Kenya Data Protection Act & SMS Marketing: What You Must Know
Stay compliant with Kenya's Data Protection Act 2019 when running SMS campaigns. Understand consent requirements, opt-out obligations, data storage rules, and penalties for non-compliance.
The Data Protection Act 2019: A Quick Overview
Kenya's Data Protection Act (DPA) was signed into law on 8 November 2019, making Kenya one of the first East African countries with comprehensive data protection legislation. For businesses sending bulk SMS — whether promotional campaigns, transactional messages, or informational alerts — this law fundamentally changed the rules of engagement.
The Act is enforced by the Office of the Data Protection Commissioner (ODPC), and non-compliance can result in penalties of up to KES 5 million or 1% of annual turnover, whichever is higher. For a business doing KES 500 million in annual revenue, that is a potential KES 5 million fine — enough to wipe out an entire marketing budget.
This is not a law you can afford to ignore. Here is what every Kenyan business using SMS marketing needs to know.
What Constitutes Valid Consent for SMS?
The DPA requires that personal data (including phone numbers) be processed lawfully. For SMS marketing specifically, this means obtaining valid consent before sending promotional messages. But what qualifies as valid consent?
Requirements for Valid Consent
- Freely given — the customer must not be coerced. You cannot make a purchase conditional on agreeing to receive SMS marketing.
- Specific — the customer must know they are consenting to SMS messages specifically, not just general "communications."
- Informed — the customer must be told who will be sending messages, what type of content to expect, and how frequently.
- Unambiguous — a clear affirmative action (ticking a box, sending "YES" to a short code) is required. Pre-ticked checkboxes do not count.
Consent Examples in Practice
Here are real-world examples that Kenyan businesses encounter:
Valid consent: A customer visits your Westlands shop, fills out a loyalty card form, and ticks a box labelled "I agree to receive promotional SMS messages from [Your Shop] about offers and new products. I can opt out at any time by texting STOP."
Invalid consent: A customer gives you their phone number for delivery purposes. You add them to your marketing list without asking. This violates the purpose limitation principle — the number was collected for delivery, not marketing.
Valid consent (digital): On your website checkout, a separate, unticked checkbox says "Send me weekly deals via SMS." The customer actively ticks it.
Invalid consent: Buying a phone number list from a data broker at Marikiti market. Those people never consented to hear from your business.
The Purpose Limitation Principle
Under Section 25 of the DPA, personal data must be collected for a specified, explicit, and legitimate purpose and not processed in a manner incompatible with that purpose. This means:
- If someone gave you their number for order delivery SMS, you cannot use it for promotional campaigns without separate consent.
- If someone signed up for account alerts, you cannot sell their number to partner businesses for cross-promotion.
- Each new use of the phone number requires its own consent or a compatible purpose.
Data Minimisation
Section 26 requires that you only collect data that is adequate, relevant, and limited to what is necessary. For SMS marketing, this means:
- You need the phone number and consent status. You probably do not need the customer's ID number, date of birth, and home address just to send promotional SMS.
- Segment your data: store marketing consent separately from transaction data.
- Regularly review your contact lists and remove people who have not engaged in 12+ months.
Opt-Out Requirements: The STOP Mechanism
Every promotional SMS you send must include a mechanism for the recipient to opt out. The industry standard in Kenya is to include "Reply STOP to opt out" at the end of messages, or to provide a toll-free number for opt-out requests.
Key requirements:
- Immediate effect — once someone opts out, you must stop sending within 48 hours (practically, it should be instant).
- Free of charge — the opt-out mechanism must not cost the recipient anything.
- Easy to execute — one-step opt-out. Do not require people to visit a website, fill a form, or call a number during business hours.
- Permanent record — maintain a suppression list of opted-out numbers. Never re-add them without fresh consent.
At KenyaSMS, our platform includes built-in opt-out management. When a recipient replies STOP, their number is automatically added to your suppression list and excluded from all future campaigns. This happens without any action from you — the system handles it in real time.
Data Storage and Security Obligations
The DPA imposes obligations on how you store customer phone numbers and consent records:
- Security measures — implement appropriate technical measures to protect phone numbers from unauthorised access, loss, or theft.
- Breach notification — if your customer database is breached, you must notify the ODPC within 72 hours and affected customers without unreasonable delay.
- Cross-border transfers — if your SMS platform stores data outside Kenya, ensure the destination country has adequate data protection laws or obtain explicit consent for the transfer.
- Retention — do not store phone numbers longer than necessary. Define a retention policy and stick to it.
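The opt-out, purpose-limitation and retention rules above translate into a small amount of record-keeping logic that any sender can implement. The following is an added example written for this article; it is not KenyaSMS code, and the number formats, 365-day retention window, data structures and sample customers are all constructed assumptions. It keeps one consent record per (number, purpose), suppresses a number the moment a STOP reply arrives, refuses to let consent that predates the STOP re-enable the number, and runs the pre-campaign check that drops anyone without consent for this specific purpose, anyone suppressed, and anyone outside the retention window.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def normalise_msisdn(raw: str) -> str:
    """Map the usual ways a Kenyan mobile number is written onto one E.164 key.

    Assumption (not from the article): a STOP reply arrives as +2547XXXXXXXX while the
    same customer may be on file as 07XX XXX XXX. Keying the suppression list on the
    raw string would let an opted-out number slip back into the next campaign.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 12 and digits.startswith("254"):
        return "+" + digits
    if len(digits) == 10 and digits.startswith("0"):
        return "+254" + digits[1:]
    if len(digits) == 9 and digits[0] in "17":
        return "+254" + digits
    raise ValueError(f"unrecognised Kenyan number: {raw!r}")


@dataclass
class ConsentRecord:
    msisdn: str
    purpose: str        # "marketing", "delivery", ... (purpose limitation, s.25)
    source: str         # where consent was captured; the evidence shown to the ODPC
    given_at: datetime
    last_engaged: datetime


@dataclass
class ConsentLedger:
    records: dict = field(default_factory=dict)     # (msisdn, purpose) -> ConsentRecord
    suppressed: dict = field(default_factory=dict)  # msisdn -> time of the STOP

    def record_consent(self, raw, purpose, source, when):
        """Store consent for one purpose only. Consent dated before a STOP is void."""
        msisdn = normalise_msisdn(raw)
        stop_at = self.suppressed.get(msisdn)
        if stop_at is not None:
            if when <= stop_at:
                return False              # stale consent cannot override an opt-out
            del self.suppressed[msisdn]   # fresh consent given after the STOP lifts it
        self.records[(msisdn, purpose)] = ConsentRecord(msisdn, purpose, source, when, when)
        return True

    def handle_inbound(self, raw, text, when):
        """Inbound reply handler: STOP suppresses the number immediately."""
        if text.strip().upper() != "STOP":
            return False
        msisdn = normalise_msisdn(raw)
        self.suppressed[msisdn] = when
        self.records.pop((msisdn, "marketing"), None)   # marketing consent withdrawn
        return True

    def eligible_recipients(self, raws, purpose, now, retention=timedelta(days=365)):
        """Pre-campaign check: consent for this purpose, not suppressed, recently engaged."""
        out = []
        for raw in raws:
            msisdn = normalise_msisdn(raw)
            rec = self.records.get((msisdn, purpose))
            if rec is None:                          # collected for another purpose
                continue
            if msisdn in self.suppressed:            # opted out
                continue
            if now - rec.last_engaged > retention:   # beyond the retention policy
                continue
            out.append(msisdn)
        return out

    def prune(self, now, retention=timedelta(days=365)):
        """Retention: delete records that have not engaged within the policy window."""
        stale = [k for k, r in self.records.items() if now - r.last_engaged > retention]
        for k in stale:
            del self.records[k]
        return len(stale)


def run_demo():
    """Constructed scenario mirroring the article's consent examples."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    led = ConsentLedger()
    led.record_consent("0712 345 678", "marketing", "loyalty form, Westlands", t0)     # valid
    led.record_consent("+254722000111", "delivery", "checkout", t0)                 # delivery only
    led.record_consent("0733 555 666", "marketing", "web checkout", t0 - 400 * day)  # stale
    led.record_consent("254700111222", "marketing", "short code YES", t0)
    led.handle_inbound("+254700111222", "stop", t0 + day)                           # opts out
    campaign = ["0712 345 678", "+254722000111", "0733 555 666", "254700111222"]
    eligible = led.eligible_recipients(campaign, "marketing", t0 + 2 * day)
    pruned = led.prune(t0 + 2 * day)
    old_consent = led.record_consent("0700 111 222", "marketing", "old form", t0)   # predates STOP
    fresh = led.record_consent("0700 111 222", "marketing", "new form", t0 + 3 * day)
    again = led.eligible_recipients(campaign, "marketing", t0 + 4 * day)
    return eligible, pruned, old_consent, fresh, again


if __name__ == "__main__":
    print(run_demo())
```

Running the script sends the constructed campaign to only the Westlands loyalty customer: the delivery-only number has no marketing consent, the stale number is outside the retention window, and the number that texted STOP is suppressed until it gives fresh consent dated after the opt-out. The `source` field is what an audit asks for: which form, page or short-code reply produced the consent.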
Penalties for Non-Compliance
The ODPC has the power to impose significant penalties:
| Violation | Penalty |
|---|---|
| Processing without consent | Up to KES 5,000,000 or 1% of annual turnover |
| Failure to notify breach | Up to KES 3,000,000 |
| Obstruction of ODPC | Up to KES 5,000,000 or imprisonment up to 2 years |
| Unauthorised disclosure | Up to KES 3,000,000 or imprisonment up to 1 year |
Beyond fines, non-compliance can damage your brand reputation. In the age of social media, a single viral tweet about unwanted SMS spam can do more damage than any fine.
Your Compliance Checklist
- Audit your current contact list — do you have documented consent for every number?
- Implement clear opt-in at every collection point (physical forms, website, apps)
- Add opt-out instructions to every promotional SMS
- Maintain a suppression list and check it before every campaign
- Document your data retention and security policies
- Train staff who handle customer phone numbers
- Review your data processor agreements (including your SMS provider)
KenyaSMS helps you stay compliant with built-in opt-out management, consent tracking, and data security. Send your campaigns with confidence knowing that compliance is handled automatically. Trusted by over 10,000 Kenyan businesses.
Ready to Start Sending SMS?
Join thousands of Kenyan businesses using KenyaSMS. Get 10 free credits on signup.