Kenyans registering new SIM cards may soon have to submit some of the most intimate biological identifiers known to science, including DNA analysis, blood type, and detailed biometric markers, under new regulations proposed by the Communications Authority of Kenya (CA). The data demands, critics warn, could expose millions of subscribers to serious privacy risks.
The CA last month issued a notice directing all mobile network operators and subscribers to comply with the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025. Non-compliance attracts fines of up to Sh1 million or a six-month jail term.
The rules dramatically expand the scope of personal information that telcos must collect, moving beyond the traditional identifiers (names, ID numbers, and dates of birth) to include a broad category of highly sensitive biometric and physiological data.
“Biometric data means personal data resulting from specific technical processing based on physical, physiological or behavioural characterisation, including blood typing, fingerprinting, DNA analysis, earlobe geometry, retinal scanning, and voice recognition,” the regulations state.
While the law obligates operators to keep this information confidential and secure, analysts say the new obligations introduce risks the telcos are ill-equipped to manage.
“It is a big risk to spread such sensitive data to more hands. We cannot be sure that all telcos have sufficient capacity to handle huge volumes of such sensitive data,” said tech analyst Phil Emorang.
“A telecommunications operator shall take all reasonable steps to ensure the security and confidentiality of its subscribers’ registration particulars in accordance with the Act and the Data Protection Act (Cap. 411C),” read the regulations.
Service providers fear a double bind: the heavy cost of compliance on one side, and the potential erosion of subscriber trust on the other.
The most contentious issue is the apparent conflict between the new requirements and Kenya’s Data Protection Act, which enshrines the principle of data minimisation — that organisations should collect only what is adequate, relevant, and necessary to achieve a specific purpose.
According to guidance issued by the Office of the Data Protection Commissioner (ODPC), service providers must ensure that personal data is collected sparingly, stored only for as long as necessary, and deleted once its purpose is fulfilled. Sensitive data, including genetic and biometric information, is subject to even tighter restrictions.
By contrast, the regulations mandate telcos to maintain comprehensive databases of subscriber biometric records and submit them to the CA every quarter. Operators must also grant the regulator access to their systems, premises, files, and infrastructure. Legal experts say the arrangement effectively outsources sensitive identity-management functions to private companies without clear safeguards.
Shift unsettles industry norms
Kenya’s telecom, fintech, and banking sectors have spent years promoting data minimisation as a trust-building measure. Banks routinely mask credit card digits and tokenise account identifiers, while fintechs increasingly anonymise user information wherever possible.
Mobile money providers have also attempted to adopt similar privacy-first practices. Two years ago, Safaricom informed developers on its M-Pesa network that it would progressively minimise data exposure in line with customer demands.
The company developed a feature to mask customer phone numbers during Till and PayBill payments, but has been unable to deploy it due to CA restrictions.
Airtel Kenya has likewise revised its data protection policies to limit collection to what is strictly necessary and to use anonymised data whenever possible.
“Airtel Kenya will evaluate whether and to what extent the processing of personal data is necessary and, where the purpose allows, anonymised data must be used,” states the firm in its data protection policy.