Website privacy standards: Is Ghana’s data protection commission falling short?

By Kofi Anokye OWUSU-DARKO (Dr)

In the digital age, having a web presence is more than just an aesthetic exercise involving colours, fonts, images, and user-friendliness. Websites, particularly those that interact with users and collect personal data, must comply with legal standards concerning data protection.

Data controllers (website owners) who collect personal data from website users (data subjects) have a legal and ethical responsibility to ensure compliance with data protection principles.

Unfortunately, in Ghana, many websites fail to meet these obligations, leaving users exposed to privacy risks. Surprisingly, even the Data Protection Commission (DPC)—the regulatory body responsible for enforcing compliance—exhibits gaps in meeting its own standards.

This article examines the fundamental legal requirements for website data protection, assesses the compliance of Ghana’s Data Protection Commission website, though under construction but collecting and processing data and highlights the urgent need for improvement.

It also explores the economic potential of data compliance as a growing field, offering employment opportunities for professionals. Ultimately, it calls for stronger enforcement, proactive regulatory leadership, and greater accountability in ensuring that Ghana’s digital landscape aligns with global best practices.

LEGAL COMPLIANCE IN WEBSITE DATA PROTECTION

To ensure a website adheres to data protection laws and best practices, the following elements are crucial:

 Privacy Policy

A privacy policy is a fundamental document for any website collecting personal data. It should clearly outline:

• What data is collected (e.g., names, email addresses, browsing behavior, IP addresses).
• How the data will be used (e.g., analytics, marketing, service improvement).
• Security measures in place to protect personal information.
• Whether cookies or tracking technologies are used.
• Third-party data-sharing policies, if applicable.
• How users can access, modify, or delete their data.

A privacy policy must be prominently displayed, and users should be made aware of it before submitting any personal information.

Terms and Conditions of Use

This document governs how users interact with a website and establishes the legal relationship between the website owner and the users. It should include:

• Acceptable use policies to prevent website misuse.
• Applicable laws and jurisdictions governing disputes.
• Copyright and intellectual property rights, especially concerning user-generated content.
• Dispute resolution mechanisms.
• Liability limitations and disclaimers.

Terms and conditions should be easily accessible and accepted by users before they engage with any interactive services on the site.

Opt-in/Opt-out Mechanisms

When a website collects personal data for purposes beyond core functionality—such as direct marketing or data sharing with third parties—users should have the right to opt in or opt out.

• Opt-in: Users must actively consent before their data is used for additional purposes. This is the preferred and more ethical approach, as it prioritizes user privacy.
• Opt-out: Users should be able to withdraw consent at any time if they initially agreed to data collection for marketing or other purposes.

Websites cannot use deceptive design practices (i.e., “dark patterns”) that make it harder for users to opt out or exercise their rights. Opt-out requests must be as easy to execute as opting in.

Websites should implement clear mechanisms (e.g., checkboxes, email preferences) to allow users to manage their data preferences easily.

 Use of Cookies

Cookies are small text files stored on a user’s device that help track browsing behaviour, enhance user experience, and enable website functionality such as authentication and personalization. Websites must:

• Inform users if cookies are being used.
• Provide an option to accept or reject them.

Transparency in cookie usage helps users make informed decisions about their privacy while browsing.

Websites must obtain explicit user consent before placing non-essential cookies (e.g., tracking cookies). Cookie banners must allow users to accept, reject, or customize tracking preferences. Pre-checked consent boxes (opt-out) are not allowed, ensuring that users make an active choice regarding their data privacy.

INTERNATIONAL BEST PRACTICES: LESSONS FROM GDPR AND GLOBAL STANDARDS

Internationally, robust data protection laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the U.S. have set a high standard for website compliance. These frameworks emphasize user consent, data transparency, and strict enforcement.

Under GDPR, websites must:

• Obtain explicit consent from users before collecting personal data.
• Provide clear and accessible privacy policies explaining data collection, usage, and retention.
• Implement strict penalties for non-compliance.

Many African countries, including South Africa (POPIA), Nigeria (NDPR), and Kenya (DPA), have adopted similar frameworks, reinforcing the importance of strong data protection regulations.

Additionally, GDPR mandates that users have rights over their data, including:

• The right to access, modify, and delete their personal data.
• The right to object to automated decision-making, particularly in AI-driven profiling.

Ghana’s Data Protection Act, 2012 (Act 843) incorporates some principles of the General Data Protection Regulation (GDPR) which can guide data protection compliance in website design but lacks strong enforcement mechanisms. This enforcement gap weakens regulatory effectiveness and reduces digital trust, making it difficult to ensure that websites and businesses fully comply with data protection laws.

To address this, Ghana’s Data Protection Commission (DPC) must take a more proactive approach in enforcing compliance. One way to strengthen regulatory oversight is by amending Act 843 to include a specific section on website data protection compliance. This would ensure that website designs align with international privacy standards and adequately protect data subjects.

Alternatively, the DPC could develop a simple and practical guideline for website compliance—an “idiot-proof” manual that outlines clear and straightforward steps for website designers. This would make it easier for businesses and developers to create privacy-compliant websites while ensuring that users’ personal data is protected.

Since websites often have global reach, ensuring compliance with international data protection frameworks—such as GDPR—would not only safeguard Ghanaians’ privacy rights but also enhance trust in Ghana’s digital ecosystem on an international scale.

THE CASE OF GHANA’S DATA PROTECTION COMMISSION (DPC) WEBSITE

The Data Protection Commission (DPC) is mandated to enforce Ghana’s Data Protection Act, 2012 (Act 843). As a regulatory leader, it should set the benchmark for compliance. However, a review of its website (https://dataprotection.org.gh/) accessed 17/02/2025, though under construction reveals some areas of concern:

• Despite being under construction, the site allows users to register and renew licenses meaning personal data is actively collected and processed. Therefore, data protection standards must still be met, regardless of the site’s construction status.

• The website’s landing page does not trigger a pop-up notice informing users about the collection or use of cookies. Further analysis reveals that the website employs a third-party tracker, Cloudflare, which has the capability to collect contact information, monitor browsing activity, and track clickstream data. This data is used to enhance user experience and profiling. Additionally, Cloudflare stores information in log files, raising concerns about cross-border data processing and potential cross-border data compliance issues.
• Clicking “REGISTER NOW” leads users to a data collection page without displaying a privacy policy or terms of use more so when a 3^rd Party tracker, Cloudflare, is being used.
• There is no visible cookie policy or consent mechanism.
• Users are not informed about their rights regarding data usage, nor are they given options to opt in or opt out of additional data use.

While the DPC plays a critical role in shaping Ghana’s digital regulatory landscape, these gaps highlight the urgent need for its own compliance. At a minimum, activation emails sent to users should have included the Privacy Policy and Terms of Use—or a link to them—ensuring acknowledgment before proceeding.

For the DPC to uphold its mandate effectively, it must first lead by example. Strengthening its website’s compliance will:

• Demonstrate credibility in enforcing Ghana’s Data Protection Act, 2012 (Act 843).
• Encourage businesses to prioritize data protection, knowing the regulator adheres to the same standards.
• Prevent legal challenges and protect its institutional reputation.”

It is however hoped that upon completion of the construction of the DPC website, the concerns will be addressed.

THE NEED FOR URGENT COMPLIANCE

For Ghana to align with global best practices in data protection, the following steps should be prioritized:

• Mandatory Privacy Policies: Websites collecting personal data must have an accessible privacy policy.
• User Awareness & Consent Mechanisms: Users should be informed of data collection practices before sharing personal information.
• Default Opt-in Preference: Websites should prioritize opt-in mechanisms rather than assuming user consent.
• Regulatory Oversight: The DPC should take proactive measures to enforce compliance among businesses and organizations.
• Regular Audits: Organizations should conduct periodic compliance audits to verify adherence to data protection standards.

JOB CREATION OPPORTUNITIES: THE ROLE OF DATA COMPLIANCE OFFICERS

Data privacy compliance is not just a regulatory requirement—it is a growing professional field that offers employment opportunities. As businesses collect and process more personal data, the demand for compliance professionals continues to rise and there is the opportunity for professionals to support the DPC in undertaking Data Protection Impact Assessments (DPIAs).

Flowing for the need for urgent privacy compliance in our eco-system, the DPC has a unique opportunity to create job opportunities for our teeming youth. Indeed, provisions within the Data Protection Act creates the platform for persons qualified, to assist businesses with their Data Protection requirements. The role of a Data Protection Supervisor is being underutilized as the Commission has to ensure that persons trained and qualified to perform the roles of this function are given the Certification.

The job of Data Compliance requires not just the effort of the DPC but the collective efforts of all stakeholders.

Emerging Career Pathways

• Law Graduates (LLB): Those awaiting their professional exams at Makola can pursue certification as licensed Data Protection Practitioners, providing legal expertise in compliance.
• IT and Business Professionals: With specific data protection training, individuals from diverse backgrounds can enter this field.
• Law Firms: Legal practices can expand their services by becoming licensed data protection consultants.

By investing in data compliance professionals, Ghana can strengthen its regulatory framework while creating sustainable employment opportunities for its youth.

CONCLUSION

Data protection compliance is a legal necessity and an ethical obligation for any website that collects personal data. In Ghana, many websites, including the Data Protection Commission’s own platform, fail to meet these basic standards.

Given that the DPC is mandated to enforce data protection laws, its failure to adhere to basic compliance standards sets a poor example for other organizations and businesses in Ghana. To foster a culture of data privacy and security, website owners must prioritize compliance by implementing privacy policies, terms of use, and user consent mechanisms. The DPC must also take a more proactive role in enforcement to ensure that digital spaces in Ghana are legally and ethically responsible.

Additionally, investing in data compliance professionals not only strengthens data privacy protection but also creates a robust employment avenue, particularly for young professionals. By developing expertise in data compliance, individuals can contribute to organizational accountability while securing meaningful career opportunities. This growing sector has the potential to bridge the gap between technology, law, and business, ultimately supporting Ghana’s digital economy and regulatory landscape.

The author is a Digital Rights Avocate  and a licensed Management Consultant. He holds an MBA (IT Management) and  an LLM (IT & Telecommunication).

Contact : [email protected]  ; Blogspot: kofianokye.blogspot.com :kofidarko2.blogspot.com

The post Website privacy standards: Is Ghana’s data protection commission falling short? appeared first on The Business & Financial Times.

Read Full Story