The Data Protection Act, 2019, effective from 25 November 2019, is Kenya’s primary data privacy law. It enshrines the constitutional right to privacy and establishes the Office of the Data Protection Commissioner (ODPC) to oversee data protection, governed by subsidiary regulations on registration, general compliance, and enforcement.
Businesses should note that the DPA applies to both Kenyan and non-Kenyan entities processing the personal data of Kenyan residents. Those residents hold the right to be informed, as well as the rights to access, rectification, erasure, portability, objection to automated decisions, and opting out of direct marketing.
Businesses must also register with the ODPC, appoint data protection officers, conduct data protection impact assessments, and implement data protection and security safeguards.
To verify compliance:
Map and specify cookie use: map current cookie usage and classify the data collected.
Implement consent management: review consent mechanisms for clarity and granularity.
Track consent: keep records of user consent and allow for withdrawal.
Maintain privacy policy: update your privacy policy to reflect cookie practices.
Registration: register as a data controller or processor with the ODPC where applicable.
Any data controller or processor (public or private) handling personal data of Kenyan residents, regardless of where the entity is based, must comply with the DPA. Small businesses are not exempt.
Rwanda’s DPPL gives residents a set of data privacy rights, including:
Request access to their personal information
Request to know how personal data is being collected and used
Request that inaccurate, incomplete or out-of-date information be corrected
Request the erasure of their personal information under certain circumstances
Request to opt out of processing of their data
Request data in a structured, commonly used format
Request that decisions not be made solely on automated processing
Organizations must obtain consumer consent before processing data
File complaints with the Office of the Data Protection Commissioner in the case of data protection violations
Cookies that collect or transfer personal information (like through third parties or analytics) are subject to DPA rules. Businesses must categorize cookies, state their purposes and gather valid consent prior to deployment.
DPA non-compliance can lead to:
Fines up to 5 million KES or 1% of annual turnover, whichever is lower
Specific breaches (e.g. processing without consent, failure to register, obstructing ODPC) can accrue separate fines (20,000–3 million KES) or prison terms (up to 10 years)
The ODPC may issue compliance directives, seize equipment, or refer matters for prosecution as part of its enforcement authority.
Individuals can claim damages for data rights violations by bringing civil suits against violators.
Reputational fallout and brand damage often follow as collateral consequences.
DPA Kenya compliance and data privacy best practices go hand in hand:
Conduct data and cookie audits: review current data practices to identify areas that need aligning with the DPA.
Update privacy and cookie policies: revise privacy notices to clearly outline data practices, consumer rights, and how to exercise those rights.
Implement consent management: manage cookie use and consent with a comprehensive consent management platform like CookieHub.
Educate employees: train employees on the importance of compliance with the DPA.
Implement breach processes: ensure clear pathways for notifying consumers about data breaches.
Assign a privacy officer: add a privacy officer to your organization to manage compliance.
A consent management platform like CookieHub can simplify DPA Kenya compliance by automating cookie categorization, banner presentation, consent recording, withdrawal handling, and regulatory reporting—ensuring your website meets DPA Kenya compliance standards.
The DPA applies to any person or organization—whether established in Kenya or outside—that processes personal data of individuals located in Kenya. It governs how personal data is collected, stored, used, and shared, ensuring privacy and protection for data subjects.
Personal data refers to any information that relates to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers, or other data that can be used to identify someone directly or indirectly.
Sensitive personal data includes information that reveals a person’s race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, sexual orientation, or sex life. This type of data is subject to stricter protection requirements under the Act.
The Office of the Data Protection Commissioner (ODPC) is the regulatory authority responsible for overseeing the implementation and enforcement of the DPA in Kenya.
The DPA does not apply to data processing done for purely personal or household activities. Additionally, exemptions may apply in cases involving national security, public interest, or journalism, subject to specific legal conditions.
You can find more information by visiting the official website of the Office of the Data Protection Commissioner (ODPC). The site offers resources, guidelines, and updates related to data protection in Kenya.
©2018-2025 CookieHub ehf.