Since 2023, the UAE's federal data protection law — PDPL — has been in full effect. It applies to every website that collects emails, phone numbers, or uses cookies. Without properly drafted legal pages, you risk fines of up to 5,000,000 AED and your site being blocked by the regulator TRA.
In 2026, three documents are mandatory for any commercial website in the UAE: a Privacy Policy (compliant with PDPL), Terms & Conditions, and a Cookie Policy. Missing any one of them gives the regulator grounds for action and erodes client trust. Fines for a PDPL violation reach 5,000,000 AED for a first offence and 10,000,000 AED for a repeat breach. An Arabic version of the documents is not legally required by default — but it becomes critical when serving an Arabic-speaking audience or working with the public sector.
Many business owners treat a Privacy Policy as an optional, copy-paste section of their website. This is a dangerous misconception. Federal Decree-Law No. 45 of 2021 (PDPL), which came into force in 2023, obliges all companies operating in the UAE market to disclose: what user data they collect, for what purpose, where it is stored, and to whom it is transferred. TRA (Telecommunications and Digital Government Regulatory Authority) has the right to launch an investigation based on any user complaint.
There is another practical risk: losing payment integrations. Providers such as Stripe, Tap, and Telr require a link to a valid Privacy Policy when opening a merchant account. Without one, online payments on your website will not be available. Learn more in the guide to online payments in the UAE.
1. Privacy Policy — the core document under PDPL. It must include:
2. Terms & Conditions — governs the relationship between your business and the client. It must include:
3. Cookie Policy — a document separate from the Privacy Policy, mandatory when using analytics tools (GA4, Clarity, Meta Pixel). It describes the types of cookies used, their lifespan, and the mechanism for opting out. Learn more in the guide to GA4 and Clarity for businesses in Dubai.
Working with business owners relocating to the UAE, Norvalio studio consistently sees the same mistakes:
It is far easier to address these issues before launch. See the full checklist in the guide: 25 points before launching a website.
The federal PDPL does not require commercial websites to publish their Privacy Policy exclusively in Arabic. However, there are important exceptions:
The practical takeaway: for a multilingual website, commission your legal pages in all relevant languages from the outset — English and Arabic as a minimum. The additional cost is marginal, while the reduction in legal risk is substantial. Learn more about website translation in the guide to translating your site into English and Arabic.
Current market options in 2026:
At Norvalio, legal pages are included in our standard turnkey development package. We use templates adapted to UAE legislation, populated with your licence details and contact information. Learn more on the website development page. Package pricing is available in the offers section.
Having the documents is only half the job. Correct integration matters just as much:
If your site is already live without these elements, request an audit. Norvalio specialists will assess PDPL compliance and provide a remediation list within 1–2 business days.
If the site collects no data and uses no cookies, technically no. However, any analytics tool — including Google Analytics — already triggers the requirement to publish a privacy policy. In practice, almost every website needs one.
Technically yes — PDPL does not mandate any specific language other than Arabic in certain contexts. However, if your primary audience speaks another language, a regulator or court may deem the document insufficiently accessible to users. We recommend providing the policy in the main language of your audience as well.
Under PDPL, fines for a first violation reach up to 5,000,000 AED, and up to 10,000,000 AED for a repeat offence. TRA has the authority to demand that the website be suspended until all violations are remedied.
Yes. Any change in the categories of personal data you process, or in the third parties to whom data is transferred, requires an updated Privacy Policy with a new effective date.
With your company details to hand — licence number, jurisdiction, and a list of data processed — three documents in two languages take 2–3 business days to prepare; integrating them into the website takes approximately one additional day.
Tell us about your project and get a solution with pricing — free, via WhatsApp.