Is a Cookie Policy legally required in Pakistan?

A Cookie Policy is not yet mandated by a single dedicated data protection statute in Pakistan, but it is strongly recommended and increasingly required under the Prevention of Electronic Crimes Act 2016 (PECA 2016). PECA 2016 Section 3 criminalises unauthorised access to information systems and data, which creates an implied obligation to obtain informed consent before setting non-essential cookies on users' devices. The Pakistan Telecommunication Authority (PTA), under the Pakistan Telecommunication (Re-organisation) Act 1996, has issued digital rights and data privacy guidance requiring websites to publish transparent privacy disclosures. The Personal Data Protection Bill (PDPB), currently in legislative development, will create explicit cookie consent and disclosure obligations once enacted. Businesses targeting international markets — particularly the European Union, the United Kingdom, or the United States — must comply with GDPR, UK GDPR, or CCPA respectively, which require a comprehensive Cookie Policy regardless of where the operator is based. E-commerce platforms and fintech companies regulated by SECP or SBP are strongly advised to implement a Cookie Policy now in preparation for the forthcoming PDPB regime.

What is the difference between session cookies and persistent cookies?

Session cookies are temporary files stored in the browser's memory only for the duration of a user's visit to a website — they are automatically deleted when the browser is closed. Session cookies are used for shopping cart functionality, user authentication tokens, and maintaining login state during a single browsing session on e-commerce sites registered under the Companies Act 2017 in Pakistan. Persistent cookies, by contrast, remain on the user's device for a defined period after the browser is closed — ranging from 30 days for standard analytics cookies to 24 months for advertising frequency capping cookies used in campaigns run through Meta Ads or Google Ads. Persistent cookies enable websites to remember user preferences (language, location, login credentials), track repeat visits for analytics purposes through tools such as Google Analytics 4 (GA4), and serve personalised advertising based on previous browsing behaviour. Under the Personal Data Protection Bill framework being developed in Pakistan and referenced by PTA guidelines, persistent cookies that process personal data must be disclosed with their retention periods in the Cookie Policy, and users must have the ability to delete or opt out of these cookies.

Do Pakistani websites need a cookie consent banner?

Pakistani websites that deploy non-essential cookies — particularly advertising and analytics cookies — are strongly advised to implement a cookie consent banner, even though Pakistan does not yet have a fully enacted data protection statute equivalent to the European Union GDPR. The Prevention of Electronic Crimes Act 2016 (PECA 2016) Section 3 requires authorised access to data, which creates a legal basis for obtaining consent before collecting user data through cookies. The Pakistan Telecommunication Authority (PTA) has issued guidance on digital privacy notices, and the forthcoming Personal Data Protection Bill (PDPB) will formalise consent requirements for data processing, including cookie-based tracking. Additionally, websites that serve users from GDPR jurisdictions (EU, UK, Norway, Iceland, Liechtenstein) or CCPA jurisdictions (California, USA) are legally required to display cookie consent banners for those users regardless of where the website is hosted. A consent management platform (CMP) such as Cookiebot, OneTrust, or Usercentrics can be integrated to manage consent records, satisfy multiple jurisdictional requirements simultaneously, and maintain audit trails demonstrating compliance — a practice endorsed by SECP for technology companies and fintech operators regulated under SBP guidelines.

Can a website use Google Analytics without a Cookie Policy in Pakistan?

Using Google Analytics without a Cookie Policy in Pakistan creates legal and commercial risk that businesses should not ignore. Google Analytics 4 (GA4) deploys persistent cookies — particularly the _ga cookie with a 2-year retention period — that collect user identifiers, page views, session duration, geographic location, and device information. Under the Prevention of Electronic Crimes Act 2016 (PECA 2016) Section 3, collecting user data without disclosure and authorised consent can constitute unauthorised data access. Google's own Terms of Service and Privacy Policy require website operators to have a Privacy Policy and Cookie Policy disclosing Google Analytics usage to users. Furthermore, if the website receives visitors from EU or UK jurisdictions, GDPR and UK GDPR require explicit consent for Google Analytics cookies, which must be obtained through a cookie banner with granular consent options. Google Analytics data is processed on servers in the United States, creating a cross-border data transfer that must be disclosed under PTA's data localisation guidance. Businesses operating without a Cookie Policy also risk reputational damage and loss of trust from international business partners, SECP-regulated investors, and enterprise clients who conduct data privacy due diligence as part of commercial agreements.

How long can cookies be stored under Pakistani law?

Pakistani law does not currently prescribe specific maximum retention periods for cookies, as the Personal Data Protection Bill (PDPB) — which will establish data minimisation and storage limitation principles — has not yet been enacted. However, the prevention of Electronic Crimes Act 2016 (PECA 2016) Section 5 on data interference and Section 6 on data damage create liability for processing data beyond its intended purpose, implying that cookie retention must be proportionate to the purpose. International best practices referenced in PTA's digital rights framework and the PDPB consultation documents suggest: session cookies should expire when the browser session ends; analytics cookies (such as Google Analytics _ga cookies) should not exceed 24 months, though 13 months is recommended by EU GDPR supervisory authorities; advertising cookies for frequency capping should not exceed 90 days; and functional cookies for preferences should be refreshed upon each user interaction. Websites serving international users must comply with the retention period standards of those jurisdictions — GDPR requires that retention periods be specified and justified, and UK ICO guidance recommends reviewing cookie retention periods annually. Pakistani businesses aligned with ISO 27001 information security standards typically apply international retention period benchmarks as part of their data governance frameworks.

What happens if a website violates cookie consent rules in Pakistan?

Violations of cookie consent and data privacy obligations in Pakistan can result in consequences under multiple legal frameworks. Under the Prevention of Electronic Crimes Act 2016 (PECA 2016), unauthorised access to or interference with electronic data (Sections 3 and 5) carries imprisonment of up to three years and fines of up to one million rupees. The Federal Investigation Agency (FIA) Cyber Crime Wing and the National Response Centre for Cyber Crimes (NR3C) have jurisdiction to investigate PECA 2016 violations, including unlawful data collection through cookies. The Pakistan Telecommunication Authority (PTA) can issue directions, impose penalties, and block or suspend digital services that violate PTA regulations under the Pakistan Telecommunication (Re-organisation) Act 1996. For businesses regulated by SECP under the Companies Act 2017, data privacy violations can attract regulatory scrutiny and enforcement action that affects the company's good standing. International consequences are more immediately significant for many Pakistani businesses: GDPR supervisory authorities in the EU can impose fines of up to €20 million or 4% of global annual turnover for violations affecting EU users; UK ICO can impose fines up to £17.5 million or 4% of global turnover; and US FTC has enforcement authority over deceptive practices regarding cookie disclosures under Section 5 of the FTC Act.

Cookie Policy (Pakistan)

COOKIE POLICY

[Business Name]

Website: [Website URL]

Effective Date: [Effective Date]

Governed by: Prevention of Electronic Crimes Act 2016 | Pakistan Telecommunication (Re-organisation) Act 1996

1. INTRODUCTION

[Business Name], with registered address at [Business Address] ("we", "us", "our"), operates the website at [Website URL] (the "Website"). This Cookie Policy explains what cookies are, how we use them, and how you can control cookie settings when visiting our Website.

This Cookie Policy is published in compliance with the Prevention of Electronic Crimes Act 2016 (PECA 2016), the Pakistan Telecommunication Authority (PTA) digital privacy guidelines under the Pakistan Telecommunication (Re-organisation) Act 1996, and the principles of the forthcoming Personal Data Protection Bill (PDPB). For users in the European Union or United Kingdom, this policy also addresses compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

2. WHAT ARE COOKIES?

Cookies are small text files placed on your device (computer, tablet, or mobile phone) by websites you visit. They are widely used to make websites work efficiently, remember your preferences, and provide information to website owners. Cookies may be set by us (first-party cookies) or by third-party service providers (third-party cookies). Cookies can be session cookies (deleted when you close your browser) or persistent cookies (remaining on your device for a defined period).

We also use similar technologies including web beacons, pixel tags, and local storage objects that function in a similar way to cookies.

3. CATEGORIES OF COOKIES WE USE

3.1 Strictly Necessary Cookies

These cookies are essential for the Website to function and cannot be switched off. They are set in response to your actions (such as logging in or completing forms) and do not store personally identifiable information. No consent is required for strictly necessary cookies.

3.2 Functional Cookies

Functional cookies: [Uses Functional]. These cookies remember your preferences (language, region, display settings) to improve your experience on return visits. They do not track your activity across other websites.

3.3 Performance / Analytics Cookies

Analytics cookies used: [Uses Analytics]. Provider: [Analytics Provider]. These cookies collect information about how visitors use our Website — pages visited, time spent, links clicked — to help us improve website performance. The data is aggregated and anonymised where possible. Consent is required before these cookies are set.

3.4 Targeting / Advertising Cookies

Advertising cookies used: [Uses Advertising]. Platforms: [Advertising Providers]. These cookies track your browsing activity to build a profile of your interests and show you relevant advertisements on other websites. They are set by our advertising partners. Consent is required before these cookies are set.

4. HOW WE OBTAIN YOUR CONSENT

We obtain your consent for non-essential cookies through: [Consent Mechanism]. When you first visit the Website, you will be presented with our cookie consent notice. You may accept all cookies, accept only necessary cookies, or customise your preferences. Your consent preferences are stored and respected on subsequent visits. You may withdraw or change your consent at any time through the cookie settings option available in the website footer or through your browser settings.

5. HOW TO MANAGE AND DELETE COOKIES

You can control cookies through your browser settings. Most browsers allow you to: view and delete existing cookies; block cookies from specific websites; block all third-party cookies; and be notified when a cookie is being set. Please note that disabling certain cookies may affect website functionality.

Browser cookie management guides: Chrome — Settings > Privacy and security > Cookies and other site data; Firefox — Settings > Privacy and Security > Cookies and Site Data; Safari — Preferences > Privacy; Edge — Settings > Cookies and site permissions > Cookies and site data.

You may also opt out of interest-based advertising through the Digital Advertising Alliance opt-out tool (youradchoices.com) or the Network Advertising Initiative opt-out (networkadvertising.org).

6. THIRD-PARTY COOKIES AND DATA TRANSFERS

Third-party services integrated into our Website may set their own cookies. These services include analytics and advertising platforms identified in Section 3 above. Data collected through third-party cookies may be processed on servers outside Pakistan — including servers in the United States, European Union, and other jurisdictions. We ensure such transfers are governed by appropriate safeguards consistent with PECA 2016 and PTA guidance.

7. UPDATES TO THIS COOKIE POLICY

We may update this Cookie Policy from time to time to reflect changes in technology, law, or our business practices. The effective date at the top of this policy indicates when it was last updated. Material changes will be communicated through a notice on the Website or by email where we hold your contact details.

8. CONTACT US

For questions about this Cookie Policy or to exercise your privacy rights, contact:

Data Privacy Officer / Privacy Contact: [DPO Name]

Email: [Privacy Email]

Phone: [DPO Phone]

Address: [Business Address]

We will respond to privacy enquiries within 30 days of receipt.

Authorised Signatory (Website Operator)

________________

Signature

Maintained by Vladislav Sergienko, Founder·Template last modified: 2026-06-23·Report an error

What Is a Cookie Policy (Pakistan)?

A Cookie Policy in Pakistan records the organisation's position on the matter, defining what is permitted, what is prohibited and how breaches are handled.

PECA 2016, enacted as Act XL of 2016, criminalises unauthorised access to electronic data under Section 3, data interference under Section 5, and electronic fraud under Section 9. While PECA 2016 is primarily a criminal statute, its provisions on unauthorised data access create a legal basis requiring websites to obtain informed consent before setting non-essential cookies on users' devices. The Personal Data Protection Bill (PDPB), which Pakistan has been developing in alignment with international standards including the European Union General Data Protection Regulation (EU GDPR) and the California Consumer Privacy Act (CCPA), further reinforces the need for transparent cookie disclosures and consent mechanisms.

The Pakistan Telecommunication Authority (PTA), established under the Pakistan Telecommunication (Re-organisation) Act 1996, has issued directives requiring digital service providers to implement data privacy notices and obtain consent for data collection. The PTA's Digital Rights Protection Authority framework and the Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules 2021 create additional compliance obligations for websites operating in or targeting Pakistani users.

A Cookie Policy for Pakistan typically distinguishes between strictly necessary cookies (required for website functionality, exempt from consent requirements), performance cookies (analytics tracking such as Google Analytics or Adobe Analytics), functional cookies (remembering user preferences and language settings), and targeting or advertising cookies (used for remarketing through platforms such as Meta Ads, Google Ads, and TikTok for Business). The policy must identify the third-party service providers operating these cookies, including the data they collect, the retention periods, and the mechanisms by which users can opt out.

E-commerce businesses registered with the Securities and Exchange Commission of Pakistan (SECP) under the Companies Act 2017 and operating through digital platforms are particularly subject to cookie compliance requirements, as their data processing activities involving Pakistani consumers must align with both PECA 2016 and the evolving PDPB framework. Financial technology companies regulated by the State Bank of Pakistan (SBP) under the Payment Systems and Electronic Fund Transfers Act 2007 face additional requirements regarding data security and user consent in digital banking applications.

The Cookie Policy (Pakistan) template from forms-legal.com provides a compliant starting point for businesses of all sizes — from sole proprietors registered under the Firms (Registration) Act 1932 to large corporations listed on the Pakistan Stock Exchange (PSX) — confirming that users are fully informed about data collection practices and that the website operator demonstrates accountability consistent with good digital governance standards.

When Do You Need a Cookie Policy (Pakistan)?

A Cookie Policy in Pakistan is required whenever a website, mobile application, or digital platform deploys cookies or similar tracking technologies that collect, store, or transmit data about users visiting from Pakistan.

A Cookie Policy is needed when an e-commerce business registered in Pakistan under the Companies Act 2017 or operating as a sole proprietorship under the Firms (Registration) Act 1932 operates an online store that uses session cookies for shopping cart functionality, analytics cookies through Google Analytics or similar services, and advertising cookies for remarketing campaigns through Meta Ads or Google Ads.

A Cookie Policy is required when a financial services company regulated by the State Bank of Pakistan (SBP) or the Securities and Exchange Commission of Pakistan (SECP) operates a website or mobile banking application that tracks user sessions, records login activity, and uses analytics tools to monitor user behaviour within the application.

A Cookie Policy is needed when a media company, news portal, or digital publisher operating under Pakistan Electronic Media Regulatory Authority (PEMRA) rules publishes content online and monetises the site through programmatic advertising networks, which invariably deploy tracking cookies to build audience profiles for targeted advertising.

A Cookie Policy is required when a software-as-a-service (SaaS) company registered in Pakistan and exporting digital services to international clients uses cookies for user authentication, session management, and product analytics, particularly if the company's international clients are subject to GDPR in the European Union or similar data protection regimes.

A Cookie Policy is needed when a healthcare provider or telemedicine platform operating under the Pakistan Medical Commission Act 2020 deploys a patient portal or appointment booking system that uses session cookies and analytics tools, given the sensitive nature of health-related data and the heightened obligations under PECA 2016 regarding protection of sensitive personal information.

A Cookie Policy is required when any website targets Pakistani consumers and participates in affiliate marketing programmes, as affiliate tracking cookies create specific disclosure obligations to users regarding the commercial relationship between the website operator and the affiliated brands.

Parties in Pakistan should prepare a Cookie Policy (Pakistan) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Companies Act 2017, the Securities and Exchange Commission of Pakistan (SECP) maintains the register of Pakistani companies. Section 16 of the Companies Act 2017 governs company incorporation. The Contract Act 1872 governs general contractual obligations. The Federal Board of Revenue (FBR) administers corporate tax under the Income Tax Ordinance 2001. The High Courts (Lahore, Sindh, Peshawar, Balochistan, Islamabad) have original and appellate jurisdiction. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your Cookie Policy (Pakistan)

A compliant Cookie Policy in Pakistan under the Prevention of Electronic Crimes Act 2016 and the Pakistan Telecommunication Authority's data privacy framework must contain the following essential elements.

Website Identification: The policy must identify the full legal name of the website operator, its SECP registration number or business registration details where applicable, the registered business address in Pakistan, and the contact email address for privacy enquiries. This information establishes accountability and enables users to exercise their data rights.

Definition of Cookies: The policy must explain clearly what cookies are — small text files stored on the user's device by the website — and distinguish cookies from other tracking technologies such as web beacons, pixel tags, local storage objects (LSOs), and software development kit (SDK) trackers used in mobile applications. The Prevention of Electronic Crimes Act 2016 under Section 2(f) defines 'data' broadly to include any form of representation of information, which encompasses cookies and tracking identifiers.

Categorisation of Cookies: The policy must classify cookies by purpose — (1) Strictly Necessary cookies required for basic website functionality; (2) Performance/Analytics cookies measuring website usage through tools such as Google Analytics 4 (GA4) or Hotjar; (3) Functional cookies storing user preferences such as language settings and location; and (4) Targeting/Advertising cookies used for remarketing through platforms including Meta Pixel, Google Ads, TikTok Pixel, and programmatic advertising exchanges.

Third-Party Cookie Disclosure: The policy must list all material third-party services that set cookies on the website, including the service provider name, the data collected, the retention period, the location of data processing (including any cross-border data transfers), and a link to the third party's own privacy and cookie policy. Under PTA's data localisation guidance, cross-border transfers of Pakistani users' data require transparency and, where applicable, safeguards.

ConsentMechanism: The policy must describe the consent mechanism deployed — typically a cookie banner or consent management platform (CMP) compliant with PECA 2016 Section 3's requirement for authorised access — explaining how users accept all cookies, accept only necessary cookies, or customise their preferences. The consent record must be stored to demonstrate compliance.

User Rights and Opt-Out: The policy must inform users of their right to withdraw consent at any time, instructions for disabling cookies through browser settings (Chrome, Firefox, Safari, Edge, and Opera all have native cookie management interfaces), links to industry opt-out tools such as the Digital Advertising Alliance opt-out and the Network Advertising Initiative opt-out, and the effect of disabling cookies on website functionality.

Retention Periods: The policy must state the retention period for each category of cookie — session cookies expire when the browser is closed; persistent cookies may be retained for periods ranging from 30 days (standard for analytics) to 24 months (for advertising frequency capping). Retention periods must be proportionate to the purpose of the cookie under the principles consistent with the Personal Data Protection Bill framework.

Cookie List Table: Best practice under international standards referenced by PTA requires a detailed cookie inventory table listing each cookie by name, the provider, the purpose, the type (session or persistent), and the expiry period. This level of disclosure is increasingly expected by major e-commerce platforms and enterprise clients doing business with Pakistani operators.

Policy Updates: The policy must state that it will be updated as new technologies are deployed or legal requirements change, the date of the last update, and whether users will be notified of material changes. The Pakistan Electronic Crimes Act 2016 Section 5 on data interference creates liability for unauthorised modification of data — a well-maintained cookie policy demonstrates that data collection is authorised and transparent.

Contact Information: The policy must provide the name and contact details of the data privacy officer or designated privacy contact, the address for written correspondence, and a commitment to respond to privacy enquiries within a reasonable period (typically 30 days, consistent with international standards referenced in PDPB consultations).

Forms-legal.com provides this Cookie Policy (Pakistan) template to help businesses of all sizes — from technology startups to established enterprises listed on the Pakistan Stock Exchange — implement transparent data practices that meet PECA 2016 requirements and align with the forthcoming Personal Data Protection Bill regime.

Under the Companies Act 2017, the Securities and Exchange Commission of Pakistan (SECP) maintains the register of Pakistani companies. Section 16 of the Companies Act 2017 governs company incorporation. The Contract Act 1872 governs general contractual obligations. The Federal Board of Revenue (FBR) administers corporate tax under the Income Tax Ordinance 2001. The High Courts (Lahore, Sindh, Peshawar, Balochistan, Islamabad) have original and appellate jurisdiction.

Sources & Citations

Statutory citations link to official government sources.

California Consumer Privacy ActCA (US) official

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Cookie Policy (Pakistan) (Pakistan) [Legal document template]. Forms Legal. https://forms-legal.com/pakistan/business/policies/cookie-policy-pakistan

MLA

"Cookie Policy (Pakistan) (Pakistan)." Forms Legal, 2026, https://forms-legal.com/pakistan/business/policies/cookie-policy-pakistan.

BibTeX

@misc{formslegal-cookie-policy-pakistan,
  author       = {{Forms Legal}},
  title        = {Cookie Policy (Pakistan) (Pakistan)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/pakistan/business/policies/cookie-policy-pakistan}},
  note         = {Free legal document template}
}

Also available for these jurisdictions:

Frequently Asked Questions

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer

Found an error? Let us know