Kenya’s fast-growing digital economy has made personal data one of the most valuable and most abused resources in the country. From mobile lenders and e-commerce platforms to marketing agencies, companies are collecting, sharing and using customer information at an unprecedented scale. While this has unlocked innovation and financial inclusion, recent court decisions, including the ruling ordering Platinum Credit to compensate a phone user for persistent unsolicited loan messages, reveal a sinister side: widespread disregard for privacy and consent.
At the centre of the problem is weak enforcement, not the absence of law. Kenya already has the Data Protection Act, 2019, which clearly outlines how personal data should be collected, stored, processed and shared. It also created the Office of the Data Protection Commissioner (ODPC) to enforce compliance. However, many companies continue to operate as though the law is optional. Customer phone numbers are regularly traded, reused for marketing without consent, and used to send excessive promotional messages. The relatively low number of penalties compared to the scale of violations has reduced the law’s deterrent effect.
One of the most urgent reforms needed is stronger enforcement power and capacity for the ODPC. The office must be given greater financial and operational independence, more staff and advanced investigative tools to track data misuse across sectors. Audits of high-risk industries such as digital lending, insurance, telecommunications and direct marketing should be made routine rather than complaint-based. Regular public reporting of investigations and penalties would also improve transparency and deter offenders.
Second, Kenya needs clearer, stricter consent standards. Currently, consent is often buried in complex terms and conditions that most people do not read or understand. Policy reform should require all companies to seek explicit, simple, opt-in consent before sending any marketing communication. Consent must also be easy to withdraw. Where consent is not clearly recorded or cannot be proven, the default should be that the communication was illegal.
Another key reform is the introduction of meaningful financial and criminal penalties for repeat offenders. Some companies simply treat fines as a cost of doing business. Progressive penalties, increasing with each violation, and personal liability for managers who authorize illegal data use could significantly improve compliance. In extreme cases, licenses of repeat offenders should be suspended or revoked.
Kenya can also benefit from creating a national “Do Not Contact” registry, similar to systems in other countries such as the United States of America, where citizens can officially opt out of telemarketing and promotional messaging. Any organization that contacts a registered number without clear permission should automatically be subject to penalties. This would move the burden away from the consumer and onto the sender.
Finally, public awareness must be part of the reform process. Many Kenyans do not know their data rights or where to report violations. Government agencies, civil society and the private sector should invest in national campaigns to educate citizens on data privacy and how to protect themselves.