DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

πŸ‡°πŸ‡ͺ Sub-Saharan Africa

Cookie consent in Kenya

Consent and privacy law in Kenya

In short
Kenya's Data Protection Act of 2019 is closely modelled on the GDPR and enforced by the Office of the Data Protection Commissioner, an active regulator in the region. A distinctive feature is a mandatory registration regime under which many data controllers and processors must register with the ODPC, with thresholds set by regulation. The ODPC has issued enforcement decisions and fines, including in the digital lending sector over misuse of contacts and consent. Consent must be express, informed, and freely given, and the Act provides GDPR-style rights and breach notification. Notices in English are common. Cookies that identify users are personal data under the Act.
Authority
Office of the Data Protection Commissioner (ODPC)
Status

Data Protection Act 2019, with registration regulations from 2022

Primary law
DPA KE
Languages

en

Who must comply

Data controllers and processors established in Kenya, and those abroad that process personal data of data subjects in Kenya.

Penalties

Penalties up to 5 million Kenyan shillings or 1 percent of annual turnover

Key obligations

  • Obtain express, free and specific consent where it is the basis
  • Provide notice of purpose and rights before collection
  • Honor access, rectification, erasure and objection rights
  • Register as a data controller or processor where required
  • Notify the commissioner and affected people of breaches

Local guidance

  • Register with the ODPC where thresholds are met
  • Use express, informed, and freely given consent
  • Take special care in digital lending and marketing
  • Apply GDPR-style rights and breach notification

How ConsentX helps

  • Express, specific opt-in consent capture
  • Direct-marketing opt-out controls
  • Geo-aware banner for Kenyan visitors
  • Rights request workflow with evidence
  • Region rule engine tuned for Kenya
Get started free
yoursite.com
πŸ‡°πŸ‡ͺ Kenya

We value your privacy

We ask for your consent before any non-essential cookie, with the rules that apply in your region.

Allow allReject non-essentialManage preferences

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with Kenya using ConsentX

  1. 1

    Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Kenya.

  2. 2

    Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor region and shows the consent experience that Kenya requires, automatically.

  3. 3

    Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. 4

    Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a Kenya audit.

  5. 5

    Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Do I need to register with Kenya's ODPC?+

Many data controllers and processors must register with the Office of the Data Protection Commissioner, with thresholds set by the registration regulations of 2022.

Has Kenya enforced its data protection law?+

Yes. The ODPC has issued enforcement decisions and fines, notably in the digital lending sector for misusing borrowers' contacts and processing without proper consent.

Governing law

πŸ‡°πŸ‡ͺ DPA KE

Other countries in Sub-Saharan Africa

πŸ‡ΏπŸ‡¦ South AfricaπŸ‡³πŸ‡¬ NigeriaπŸ‡¬πŸ‡­ Ghana