Kenya has a Data Protection Act. What it doesn't have is enforcement, and millions of Kenyans are paying the price as their personal information is harvested, sold, and exploited without their knowledge or consent.
Every time a Kenyan enters an office building, apartment complex, or institution and writes their name, phone number, or ID in a visitor's book, that data doesn't simply disappear. In many cases, it is digitized, stored carelessly, and sold or shared with third parties. No one asks permission. No one explains what will happen to the information. The visitor simply signs and walks away, unaware they have just fed the data mining machine.
Online platforms present an even bigger problem. Job hiring websites collect CVs, phone numbers, emails, work history, and ID numbers from desperate job seekers. Many Kenyans believe this information is used only for recruitment. Instead, some platforms quietly monetize it by selling access to recruiters, advertisers, or data brokers, all buried in vague "terms and conditions" that no one reads and few would understand.
The result is endless spam calls, targeted scams, and systematic privacy violations. Random callers somehow know your name, your job status, your location. This is not magic. This is digital exploitation, and it is happening at scale.
Kenya's Data Protection Act, 2019, was supposed to prevent exactly this. Section 25 requires lawful, fair, and transparent processing of personal data. Section 26 requires explicit consent for data collection. Section 29 gives individuals the right to know how their data is used. Section 30 restricts unauthorized sharing of personal data.
Most data collection in Kenya fails every single one of these tests.
Yet enforcement remains weak to nonexistent. The Office of the Data Protection Commissioner has limited resources, limited visibility, and limited political will behind it. Meanwhile, institutions, platforms, and businesses continue harvesting Kenyan data as if it were a free resource ripe for extraction.
This is not a technical problem. This is a governance problem. Data has value. Right now, that value is being extracted from ordinary Kenyans unlawfully and carelessly, while the profits flow to platforms and intermediaries who face zero accountability.
