Key Facts
Overview
Kenya's Data Protection Act 2019 (Act No. 24 of 2019) is a comprehensive privacy law enforced by the Office of the Data Protection Commissioner (ODPC). It requires data controllers to register with the ODPC before processing personal data and to obtain consent as the primary legal basis for processing. The law is notable for its unusual penalty calculation: the fine is whichever is lower of KES 5 million or 1% of annual turnover. Criminal penalties of up to 10 years imprisonment also apply.
What This Means for Your Website
If your website collects personal data from users in Kenya, you must register as a data controller with the ODPC, appoint a Data Protection Officer when required, and obtain freely given, specific, and informed consent before collecting any personal data. You also need to conduct Data Protection Impact Assessments for high-risk processing activities and respond to data subject requests within statutory timelines.
Key Requirements
Organizations must register with the ODPC if their annual turnover exceeds KES 5 million or they have more than 10 employees. Consent must be obtained before processing personal data. DPIAs are required for high-risk processing. Breach notifications must be submitted promptly. The ODPC has a 90-day complaint resolution timeline, signaling active enforcement expectations.
How ConsentStack Handles This
ConsentStack provides a compliant consent banner that collects freely given, specific, and informed consent as required by Kenya's DPA. It automatically records consent preferences with timestamps for audit purposes, supports data subject rights workflows, and helps you demonstrate compliance with ODPC registration requirements through detailed consent logs.
Penalties
KES 5,000,000 or 1% of annual turnover (whichever is LOWER); daily penalty KES 10,000 for continuing violations; up to 10 years imprisonment
Key Requirements
- Mandatory registration with ODPC for controllers/processors (KES 5M+ turnover or 10+ employees)
- DPO appointment required for public bodies, large-scale sensitive data, or systematic monitoring
- Data Protection Impact Assessment required for high-risk processing
- Consent must be freely given, specific, and informed
- Data subjects have rights of access, rectification, and erasure
- 90-day complaint resolution timeline for ODPC
Notable Provisions
- Penalty cap uses "whichever is LOWER" — unusual globally as most laws use "whichever is higher"
- Criminal penalties including up to 10 years imprisonment
- Registration thresholds based on turnover and employee count
- 90-day complaint resolution requirement
Frequently Asked Questions
Does Kenya's DPA apply to my website?
Yes, if you collect personal data from users in Kenya, the DPA applies regardless of where your organization is based. Registration with the ODPC may be required.
What are the penalties for non-compliance with Kenya's DPA?
Penalties include KES 5 million or 1% of annual turnover (whichever is lower), daily fines of KES 10,000 for continuing violations, and up to 10 years imprisonment.
Do I need a Data Protection Officer under Kenya's DPA?
A DPO is required for public bodies, organizations processing large-scale sensitive data, or those conducting systematic monitoring of individuals.
How does Kenya's DPA compare to GDPR?
Kenya's DPA shares many GDPR principles, including consent requirements, DPIAs, and data subject rights, but uniquely uses a "whichever is lower" penalty cap and requires mandatory ODPC registration.
Stay compliant with Kenya DPA 2019
ConsentStack helps you implement opt-in consent for the Republic of Kenya automatically.