Saudi PDPL Compliance for Marketers: What You Need to Know Before Your Next Campaign

Saudi PDPL enforcement began September 2024. Learn how SDAIA rules reshape email, SMS, WhatsApp, retargeting, and programmatic for every GCC marketer — with a practical compliance checklist.

On 14 September 2024, the Kingdom of Saudi Arabia switched on full enforcement of its Personal Data Protection Law (PDPL) — and the grace period officially ended. If your brand emails a single lead in Riyadh, runs a Meta pixel on Saudi traffic, or sends a WhatsApp broadcast to a KSA number, you are now a regulated entity under Saudi law. Fines start at warnings and climb to SAR 5,000,000 per violation, with criminal penalties of up to two years in prison for the most serious breaches. Yet most GCC marketing teams — even the sophisticated ones — are still operating on a vague mental model of "it's like GDPR, right?" It is not.

This guide is the regulatory briefing every marketing leader, performance specialist, and agency partner operating in or into Saudi Arabia should read before their next campaign. We will cover what the PDPL actually regulates, who SDAIA is and what powers it holds, how Saudi rules differ sharply from GDPR on cross-border transfers and data localization, and — most importantly — how the law reshapes the tactical playbook for email, SMS, WhatsApp, programmatic, and pixel-based retargeting. We close with a practical compliance checklist you can hand to your CMO on Monday morning.

What the PDPL actually covers

Saudi Arabia's Personal Data Protection Law was issued by Royal Decree M/19 in September 2021, revised by Royal Decree M/148 in March 2023, and the Implementing Regulations and Regulations on Personal Data Transfer Outside the Kingdom were published by SDAIA in September 2023. Full enforcement commenced on 14 September 2024 after a one-year transitional period.

The law applies to any processing of personal data related to individuals who reside in the Kingdom of Saudi Arabia — whether that processing takes place inside KSA or anywhere else in the world. This extraterritorial scope is the first detail most international marketers miss. A Dubai-based DMCC agency running a paid campaign that targets Saudi residents falls inside the PDPL regardless of where its servers live.

"Personal data" is defined broadly: any data that identifies or can reasonably identify a natural person. Names, phone numbers, national ID numbers, email addresses, IP addresses, device identifiers, cookie IDs, location data, and even photos all qualify. A separate category of "sensitive data" — covering racial or ethnic origin, religious belief, health, genetic, biometric, and financial data along with data on security or criminal record — triggers stricter obligations. Health and genetic data in particular require an explicit, separately documented consent and, in many cases, pre-approval from the regulator.

SDAIA: the regulator you now report to

The Saudi Data and Artificial Intelligence Authority (SDAIA) is the lead regulator for personal data in the Kingdom. Operational oversight is delegated to the National Data Management Office (NDMO), which supervises registration, guidance, and enforcement. SDAIA maintains a National Data Controller Register — every organization processing personal data of Saudi residents on anything beyond a trivially small scale is expected to register.

SDAIA's enforcement toolkit is serious. It can issue warnings, order corrective measures, suspend processing, levy administrative fines up to SAR 5,000,000 per violation (doubled for repeat offenses, plus up to 2% of annual revenue in certain aggravated cases), publish decisions naming offenders, and refer matters for criminal prosecution. For unlawful disclosure of sensitive data with intent to harm, individuals can face imprisonment for up to two years alongside fines up to SAR 3,000,000.

Key obligations every marketer must know

There are five pillars of the PDPL that rewrite how marketing operates in Saudi Arabia.

1. Lawful basis and consent. Consent is the default lawful basis under the PDPL, and the bar is high. Consent must be freely given, specific, informed, and documented. Pre-ticked boxes, bundled consents, and "by continuing you agree" banners do not meet the standard. For direct marketing — email, SMS, WhatsApp, and push — prior explicit opt-in is effectively required in the Saudi market. Legitimate interest exists as a lawful basis, but it is narrower than the GDPR equivalent and is not a safe harbour for behavioural marketing.

2. Data subject rights. Saudi residents now have the right to be informed, to access, to rectify, to request destruction, and to withdraw consent at any time. Importantly, they also have the right to request transfer of their data to another controller, and a right to complain directly to SDAIA. Requests must be acknowledged and actioned within thirty days. Every marketing team should have a tested, documented DSAR workflow — not a shared Gmail inbox.

3. Breach notification within 72 hours. Any personal data breach that is likely to cause harm must be notified to SDAIA within 72 hours of becoming aware, and affected data subjects must be notified without undue delay. This is tight. Most marketing stacks — your ESP, your CDP, your tag manager, your lead-capture forms, your CRM connectors — all sit in the blast radius of a breach and almost none of them are instrumented to flag one automatically. Building a marketing-operations incident runbook is non-negotiable.

4. Data localization and the shift in 2023. The original 2021 draft of the PDPL effectively mandated in-Kingdom storage of personal data with narrow exceptions. The March 2023 amendments softened this materially — the default is now a permitted transfer regime rather than a hard localization rule — but sensitive data, data of national importance, and certain public-sector datasets still face localization expectations. Many enterprise Saudi clients, particularly in banking, healthcare, and government, continue to require in-Kingdom hosting as a procurement condition regardless of what the law strictly permits.

5. Cross-border transfers. Transfers of personal data outside Saudi Arabia are allowed, but only on a specific lawful basis. The framework is built around the concept of countries that provide an "adequate level of protection" as assessed by SDAIA, binding corporate rules, standard contractual clauses, and — for limited cases — explicit consent or a documented necessity test. In practice, this means your data-processing agreements with Meta, Google, TikTok, Snap, HubSpot, Salesforce, and any other non-KSA vendor need to be reviewed, updated, and filed.

Marketing-specific implications: where the rubber meets the road

The PDPL is not an abstract legal document; it rewrites specific tactics that every GCC marketer uses every day.

Email and SMS. Sending marketing emails to a purchased or scraped list of Saudi contacts is now a clearly unlawful activity under the PDPL. Double opt-in, logged and timestamped, is the practical standard. SMS marketing sits under an even tighter lens because it interacts with the Communications, Space and Technology Commission (CST) anti-spam rules that predate the PDPL. Your consent receipts should include the channel, the purpose, the timestamp, and the specific wording the user agreed to.

WhatsApp and conversational channels. WhatsApp Business, within Meta's own policy, already requires opt-in. Under the PDPL, the requirement hardens: the opt-in must be specific to WhatsApp, separable from other consents, and reversible with a single action. Template messages, 24-hour customer-service windows, and broadcast lists all need to be mapped to a documented lawful basis. The easiest violation to commit in the entire PDPL is a bulk WhatsApp broadcast to a list that was built in the pre-PDPL era.

Behavioural ads and retargeting pixels. Meta Pixel, Google Tag, TikTok Pixel, LinkedIn Insight Tag, and similar trackers drop cookies and collect device identifiers that qualify as personal data. Firing them on Saudi traffic without a valid lawful basis is a breach. The practical consequence: you need a consent-first cookie banner, not a cosmetic one. Tags must not fire before consent. Consent Mode v2 (Google), Meta's Conversions API with consent signals, and a proper CMP (Consent Management Platform) configured for KSA are now baseline infrastructure, not nice-to-haves.

Programmatic and audience marketplaces. Uploading a customer list to a DSP or building a lookalike on Facebook requires explicit, documented consent from every person on that list for that specific use. Matched-audience campaigns, retargeting pools, and offline conversion uploads are the three highest-risk activities for a Saudi audit. If your agency cannot produce the consent record for the list, do not upload the list.

Cookie banners done right

Saudi cookie banners need to meet four conditions to satisfy the PDPL. First, they must present a clear choice — an "Accept," "Reject," and "Manage" action of equivalent prominence. Second, they must block non-essential tags from firing until the user opts in. Third, they must be granular, so users can accept analytics but reject advertising. Fourth, they must log consent in a retrievable, auditable form. Most of the "cookie notices" in the GCC today meet none of these four conditions. This is one of the fastest areas where strategic marketing advisory delivers immediate risk reduction.
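The four banner conditions above translate into a small piece of browser logic: tags are blocked by default, only the categories the user granted may fire, and each choice is logged with the exact wording shown. The following is an added example, not code from the original post or from any CMP vendor; the category names, the `createConsentGate` API and the stored record fields are assumptions made for the illustration.

```javascript
// Added example (not from the original post): a consent-first tag gate.
// Assumptions: tags are registered with one of three categories, nothing but
// "necessary" fires until a stored consent grants its category, and every
// consent event is kept in a retrievable audit log.
const CATEGORIES = ["necessary", "analytics", "advertising"];

function createConsentGate(now = () => new Date().toISOString()) {
  const tags = [];        // registered tags, fired or still blocked
  const auditLog = [];    // consent events in the order they happened
  let consent = null;     // null until the user makes a choice

  // Fire every blocked tag whose category is currently granted.
  function drain() {
    for (const tag of tags) {
      const allowed = tag.category === "necessary" ||
        (consent !== null && consent.granted.includes(tag.category));
      if (allowed && !tag.fired) { tag.fired = true; tag.fire(); }
    }
  }

  // Register a tag; it is blocked by default and fires only via drain().
  function registerTag(name, category, fire) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    tags.push({ name, category, fire, fired: false });
    drain();
  }

  // Record the user's choice from Accept / Reject / Manage together with the
  // exact banner wording and version, so the record is auditable later.
  function recordConsent(granted, bannerText, bannerVersion) {
    consent = {
      granted: granted.filter((c) => CATEGORIES.includes(c) && c !== "necessary"),
      timestamp: now(), wording: bannerText, version: bannerVersion,
    };
    auditLog.push({ event: "consent", ...consent });
    drain();
  }

  // Single-action withdrawal: blocks future tags and is logged like a consent.
  function withdraw() {
    consent = { granted: [], timestamp: now(), wording: "withdrawn", version: null };
    auditLog.push({ event: "withdraw", ...consent });
  }

  return {
    registerTag, recordConsent, withdraw,
    firedTags: () => tags.filter((t) => t.fired).map((t) => t.name),
    getAuditLog: () => auditLog.map((e) => ({ ...e })),
  };
}
```

A tag that has already fired cannot be un-fired by a withdrawal, which is exactly why the gate must block by default rather than fire and clean up afterwards.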

DPO and governance: who is actually accountable

The PDPL requires certain controllers to appoint a Data Protection Officer. An internal DPO — or an external, documented equivalent — is effectively mandatory if you are a public entity, process personal data as a core activity (and marketing at scale qualifies), or carry out large-scale processing of sensitive data. The DPO must be reachable by data subjects and by SDAIA, and must report to the highest management level. Agencies acting as processors need to mirror this structure in their own organizations.

Beyond the DPO, the PDPL expects a Record of Processing Activities (ROPA), a Data Protection Impact Assessment (DPIA) for high-risk processing, a data classification policy, a retention schedule, vendor due-diligence records, and a signed Data Processing Agreement (DPA) with every processor. Every element of the modern MarTech stack — ESP, CDP, CRM, CMP, DMP, analytics, MMP — needs to appear in that ROPA by name, location, and lawful basis.

PDPL vs GDPR: the differences that actually matter

"It's basically GDPR with an Arabic cover" is the single most expensive assumption a marketer can make. The two frameworks rhyme, but they diverge on points that directly affect campaign strategy.

Consent under the PDPL is framed more strictly for marketing. Legitimate interest as a lawful basis is narrower and rarely safe for behavioural advertising. Cross-border transfers rely on an SDAIA-driven adequacy list rather than the European Commission's list, and at the time of writing very few jurisdictions have been granted Saudi adequacy status, which means SCCs, BCRs, and explicit consent are the practical transfer mechanisms. Data localization expectations for sensitive and government-adjacent data are stronger in KSA than under the GDPR. Criminal penalties exist in Saudi Arabia for intentional harmful disclosure — GDPR is a civil regime. Finally, SDAIA's enforcement posture is active and visible: registration requirements, audit rights, and a growing public record of enforcement actions make "flying under the radar" an increasingly poor strategy.

A practical compliance checklist for marketing teams

Use this as your starting discovery brief with legal and IT.

  1. Map every dataset containing Saudi-resident personal data across your ESP, CRM, CDP, analytics, ad platforms, and lead-capture tools.
  2. Identify the lawful basis for each processing activity and record it in a ROPA.
  3. Audit every existing consent record. Where consent pre-dates the PDPL era or fails the "freely given, specific, informed, documented" test, re-consent or suppress.
  4. Deploy a consent-first CMP, configured for KSA, with tags blocked by default and granular categories.
  5. Enable Google Consent Mode v2, Meta Conversions API with consent signals, and server-side tagging where possible.
  6. Review every DPA with international MarTech vendors for PDPL cross-border clauses and SCC equivalents.
  7. Appoint a DPO or a documented equivalent and publish their contact in your privacy notice.
  8. Run a DPIA on every high-risk campaign type — programmatic, lookalike audiences, sensitive-category targeting, health, finance, minors.
  9. Build and test a DSAR response workflow with a thirty-day SLA.
  10. Write a 72-hour breach response runbook that covers marketing systems specifically.
  11. Train your internal marketers and agency partners. An untrained team is the most common root cause of a breach.
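Checklist item 3 (audit every consent record, then re-consent or suppress) and the consent-receipt fields named in the email and SMS section (channel, purpose, timestamp, wording) can be turned into a repeatable audit. The following is an added example, not code from the original post or from any vendor; the record field names, the `method` and `source` values, and the three actions are assumptions chosen for the illustration, with the 14 September 2024 enforcement date taken from the post.

```javascript
// Added example (not from the original post): classify stored consent records
// as keep / re-consent / suppress using the post's "freely given, specific,
// informed, documented" test. Field names and method values are assumptions.
const PDPL_ENFORCEMENT = "2024-09-14T00:00:00Z";   // full enforcement date from the post
const INVALID_METHODS = new Set(["pre_ticked", "bundled", "by_continuing", "implied"]);
const UNLAWFUL_SOURCES = new Set(["purchased", "scraped"]);
const REQUIRED_FIELDS = ["channel", "purpose", "timestamp", "wording"];

// Returns { action, reasons } for one record: suppress when no lawful basis can
// exist, re-consent when a record exists but fails the test, keep otherwise.
function auditConsentRecord(rec, cutoff = PDPL_ENFORCEMENT) {
  if (UNLAWFUL_SOURCES.has(rec.source)) {
    return { action: "suppress", reasons: ["list was " + rec.source] };
  }
  if (rec.withdrawn) return { action: "suppress", reasons: ["consent withdrawn"] };
  const reasons = [];
  for (const f of REQUIRED_FIELDS) {
    if (!rec[f]) reasons.push("not documented: missing " + f);
  }
  if (INVALID_METHODS.has(rec.method)) reasons.push("not freely given: " + rec.method);
  if (rec.purpose === "any") reasons.push("not specific: blanket purpose");
  if (rec.timestamp) {
    const t = Date.parse(rec.timestamp);
    if (Number.isNaN(t)) reasons.push("not documented: bad timestamp");
    else if (t < Date.parse(cutoff)) reasons.push("pre-dates PDPL enforcement");
  }
  return { action: reasons.length ? "re-consent" : "keep", reasons };
}

// Channel- and purpose-specific check: an email opt-in does not cover WhatsApp.
function canContact(rec, channel, purpose) {
  return auditConsentRecord(rec).action === "keep" &&
    rec.channel === channel && rec.purpose === purpose;
}

// Roll a list up into counts per action, the figure an auditor asks for first.
function auditList(records) {
  const summary = { keep: 0, "re-consent": 0, suppress: 0 };
  for (const rec of records) summary[auditConsentRecord(rec).action] += 1;
  return summary;
}

// Constructed sample records for the example (not real data).
const SAMPLE_RECORDS = [
  { id: 1, channel: "email", purpose: "newsletter", method: "double_opt_in",
    timestamp: "2024-10-02T09:15:00Z", wording: "Send me the weekly newsletter by email." },
  { id: 2, channel: "email", purpose: "newsletter", method: "pre_ticked",
    timestamp: "2024-11-01T12:00:00Z", wording: "Keep me updated." },
  { id: 3, channel: "whatsapp", purpose: "offers", method: "double_opt_in",
    timestamp: "2023-05-20T08:00:00Z", wording: "WhatsApp me offers." },
  { id: 4, channel: "sms", purpose: "offers", source: "purchased" },
];
```

Whether a failing record can lawfully be re-contacted to obtain fresh consent is a legal question for counsel; the audit only tells you which records cannot be used as they stand.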

The PDPL is not a reason to slow down Saudi marketing. It is a reason to professionalize it. Brands that treat compliance as a capability rather than a cost will build more durable permission assets, higher-quality lead pools, and measurably lower acquisition risk than competitors who keep operating on the old playbook. The Saudi market is the largest in the GCC and growing fast — it rewards operators who respect it.

If you would like a PDPL-ready campaign and MarTech audit, our team builds compliant, high-performance digital marketing programs for regulated sectors across KSA and the wider GCC. Book a compliance review and we will benchmark your current stack against the PDPL checklist in a single working session.

Frequently asked questions

Does the PDPL apply to my Dubai agency if my client is UAE-based?

Yes, if any of the campaign's audience, leads, or stored personal data relates to Saudi residents. The PDPL is extraterritorial. The location of your agency, your client, or your servers does not change the applicability.

Can I still run Meta and Google campaigns in Saudi Arabia?

Yes. You must ensure tags only fire after valid consent, that cross-border transfer terms in your DPA with the platform are documented, and that any custom audience upload is backed by specific, documented consent for that use. Consent Mode v2 and the Conversions API are the current standard.

What is the fine for a PDPL violation?

Administrative fines can reach SAR 5,000,000 per violation, doubled for repeat offenses. Certain aggravated cases can trigger additional penalties tied to annual revenue. Intentional harmful disclosure of personal data can attract criminal penalties including up to two years of imprisonment.

Do I need to store Saudi customer data inside Saudi Arabia?

Not for most categories after the 2023 amendments — cross-border transfers are permitted under specific lawful mechanisms. However, sensitive data, certain public-sector data, and data classified as nationally important face stronger localization expectations, and many Saudi enterprise procurement teams still require in-Kingdom hosting as a contractual condition.

Is WhatsApp marketing still possible under the PDPL?

Yes, with a specific, separable, logged opt-in for WhatsApp as a channel, a clear purpose, and a single-step opt-out. Broadcasting to pre-PDPL lists without fresh consent is the single fastest way to generate a complaint to SDAIA.