The Office of the Data Protection Commissioner has confirmed that sending promotional text messages without consent amounts to unlawful data processing and can attract financial penalties and compensation.
In a recent determination involving Samuel Kamau Waweru v Platinum Credit Limited, the regulator fined the lender KSh 400,000 for sending unsolicited promotional SMS messages to an individual who had not consented to receive them.
The ruling marks a significant shift in how nuisance text messages are treated under Kenya’s data protection law. What many mobile phone users have long dismissed as harmless or unavoidable marketing has now been formally classified as a violation of personal data rights.
The Office of the Data Protection Commissioner made it clear that a phone number does not give companies automatic permission to market their products. Consent to receive promotional messages must be clear, informed, and specific. It cannot be assumed simply because a person once took a loan, downloaded an application, opened an account, or shared their contact details in the past.
The regulator further stated that once consent is absent or has been withdrawn, continued promotional messaging becomes illegal, regardless of how widespread the practice may be in the industry.
According to the determination, businesses are required to demonstrate that consent was freely given and that individuals were informed about how their data would be used. Failure to do so exposes companies to penalties and possible compensation claims by affected individuals.
The ruling has wide implications beyond the lender involved in the case. Banks, digital lenders, loan applications, SACCOs, betting firms, and other businesses that rely on bulk SMS marketing are all subject to the same standards.
For Kenyan consumers, the decision means unwanted promotional messages are no longer just an inconvenience. They can now form the basis of a formal complaint and lead to financial consequences for companies that ignore consent requirements.
The determination reinforces the growing role of data protection enforcement in Kenya and signals that the regulator is prepared to act against organisations that misuse personal data, even in areas that have long been normalised.
