SMS spam surge sparks fears of data misuse among phone users

Frustrated users have flooded telcos’ customer-care pages on social media with complaints, questioning how unknown companies acquired their numbers. 


Kenyan mobile phone users are raising concerns over a surge in spam or unsolicited promotional SMSs, increasing scrutiny over how telecom operators handle customers’ personal data and whether regulators are doing enough to curb intrusive messaging.

Subscribers say their phones have been inundated with trivia alerts, quizzes, motivational quotes, betting platform notifications and digital lending offers, including messages from services they have never used.

Some of these alerts deduct airtime or mobile money balances without clear consent, while attempts to unsubscribe often lead to dead ends.

Frustrated users have flooded telcos’ customer-care pages on social media with complaints, questioning how unknown companies acquired their numbers and whether the contacts were obtained legitimately or through undisclosed data-sharing arrangements.

“I'm concerned about my data privacy. I'm getting spam messages about gambling and I didn't give consent. Can you help me understand how my number was obtained?” one user wrote on the social media platform X last month.

On Tuesday, the Communications Authority of Kenya (CA) acknowledged the rising anger, calling the matter a priority.

“We have also noted consumer frustration over spam messages, unsolicited subscriptions, unauthorised use of phone numbers and unauthorised premium services,” the regulator said in a statement.

“These concerns are a priority for the Authority, and the improved SIM card registration processes are part of the larger strategy to safeguard consumer interests.”

The regulator was referencing new SIM card registration rules issued by ICT Cabinet Secretary William Kabogo, which require telcos to collect biometric data, including fingerprints, when onboarding customers.


The rules are framed as a tool for combating fraud and strengthening accountability, but they have sparked controversy of their own over the sensitivity of how subscriber data is stored and used.

A September report by Kenya’s second-largest telco, Airtel, showed that the country had the highest prevalence of spam SMS among 13 African countries monitored by its AI-powered spam alert tool, with 68 million suspicious messages flagged out of 205 million detected across the markets.

Safaricom, in its data privacy statement, insists that it collects customer information with full knowledge and consent and uses it strictly for defined purposes such as identity verification, billing, credit scoring and sending product updates, unless a customer opts out.

“We may… contact you with offers or promotions based on how you use our or third-party products and services unless you opt out,” the company says.

According to data security specialist Raymond Kamau, the assumption that telcos are directly leaking customer phone numbers is not always accurate.

“There are many places these companies may have gotten people’s phone numbers from; websites where you sign up using your number, online purchases, or even places you leave your data for access control,” he told the Business Daily in an interview.

“It does not necessarily mean your mobile carrier gave your data to a third party.”

Mr Kamau adds that tracing the original source of personal data used to send spam or flash messages is often difficult:

“The telcos cannot stop it unless you alert them,” he said, noting that customer reports are key to blocking problematic senders.

Such complaints fall within the mandate of the Office of the Data Protection Commissioner (ODPC).

“If a customer does not know who shared their data without permission, they should raise the issue with the ODPC,” said a data privacy lawyer.

“Where possible, one should also contact the sender directly and ask how they obtained the number.”

Under the Data Protection Act, marketers may send direct marketing messages only if they collected the customer’s data legally, notified them that marketing is a purpose of collection and provided a working opt-out mechanism.

“It is a violation when the SMS marketer does not give an opt-out option in their message, when the option does not work, or when marketing messages continue even after a subscriber opts out,” said the lawyer.

The law also requires marketers to include clear contact information through which consumers can request that the communications stop, without incurring charges.

Consumers also have the right to ask a data controller not to process their data for all or part of a specific purpose, including direct marketing.

“A data subject may request a data controller or data processor not to process all or part of their personal data, for a specified purpose or in a specified manner, such as direct marketing purposes,” the Act states.

An aggrieved mobile subscriber can complain to the ODPC by filling out the complaint form available online and sending it via email.

“The ODPC then investigates within 90 days,” said the lawyer. “If the investigation reveals who illegally shared the customer’s data, the user can pursue a case against the responsible data processor or controller.”
