According to Section 62, the telecommunication apparatus requires approval of the Authority before it is connected for use by a licensee. As a basis of approval, the Authority may publish a notice in the Gazette establishing standards to which an apparatus of a specified description shall conform to be approved. It is reported that self-declaration of conformity is not allowed in Zimbabwe.

According to Art. 47 of the Mid-Term Monetary Policy Statement, users are restricted to only one mobile wallet account per person and a daily transfer limit of ZW 5,000 (approx. USD 50). This applies to individuals for person-to-person transfers, person-to-merchant payments for goods and services, bill settlement and purchase of airtime. In addition, pursuant to Art. 50 merchants are not allowed to make payments from their wallets. This is also the case for agent mobile money wallets, which have been abolished by the Policy. In this regard, users can no longer make transactions through mobile money agents. It is reported that this is likely to affect customers in rural Zimbabwe who rely on the agents to access mobile money services. These agents gave rural consumers the opportunity to integrate into the financial system.

It is reported that the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 10, below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

The Consumer Protection Act (Chapter 14:44) of 2019 provides a comprehensive framework for consumer protection that also applies to online transactions.

Zimbabwe has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Zimbabwe has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Zimbabwe has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

According to Art. 7.1 of the Broadcasting Services Act, no person may provide a broadcasting service or operate as a signal carrier in Zimbabwe without a broadcasting licence or a signal carrier licence. Art. 7.2 specifies that a broadcasting licence authorises the licensee to offer various types of broadcasting services, including narrowcasting, datacasting, and webcasting. However, under Art. 8.1, a broadcasting licence can only be issued to individuals who are citizens of Zimbabwe or to a corporate entity in which a controlling interest is held, whether directly or indirectly, by one or more Zimbabwean citizens.
Art. 7 of Broadcasting Services (Licensing and Content) Regulations, 2004 provides the licensing requirements for narrowcasting, datacasting, and webcasting. It is reported that the Zimbabwean authorities might use this section to require licensing fees for video-on-demand and live-streaming services (YouTube, Facebook, Netflix, etc.), and, as a result, smaller companies have to obtain licenses ranging from USD 2,500 to USD 20,000.

Zimbabwe has a telecommunications authority: The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ). However, it is reported that this entity is not fully independent.

Section 8 of the Postal and Telecommunications (Subscriber Registration) Regulations of 2014 stipulated that subscriber information in the telecom sector must not be transferred outside the Republic of Zimbabwe. An amendment in 2019 introduced new provisions. According to the revised Section 8, if transferring subscriber information to a foreign host becomes necessary or unavoidable for operational purposes, the service provider must ensure that the data is encrypted to prevent it from being read by the foreign host. The local service provider is required to retain the encryption keys to prevent unauthorised access. Additionally, before entering into any storage arrangement, the service provider must submit a report on data protection measures and hosting agreements to the relevant authority. Furthermore, the service provider must obtain clear, affirmative consent in writing from the subscriber for the transfer of personal data and must not sell, trade, or share the transferred data.
Reports indicate that the approvals of the regulators for data transfers are evaluated on a case-by-case basis.

Sections 28 and 29 of the Cyber and Data Protection Act establish a framework for the cross-border transfer of data. Data can be transferred to countries that offer adequate protection. In addition, data can be transferred if it is in the public interest to do so. The data subject must provide consent for their information to be transferred. However, this consent may also be implied or offered ambiguously.
Moreover, Section 11 of the Cyber and Data Protection Act prohibits the processing of sensitive personal information unless with the consent of the data subject or where processing is for legitimate purposes. Sensitive data, according to Section 3, includes social, political, and cultural information, as well as health and genetic information, and any information which may be considered as presenting a significant risk to the rights of the data subject.

Zimbabwe has not joined any free trade agreement committing to open transfers of cross-border data flows.

Zimbabwe has a comprehensive regime of data protection in place: the Cyber and Data Protection Act [Chapter 12:07] was promulgated with the policy objective of data privacy and protection of all data collected by Data Controllers both within and outside Zimbabwe depending on the location of the means used to process the said data. The Act seeks to shield the privacy of such information and regulate the way in which such information is stored, used and disclosed.

Sections 4-7 of the Postal and Telecommunications Regulations mandate ICT service providers to obtain, record and store personal information of juristic and natural persons who are registered with these entities. Such a register is to be known as a Subscriber Register. The register is to be provided to POTRAZ or any state agency upon request and without delay. Furthermore, the regulation provides for the establishment of a Central Subscriber Database, which is the consolidated portal for personal information gathered from subscribers.

The Interception of Communications Act provides wide-ranging powers to state security agencies to have access to personal data. Section 5 mandates that intelligence, defence, police, and prison services request warrants of interception from the executive in charge of postal and telecommunication services. Section 9 of the Interception of Communications Act instructs ISPs to install necessary surveillance technologies and intercept any content that the state may deem fit. In addition, Section 9 obliges data services providers and processors to cooperate with the state in enabling data access. To this end, data processors are instructed to capture full personal information, regularly update it, and use technologies that can be intercepted.
It is reported that warrants allowing the monitoring and interception of communications are issued by the Minister of Information at their discretion. Consequently, there is no adequate judicial oversight or other independent safeguard against abuse, and the extent and frequency of monitoring remains unknown.