Unlike Europe, the UAE does not have separate legislation regulating the use of cookies so general principles of data protection law apply. Therefore, obtaining prior explicit consent will be required.
The federal data protection law in the UAE prohibits the processing of personal data without the consent of the individual and if the cookies process personal data, express consent should be sought prior to the processing as the exemptions to consent are unlikely to apply. Note the conditions for consent:
As mentioned above in Q1, there are no specific cookie rules in the UAE and therefore the federal data protection law principles should be applied to the use of cookies which include the processing of personal data.
It is prohibited to process personal data without consent. However, the following cases
are excluded from such prohibition:
The federal data protection law in the UAE does not distinguish between types of cookies. If cookies process personal data, consent is required prior to processing meaning they should not be placed automatically unless they fall within an exemption.
For example, the processing is necessary:
No, implicit consent would not be sufficient. The consent must be a specific, informed and unambiguous indication of the individual’s agreement to the processing of personal data by a statement or by a clear affirmative action. This means implying consent from a user continuing to browse a site would not be considered valid consent.
As the UAE does not have separate legislation regulating the use of cookies, we rely on general principles of data protection law instead. For this reason, it is important to provide a notice to the individuals (in addition to obtaining prior explicit consent), which explains the purpose of the processing, the targeted sectors or establishments with which the personal data is to be shared whether inside or outside the UAE and the protection measures for cross border processing. The notice can be in the form of a privacy notice or a separate cookie notice.
There are no explicit laws on this. However, we recommend implementing a cookie banner with a consent functionality to provide individuals with information about the data processing carried out via cookies and/ or other tracking technologies.
If the cookie wall constitutes a hybrid approach that obtains general user consent but leaves out any choice for the user to granulate their consent to certain types of cookies, then this would not be permitted as personal data must be collected for a specific and clear purpose and may not be processed at any subsequent time in a manner incompatible with that purpose; meaning bulk consent is not compliant. However, personal data may be processed if the purpose of processing is similar or close to the purpose for which such data is collected.
The UAE Data Office has not yet been set up. We do not have any information on the timeframe for its establishment as at the date of this publication.
None that we are aware of.
The executive regulations are expected to provide more guidance and information on the basic data protection principles established in the federal data protection law in the UAE. In terms of timing, the executive regulations were expected to be published within 6 months of the date of promulgation of the data protection law which was in March 2022. However, they were delayed, and no timeframe has been provided for its release as yet.