applies To: All data controllers processing personal data within Lesotho

Overview

Lesotho's Data Protection Act 2011 is one of the earlier data protection laws in Southern Africa. Published in the Government Gazette in 2012, it establishes a Data Protection Commission as the supervisory authority. However, the Commission has never been appointed, rendering the law largely unenforceable. Penalties include fines of M50,000 and up to 5 years imprisonment, but enforcement requires court action as the Commission cannot impose fines directly.

What This Means for Your Website

If your website processes personal data of Lesotho visitors, consent is technically required under the law. Data must be collected for specified, explicit, and legitimate purposes, and processing must be adequate, relevant, and not excessive. However, the absence of an operational Data Protection Commission means enforcement is effectively non-existent.

Key Requirements

The law mandates consent for processing, purpose limitation, data minimization, storage limitation, and data integrity obligations. Data subjects have rights of access and rectification. Penalties are enforced through courts only, as the Commission lacks direct fining powers.

How ConsentStack Handles This

ConsentStack detects Lesotho-based visitors and presents a consent banner requiring opt-in, ensuring your website is prepared for future enforcement when the Data Protection Commission is eventually established.

Penalties

M50,000 fines; up to 5 years imprisonment

Maximum Fine: LSL50,000 per violation

Key Requirements

  • Consent required for personal data processing
  • Data collected for specified, explicit, and legitimate purposes only
  • Processing must be adequate, relevant, and not excessive
  • Personal data not retained longer than necessary
  • Data controllers must secure integrity of personal data
  • Data subjects have rights of access and rectification

Notable Provisions

  • Data Protection Commission mandated but NEVER APPOINTED
  • Commission lacks power to impose fines even when appointed (courts-only model)
  • Considerably weaker enforcement mechanisms than analogous bodies in other jurisdictions

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Is Lesotho's DPA actively enforced?

No. The Data Protection Commission mandated by the law has never been appointed, making enforcement effectively non-existent.

What are the penalties under Lesotho's DPA?

Fines of M50,000 and up to 5 years imprisonment, though enforcement requires court action.

Should I still comply with Lesotho's DPA?

Compliance is advisable as a best practice. The Commission may be appointed in the future, and consent requirements exist on paper regardless of enforcement status.
