A recent ruling against CJ’s, a popular Nairobi restaurant chain, has set a precedent on unsolicited marketing after the Office of the Data Protection Commissioner (ODPC) ordered the eatery to pay a man Sh75,000 for sending him promotional text messages without his consent.
In October 2025, Steve Onwonga Omwenga filed a complaint at the ODPC accusing the chain of constantly bombarding him with promotional text messages about their delivery services.
In his claim, Mr Omwenga said he had never shared his personal data or telephone number with CJ’s, and wondered why the eatery would be sending him messages despite not giving it prior consent. He also noted that there was no option to opt out of receiving the texts.
CJ’s sent him promotional messages on September 15, 22, and 25.
After receiving the third promotional message from CJ’s, he contacted the eatery by email to complain and requested that the restaurant acknowledge that it had broken the law by processing personal data without his permission. He also stated that he wanted to resolve the matter amicably.
Mr Omwenga then sought compensation or general damages, noting that prior efforts to settle the matter directly with CJ’s had been unsuccessful.
In its defence, CJ’s told the Data Commissioner that the messages sent to Mr Omwenga formed part of a general customer outreach and promotional campaign intended to inform the public about free delivery services during the festive season, and that there was no malicious intent.
The restaurant, however, claimed that after it received Mr Omwenga’s complaint, it immediately ceased all communication to the number, permanently deleted it from its database and assured him that no further messages would be sent. CJ’s alleged that it was surprised to learn that Mr Omwenga had filed a complaint against it.
The eatery said that besides deleting his data from its database, it invited him for an amicable meeting which took place on November 29, 2025 during which CJ’s explained the actions it had taken, issued an apology and offered him a Sh10,000 dining voucher as a gesture of goodwill.
CJ’s alleged that Mr Omwenga accepted the apology but sought time to consider the offer, and subsequently requested a better offer via SMS, which the restaurant declined, maintaining that its proposal was fair.
The eatery insisted the incident was an isolated lapse and not a systemic failure, maintaining that personal data was not shared with any third party.
Expressing regret for the breach, CJ’s also urged the Data Commissioner to provide guidance that carefully balances the rights of data subjects with the need to shield legitimate businesses from abuse of process by complainants.
When issuing a determination, the Data Commissioner noted the law stipulates that a data controller or processor shall not process personal information unless the subject consents to it.
“The respondents processed the complainant's personal data without obtaining consent. The respondent failed to obtain a lawful basis for processing the complainant's data for marketing purposes. The processing was therefore unlawful, non-transparent, and unfair, as the complainant had no opportunity to object or opt out before receiving the messages.”
Although acknowledging the apology and goodwill gesture by CJ’s to Mr Omwenga, the Data Commissioner noted that the eatery was still guilty of violating the Data Protection Law.
“The Office notes that the Respondent subsequently took remedial measures, including reaching out, issuing an apology, offering a goodwill gesture of Sh10,000, ceasing further communications and implementing consent-based marketing controls. While these actions mitigate the severity of the breach, they do not absolve the respondent of liability. In consideration of these mitigating factors, the Office hereby orders the respondent to pay the complainant Sh75,000 as compensation.”
