Nepal Privacy Act

Individual Privacy Act, 2075 (2018)

Nepal | Opt-in | National

Key Facts

Effective Date: September 18, 2018
Enacted: January 1, 2018
Enforcing Authority: Not publicly documented — no dedicated data protection authority
Consent Model: Opt-in
Applies To: Any person or organization collecting personal or family data as defined in the Act

Overview

Nepal's Privacy Act covers both physical and informational privacy but has a critical limitation for websites: it explicitly does NOT cover IP addresses, cookies, location data, or online identifiers. This makes the law largely irrelevant to website consent management.

What This Means for Your Website

  • The law explicitly excludes cookies, IP addresses, location data, and online identifiers
  • Consent is required for personal or family data as narrowly defined in the Act
  • Penalties are among the lowest globally (~USD 225)
  • No dedicated data protection authority exists
  • Practical impact on website cookie consent is minimal

Key Requirements

No dedicated DPA enforces the Act. Penalties include imprisonment up to 3 years or fines up to NPR 30,000 (~USD 225). The narrow definition of personal data, excluding digital identifiers, significantly limits the law's relevance to online data processing.

How ConsentStack Handles This

ConsentStack applies best-practice consent for Nepalese visitors despite the law's limited relevance to online tracking.

Penalties

Imprisonment up to 3 years, fines up to NPR 30,000 (~USD 225), or both.

Maximum Fine: NPR 30,000 per violation

Key Requirements

  • Consent required for collecting personal or family data
  • Protection from unauthorized surveillance and data misuse
  • Applies to both physical and informational privacy
  • Limited to categories of personal data defined in the Act

Notable Provisions

  • Explicitly excludes cookies, IPs, location data, and online identifiers
  • Penalties among the lowest globally (~USD 225)
  • No dedicated data protection authority
  • Covers physical privacy as well as informational

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does Nepal's law cover cookies?

No. Nepal's Privacy Act explicitly excludes IP addresses, cookies, location data, and online identifiers from its definition of personal data.

What are Nepal's privacy penalties?

Up to 3 years imprisonment or NPR 30,000 (~USD 225) — among the lowest privacy penalties globally.

Is Nepal's Privacy Act relevant to websites?

Minimally. The explicit exclusion of digital identifiers makes the law largely irrelevant to website consent management.
