{"id":875,"date":"2026-04-10T02:37:00","date_gmt":"2026-04-10T02:37:00","guid":{"rendered":"https:\/\/baadvocates.com\/?p=875"},"modified":"2026-04-10T03:27:04","modified_gmt":"2026-04-10T03:27:04","slug":"a-glimpse-into-kenyas-data-protection-laws-on-unsolicited-marketing","status":"publish","type":"post","link":"https:\/\/baadvocates.com\/index.php\/2026\/04\/10\/a-glimpse-into-kenyas-data-protection-laws-on-unsolicited-marketing\/","title":{"rendered":"A GLIMPSE INTO KENYA\u2019S DATA PROTECTION LAWS ON UNSOLICITED MARKETING"},"content":{"rendered":"\n

Introduction<\/u><\/strong><\/h2>\n\n\n\n

Have you ever received an avalanche of unwanted promotional messages from a bank, a microfinance institution, a supermarket or any other company? Do you often wonder where they got your contacts or why you are receiving them even if you never opted in?<\/p>\n\n\n\n

If you have, you are not alone. For many Kenyans, unsolicited promotional SMS have become part of everyday life, buzzing into our phones at all hours, interrupting our routines and cluttering our personal space. But what most people do not realize is that this is not just an irritation; it is a potential violation of the law.<\/p>\n\n\n\n

Behind every unsolicited message is a legal question: did you consent and if not, why is your data being used?<\/p>\n\n\n\n

 <\/h2>\n\n\n\n

The Right to Privacy<\/u><\/strong><\/h2>\n\n\n\n

Article 31 of the Constitution of Kenya guarantees your right to privacy, which includes the right not to have private affairs or communications unnecessarily revealed or infringed upon.<\/p>\n\n\n\n

This protection extends directly to your phone and your messages. Any company that sends you unsolicited promotional SMS is engaging with your private communication space and must therefore justify that intrusion under the law.<\/p>\n\n\n\n

Your phone number is not just a contact detail, it is personal data protected by law.<\/p>\n\n\n\n

To give effect to this right, the Data Protection<\/strong><\/p>\n\n\n\n

Act, 2019<\/strong> was enacted. It empowers the Office of the Data Protection Commissioner (ODPC) to regulate how personal data is collected, used and protected.<\/p>\n\n\n\n

 <\/u><\/strong><\/h2>\n\n\n\n

This Act transforms privacy from a general right into enforceable legal obligations for businesses.<\/strong><\/p>\n\n\n\n

Data Sourcing: How did they get your number?<\/u><\/strong><\/h2>\n\n\n\n

Under Section 30 of the Data Protection Act, companies and service providers are strictly prohibited from collecting or using your personal information without a lawful basis the most common being your explicit permission. Under this law, service providers are treated as “Data Controllers” (those who decide why your data is processed) or “Data Processors” (those who handle data on behalf of a controller).<\/p>\n\n\n\n

This raises an important question: if you never gave your number, how did they get it?<\/em><\/strong><\/p>\n\n\n\n

If you have never signed up for a service, the law does not allow that company to possess or use your personal details which includes your name and phone number for marketing purposes.<\/p>\n\n\n\n

Yet, in practice, many businesses rely on questionable methods to build contact lists methods that fall squarely outside the law.<\/p>\n\n\n\n

Practices such as buying contact lists, scraping numbers from websites or assuming consent simply because someone interacted with your business are all blatant violations of data protection principles.<\/p>\n\n\n\n

Even where your number is publicly available, that does not mean it is free for commercial use.<\/p>\n\n\n\n

Direct Marketing<\/u><\/strong><\/h2>\n\n\n\n

In legal terms, these messages fall under “direct marketing” any communication sent directly to an individual using their personal data to promote goods or services. This includes SMS, WhatsApp messages, emails and even targeted online advertisements.<\/p>\n\n\n\n

Under Regulation 14(2) of the Data Protection (General) Regulations, 2021, direct marketing is defined as a commercial use of personal data where:<\/p>\n\n\n\n

    \n
  1. A catalogue is addressed to a data subject;<\/li>\n<\/ol>\n\n\n\n
      \n
    • An advertisement is displayed on an online site where a data subject\u2019s personal data has been captured; or<\/li>\n<\/ul>\n\n\n\n
        \n
      • An electronic message about a sale or an advertisement is sent to a data subject using their personal data.<\/li>\n<\/ul>\n\n\n\n

        In simple terms, if your phone number is used to send you a promotional message, the law considers that a regulated activity.<\/p>\n\n\n\n

        Additionally, the Consumer Protection Act, 2012, reinforces this by protecting consumers from unsolicited services, which can include the costs or data usage associated with receiving unwanted digital marketing.<\/p>\n\n\n\n

        Consent: The Line Between Lawful and Unlawful Marketing<\/u><\/strong><\/h2>\n\n\n\n

        The law provides that  businesses must obtain consent before sending promotional messages.<\/p>\n\n\n\n

        Under Section 37(1) of the Act, a data handler can only use personal data for commercial purposes where:<\/p>\n\n\n\n

          \n
        1. It obtains consent from the data subject; or<\/li>\n\n\n\n
        2. It is authorized under a written law and the data subject is informed of such use during collection.<\/li>\n<\/ol>\n\n\n\n

          Crucially, consent must be explicit, informed and freely given. It cannot be assumed, implied or hidden in the fine print.<\/p>\n\n\n\n

          This means pre-ticked boxes, vague privacy notices or clauses buried in lengthy terms and conditions documents do not constitute valid consent.<\/p>\n\n\n\n

          It also means:<\/p>\n\n\n\n

            \n
          1. No buying lists from third parties unless you can demonstrate that each individual consented to receive your messages specifically.<\/li>\n\n\n\n
          2. No scraping phone numbers from websites, social media or public directories.<\/li>\n\n\n\n
          3. No implied consent from casual interactions such as visiting a shop or liking a page.<\/li>\n<\/ol>\n\n\n\n

            If a business cannot clearly show when and how you agreed to receive marketing messages, then those messages are likely unlawful.<\/p>\n\n\n\n

            The Right to Object<\/u><\/strong><\/p>\n\n\n\n

            Even where consent was initially given, the law gives you full control. Every marketing message must include a simple, free-of-charge mechanism for recipients to opt out, such as replying \u201cSTOP.\u201d<\/p>\n\n\n\n

            Under the Data Protection Act, the right to object to processing for direct marketing purposes is absolute. This means once a data subject says “stop,” the business has no legal discretion the processing must cease immediately.<\/p>\n\n\n\n

            Regulations 8(4) and 16 require that this opt-out mechanism be accessible, clear and functional. Regulation 17 further provides that it should be as simple as replying with a single instruction or clicking a link.<\/p>\n\n\n\n

            <\/p>\n\n\n\n

            In practical terms, any promotional message sent after you have opted out is not just annoying it is unlawful.<\/p>\n\n\n\n

            Under regulation 18, requests to restrict disclosure to third parties must also be complied with within seven (7) days.<\/p>\n\n\n\n

            Targeted Marketing and Profiling<\/u><\/strong><\/h2>\n\n\n\n

            Profiling is defined under Section 2 of the Act as automated processing of personal data to evaluate and predict a data subject\u2019s preferences and behaviour.<\/p>\n\n\n\n

            This is what allows businesses to send you targeted or personalized promotions based on your interests.<\/p>\n\n\n\n

            However, the law sets limits. Regulation 13(2)(b) expressly prohibits the use of a child\u2019s profile for direct marketing.<\/p>\n\n\n\n

            This highlights the law\u2019s intention to protect vulnerable groups from intrusive and potentially exploitative marketing practices.<\/p>\n\n\n\n

            Compliance for businesses<\/u><\/strong><\/h2>\n\n\n\n

            Direct marketing is one of the most common ways businesses reach new customers. However, ease of marketing does not remove legal responsibility.<\/p>\n\n\n\n

            Under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, most businesses handling personal data must register with the ODPC.<\/p>\n\n\n\n

            While small entities with a turnover below Kshs. 5,000,000 and fewer than ten employees may be exempt from the mandatory registration fee, they are NOT <\/strong>exempt from the compliance requirements of the Act.<\/p>\n\n\n\n

            Regardless of size, every business must still obtain valid consent, process data lawfully and provide effective opt-out mechanisms.<\/p>\n\n\n\n

            Landmark ODPC Rulings<\/u><\/strong><\/p>\n\n\n\n

            The law on promotional SMS is not only codified,  it is actively enforced by the Office of the Data Protection Commissioner (ODPC) and recent decisions show a clear willingness to penalise non-compliant businesses.<\/strong><\/strong><\/p>\n\n\n\n

            David Owuor & 2 Others v. Ceres Tech Limited t\/a Rocketpesa (2023), In this case, three data subjects lodged complaints after receiving repeated promotional messages and calls from Rocketpesa, a digital lending platform.<\/strong><\/strong><\/p>\n\n\n\n

            The complainants argued that:<\/strong><\/strong><\/p>\n\n\n\n

              \n
            1. They had never consented to receive marketing communications;<\/strong><\/li>\n\n\n\n
            2. The messages were persistent and intrusive; and<\/strong><\/li>\n\n\n\n
            3. There was no clear or functional opt-out mechanism provided.<\/strong><\/li>\n<\/ol>\n\n\n\n

              Upon investigation, the ODPC made several critical findings:<\/strong><\/p>\n\n\n\n

                \n
              1. The company had processed personal data without a lawful basis, as it could not demonstrate that consent had been obtained;<\/strong><\/li>\n\n\n\n
              2. It had failed to provide an opt-out mechanism, which is a mandatory requirement under the law;<\/strong><\/li>\n\n\n\n
              3. In some instances, it had continued sending messages even after the data subjects objected, directly violating their absolute right to object to direct marketing;<\/strong><\/li>\n\n\n\n
              4. The company was also found to be a repeat offender, having failed to comply with a previous Enforcement Notice issued in an earlier complaint.<\/strong><\/li>\n<\/ol>\n\n\n\n

                As a result, the ODPC awarded a total of Kshs. 2,600,000<\/strong> in compensation to the three complainants.<\/p>\n\n\n\n

                This case is significant because it reinforces three key principles: consent must be provable, opt-out mechanisms are mandatory and ignoring a data subject\u2019s objection will attract serious consequences.<\/p>\n\n\n\n

                Dennis Gathara v. Goodtimes Africa (2024<\/strong>), In this matter, the complainant received promotional SMS messages from Goodtimes Africa despite never having consented to such communication.<\/p>\n\n\n\n

                What made this case particularly serious was that:<\/p>\n\n\n\n

                  \n
                1. The data subject had explicitly objected to receiving further messages;<\/li>\n\n\n\n
                2. He had also made a request for erasure of his personal data;<\/li>\n\n\n\n
                3. Despite this, the company continued sending promotional messages.<\/li>\n<\/ol>\n\n\n\n

                  The ODPC found that:<\/strong><\/strong><\/p>\n\n\n\n

                    \n
                  1. The company had no lawful basis for processing the complainant\u2019s data;<\/strong><\/li>\n\n\n\n
                  2. It had failed to provide an effective opt-out mechanism;<\/strong><\/li>\n\n\n\n
                  3. It had violated the data subject\u2019s absolute right to object to direct marketing;<\/strong><\/li>\n\n\n\n
                  4. It had also failed to honour a valid request for erasure, which is another fundamental right under the Act.<\/strong><\/li>\n<\/ol>\n\n\n\n

                     <\/h2>\n\n\n\n

                    The ODPC consequently awarded the complainant Kshs. 700,000<\/strong> as compensation.<\/p>\n\n\n\n

                    This decision underscores that once a data subject objects or requests deletion of their data, any continued use of that data especially for marketing is a clear breach of the law.<\/p>\n\n\n\n

                    These decisions send a clear message: infringing on a Kenyan’s digital privacy is an expensive mistake.<\/p>\n\n\n\n

                    From these rulings, a consistent pattern emerges:<\/p>\n\n\n\n

                      \n
                    1. Consent is not optional it must be obtained and proven.<\/li>\n<\/ol>\n\n\n\n
                        \n
                      • Opt-out mechanisms are not a courtesy they are a legal requirement.<\/li>\n<\/ul>\n\n\n\n
                          \n
                        • The right to object is absolute once invoked, all marketing must stop immediately.<\/li>\n<\/ul>\n\n\n\n
                            \n
                          • Failure to comply can lead to significant financial penalties and reputational damage.<\/li>\n<\/ul>\n\n\n\n

                            In essence, the ODPC is sending a clear message to businesses, respect data privacy or pay the price.<\/p>\n\n\n\n

                             <\/h2>\n\n\n\n

                            Global Perspective<\/u><\/strong><\/h2>\n\n\n\n

                            Kenya\u2019s approach aligns with global standards such as the EU\u2019s General Data Protection Regulation (GDPR), <\/strong>which also requires explicit consent and recognizes the absolute right to object to direct marketing.<\/p>\n\n\n\n

                            This reflects Kenya\u2019s commitment to international best practices in data protection.<\/p>\n\n\n\n

                            Conclusion<\/u><\/strong><\/h2>\n\n\n\n

                            Unwanted promotional SMS may seem like a minor inconvenience, but the law treats them very differently.<\/strong><\/strong><\/p>\n\n\n\n

                            They sit at the intersection of privacy, consent and commercial activity and businesses must navigate this space carefully.<\/strong><\/strong><\/p>\n\n\n\n

                            For individuals, this means you have the right to control how your personal data is used, to refuse marketing and to demand that companies stop contacting you.<\/strong><\/strong><\/p>\n\n\n\n

                            For businesses, it means promotional SMS are not just a marketing tool they are a regulated activity governed by strict legal requirements.<\/strong><\/strong><\/p>\n\n\n\n

                            Ultimately, the next time your phone buzzes with an unsolicited message, it is worth asking not just \u201cwho sent this?\u201d<\/em> but \u201cwas this lawful?\u201d<\/em><\/strong><\/strong><\/p>\n\n\n\n

                            Disclaimer:<\/em><\/strong> The information provided in this article is for general informational purposes only and does not constitute legal advice. The author\/website is not responsible for any errors or omissions and a party desiring legal advise should get in touch with the authors<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

                            Introduction Have you ever received an avalanche of unwanted promotional messages from a bank, a microfinance institution, a supermarket or any other company? Do you often wonder where they got your contacts or why you are receiving them even if you never opted in? If you have, you are not alone. For many Kenyans, unsolicited […]<\/p>\n","protected":false},"author":1,"featured_media":909,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"class_list":["post-875","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection"],"_links":{"self":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts\/875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/comments?post=875"}],"version-history":[{"count":1,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts\/875\/revisions"}],"predecessor-version":[{"id":876,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/posts\/875\/revisions\/876"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/media\/909"}],"wp:attachment":[{"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/media?parent=875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/categories?post=875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/baadvocates.com\/index.php\/wp-json\/wp\/v2\/tags?post=875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}