
Loi 09-08 explained: what your website legally must do with user data in Morocco

Morocco's data protection law (Loi 09-08) applies to every website collecting user data. What it requires, what CNDP enforces, and how to comply, in plain language.

By Ayoub Kassimi·May 9, 2026·9 min read

If your website has a contact form, collects email addresses, uses cookies, or tracks visitor behavior, you're processing personal data under Moroccan law. Loi 09-08 has been in effect since 2009, but most Moroccan websites still ignore it. This isn't a best practice suggestion. It's a legal obligation with real penalties.

What is Loi 09-08 and who enforces it

Loi n° 09-08 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel is Morocco's equivalent of Europe's GDPR. It was adopted in February 2009 and is enforced by the CNDP (Commission Nationale de contrôle de la protection des Données à caractère Personnel).

The law applies to any natural or legal person who processes personal data in Morocco — regardless of whether they are a large corporation or a sole trader. If you run a website that collects a visitor's name, email, phone number, or IP address, you are a data controller under Loi 09-08.

What your website must do — the 6 obligations

1. Declare your data processing to the CNDP. Before you start collecting personal data, you are legally required to submit a prior declaration (or request authorization for sensitive data) to the CNDP. This is done via their online platform at cndp.ma. Many Moroccan businesses skip this step entirely — it is the most commonly violated obligation.

2. Inform users about data collection. Your website must clearly tell visitors what data you collect, why you collect it, how long you store it, and who has access to it. This is typically done through a privacy policy page. The notice must be accessible before data collection occurs — not buried in a footer link that nobody reads.

3. Obtain consent. Consent must be free, specific, informed, and unambiguous. Pre-checked checkboxes don't count. If you're using analytics tools (Google Analytics, PostHog) or marketing cookies, you need explicit consent before those tools load. A cookie banner that says "By continuing to browse, you accept cookies" doesn't satisfy the consent requirement.

4. Limit data collection to what is necessary. The principle of data minimization means you should only collect the data you actually need. If your contact form asks for a phone number, address, company name, budget range, and project timeline — ask yourself whether all of those fields are truly necessary for the initial contact.

5. Secure the data you collect. You must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction. This means HTTPS (TLS, still commonly called SSL) on every page, secure storage of form submissions, and access controls on databases containing personal information.

6. Respect data subject rights. Individuals have the right to access, correct, and delete their personal data. If a contact form submitter asks you to delete their information, you must comply. You must also provide a way for individuals to exercise these rights — typically by listing a contact email in your privacy policy.

What most Moroccan websites get wrong

No privacy policy at all. Most Moroccan business websites have no privacy policy page. This is the most basic compliance failure and the easiest to fix.

Cookie banners that do nothing. A banner that says "We use cookies" with only an "OK" button is not compliant. You need to offer a genuine choice — accept, reject, or configure — and you must not load tracking scripts before consent is given.

No CNDP declaration. The CNDP declaration is a legal prerequisite for any personal data processing. Filing it is straightforward and free. Not filing it exposes you to administrative sanctions.

Contact forms without purpose limitation. When someone fills your contact form, they consent to being contacted about their inquiry. They do not consent to being added to a newsletter list, a WhatsApp broadcast group, or a marketing database. Each purpose requires separate consent.

What the penalties look like

The CNDP can impose administrative sanctions including formal warnings, injunctions to cease processing, and fines. Fines under Loi 09-08 can reach 300,000 MAD for non-compliance. Criminal penalties are also possible for serious violations, including unauthorized cross-border data transfers and failure to implement security measures.

Enforcement has historically been light, but the CNDP has increased its activity in recent years. More importantly, as Moroccan businesses grow internationally and European partners demand GDPR-adjacent compliance, Loi 09-08 compliance becomes a business necessity — not just a legal checkbox.

How to make your website compliant — the practical checklist

Add a privacy policy page. State clearly: what data you collect, why, how long you keep it, who processes it, and how users can exercise their rights. Include the CNDP declaration number once you have it.

Implement a proper cookie consent banner. Use a consent management tool that blocks analytics and marketing scripts until the user actively consents. Offer clear accept/reject options. Record consent for your records.
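The consent-first loading that this checklist item and the "Cookie banners that do nothing" point describe can be implemented with a small script on the page. The module below is an added example written for this article, not Sentinel Studio's tooling: tracking tags are written as inert `<script type="text/plain" data-consent="analytics" data-src="...">` elements, and only the categories with an explicit, current consent record are turned into live scripts. The storage key, the policy version string and the `data-consent`/`data-src` attribute names are assumptions chosen for illustration.

```javascript
// Consent-first loading of analytics and marketing scripts.
// Added example for this article, not Sentinel Studio's code: the storage
// key, policy version string and the data-consent / data-src attributes
// are assumptions chosen for illustration.

const CONSENT_STORAGE_KEY = "loi0908_consent";        // assumed localStorage key
const CONSENT_CATEGORIES = ["analytics", "marketing"]; // categories that need opt-in
const CURRENT_POLICY_VERSION = "2026-05";             // bump when the policy text changes

// Parse a stored consent record. Returns null when the record is missing,
// malformed, or was given for an older policy version; null means "no valid
// decision", so the banner is shown and nothing optional loads. A category
// is never treated as accepted unless it is explicitly `true`.
function parseStoredConsent(raw, policyVersion = CURRENT_POLICY_VERSION) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    return null;
  }
  if (!parsed || typeof parsed !== "object" || parsed.version !== 1) return null;
  if (parsed.policyVersion !== policyVersion) return null; // policy changed: ask again
  if (!parsed.choices || typeof parsed.choices !== "object") return null;
  const choices = {};
  for (const category of CONSENT_CATEGORIES) {
    choices[category] = parsed.choices[category] === true;
  }
  return { version: 1, policyVersion, timestamp: parsed.timestamp, choices };
}

// Build the record persisted when the visitor clicks accept, reject or save
// preferences. "Reject all" is a decision too and is stored, so the visitor
// is not asked again on every page, but it unlocks nothing.
function buildConsentRecord(choices, now = new Date(), policyVersion = CURRENT_POLICY_VERSION) {
  const record = { version: 1, policyVersion, timestamp: now.toISOString(), choices: {} };
  for (const category of CONSENT_CATEGORIES) {
    record.choices[category] = choices[category] === true;
  }
  return record;
}

// Filter the deferred scripts down to those that may load. Strictly
// necessary scripts never need consent; any other category needs an
// explicit `true` in a valid record.
function scriptsAllowed(consent, scripts) {
  return scripts.filter((s) => {
    if (s.category === "necessary") return true;
    return consent !== null && consent.choices[s.category] === true;
  });
}

// Browser glue. Tracking tags are written as
//   <script type="text/plain" data-consent="analytics" data-src="https://..."></script>
// so the browser parses but never executes them; only the allowed ones are
// replaced by a real <script> element. Returns how many were activated.
function activateDeferredScripts(doc, consent) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const scripts = tags.map((tag) => ({ tag, category: tag.dataset.consent, src: tag.dataset.src }));
  let activated = 0;
  for (const s of scriptsAllowed(consent, scripts)) {
    const live = doc.createElement("script");
    live.src = s.src;
    live.async = true;
    s.tag.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Called by the banner's buttons with the visitor's choices, e.g.
// saveAndApply({ analytics: true, marketing: false }). Stores the record
// (the "record consent for your records" step) and applies it immediately.
function saveAndApply(choices, doc = document, storage = localStorage) {
  const record = buildConsentRecord(choices);
  storage.setItem(CONSENT_STORAGE_KEY, JSON.stringify(record));
  activateDeferredScripts(doc, parseStoredConsent(JSON.stringify(record)));
  return record;
}

// Page entry point. Returns true when the banner must be shown; in that
// case nothing optional has been loaded.
function bootConsent(doc, storage) {
  const consent = parseStoredConsent(storage.getItem(CONSENT_STORAGE_KEY));
  if (consent === null) return true;
  activateDeferredScripts(doc, consent);
  return false;
}

// Guarded so the same file also loads outside a browser.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const mustShowBanner = bootConsent(document, localStorage);
  // The site's own banner UI renders when mustShowBanner is true; its
  // accept / reject / save buttons call saveAndApply(...) with the choices.
}
```

The important design choice is that "no record", "invalid record" and "record for an older policy" all collapse to `null`, and `null` loads nothing beyond strictly necessary scripts; a banner that defaults to "accepted" on a parse error would be exactly the kind that does nothing.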

File your CNDP declaration. Go to cndp.ma, create an account, and submit a prior declaration for your data processing activities. The process is online and free. Keep the receipt and declaration number.

Add HTTPS. If your site is still on HTTP (no padlock in the browser), fix this immediately. Every hosting provider and CDN offers free SSL certificates. There is no excuse for an unencrypted website in 2026. For more on why this matters, read SSL, HTTPS, and trust for Moroccan businesses.

Review your contact form. Remove unnecessary fields. Add a consent checkbox that links to your privacy policy. Do not pre-check it. For technical guidance on securing your forms, see why your contact form is a security hole.
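The form review above, together with the purpose-limitation point from "What most Moroccan websites get wrong", maps onto a few server-side rules: keep only the fields needed to answer, require an explicit consent for that purpose, and treat newsletter or marketing consent as a separate opt-in that is never inferred from the inquiry. The handler below is an added example written for this article, not Sentinel Studio's code; the field names, checkbox values, in-memory store and the sample submission are all constructed for illustration.

```javascript
// Server-side handling of a contact form submission: collect only the fields
// needed to answer the inquiry, require an explicit (not pre-checked) consent
// for that purpose, and keep newsletter consent as a separate opt-in.
// Added example for this article, not Sentinel Studio's code; the field names,
// checkbox values and in-memory store are assumptions chosen for illustration.

const ALLOWED_FIELDS = ["name", "email", "message"]; // everything else is dropped, not stored

// One checkbox per purpose. "contact" is required to answer at all; the
// others are optional and are never inferred from the contact consent.
const PURPOSE_FIELDS = {
  contact: "contact_consent",
  newsletter: "newsletter_consent",
};

// An HTML checkbox is submitted only when checked (default value "on"); an
// unchecked box sends nothing. Anything else is treated as "not consented".
function checkboxChecked(value) {
  return value === true || value === "on" || value === "true";
}

// Validate and minimise a raw form body. Returns { ok, record, dropped, errors }.
// `meta` carries the policy version shown to the user and the current time, so
// the consent record states what was accepted and when.
function processSubmission(body, meta) {
  const data = {};
  const dropped = [];
  for (const [field, value] of Object.entries(body)) {
    if (ALLOWED_FIELDS.includes(field)) {
      data[field] = typeof value === "string" ? value.trim() : "";
    } else if (!Object.values(PURPOSE_FIELDS).includes(field)) {
      dropped.push(field); // reported so the form can be trimmed; never persisted
    }
  }

  const consents = {};
  for (const [purpose, field] of Object.entries(PURPOSE_FIELDS)) {
    consents[purpose] = checkboxChecked(body[field]);
  }

  const errors = [];
  if (!data.email) errors.push("email is required");
  if (!data.message) errors.push("message is required");
  if (!consents.contact) errors.push("consent to be contacted is required");
  if (errors.length > 0) return { ok: false, errors, dropped };

  const record = {
    data,
    consents,
    policyVersion: meta.policyVersion,   // which privacy policy text was accepted
    consentedAt: meta.now.toISOString(), // when
  };
  return { ok: true, record, dropped, errors };
}

// Purpose check before any downstream use of a stored record: a newsletter
// send must ask mayUseFor(record, "newsletter"), not reuse the contact consent.
function mayUseFor(record, purpose) {
  return record.consents[purpose] === true;
}

// Data subject rights: erase every record tied to an email address.
// Returns the number of records removed.
function eraseSubject(store, email) {
  const target = email.trim().toLowerCase();
  const before = store.length;
  for (let i = store.length - 1; i >= 0; i--) {
    if (store[i].data.email.toLowerCase() === target) store.splice(i, 1);
  }
  return before - store.length;
}

// Constructed sample: a form that still asks for budget and phone, submitted
// with only the contact box ticked.
const sampleBody = {
  name: "Sample Visitor",
  email: "visitor@example.test",
  message: "Could you quote a redesign?",
  phone: "+212 600 000 000",
  budget: "10-20k MAD",
  contact_consent: "on",
};
const sampleMeta = { policyVersion: "2026-05", now: new Date("2026-05-09T10:00:00Z") };
```

Running `processSubmission(sampleBody, sampleMeta)` keeps only name, email and message, reports `phone` and `budget` as dropped, and yields a record for which `mayUseFor(record, "newsletter")` is false even though the visitor clearly wants to hear back about the inquiry.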

Secure your data storage. Form submissions should be stored in encrypted databases with access controls. If you use email to receive form submissions, ensure the email account is properly secured with 2FA.

Loi 09-08 vs GDPR — the key differences

Loi 09-08 is heavily inspired by the French "Informatique et Libertés" law (1978) and shares many principles with GDPR. The key differences: Loi 09-08 requires prior declaration to the CNDP (GDPR replaced this with accountability records). GDPR has higher fines (up to 4% of global turnover). GDPR has more detailed provisions for data breach notification. Morocco is not recognized by the EU as providing "adequate" data protection — which matters if you handle EU citizen data.

If your business serves European customers alongside Moroccan ones, you may need to comply with both laws. The good news: if you comply with GDPR, you are largely compliant with Loi 09-08. The reverse is not always true.

Build compliance into your website from day one

The cheapest and easiest time to build data privacy compliance into your website is during development — not after a CNDP inquiry. When we build websites at Sentinel Studio, privacy is part of the architecture: HTTPS by default, minimal data collection, consent-first analytics, and a privacy policy template tailored to Moroccan law. If your current site needs a compliance review, start with a conversation.
