Data Protection for SMEs: Is Your Customer List a Legal Risk?

Collecting M-Pesa numbers for marketing? Without consent, that customer list could cost you millions in fines.

Walk into some hardware stores in Thika, or boutiques in Ruiru, and you will see the same routine. A customer pays via M-Pesa. The business owner writes the number in a “counter book” or saves it to a phone. A week later, that customer receives a text message: “New Stock Arrived! 50% Off.”

It seems like smart business. It feels efficient. It feels like modern marketing.

But under the Data Protection Act, 2019, this common practice is a legal minefield. The days of treating customer data as “free property” are over.

At Waweru Nyambura Law, we help modern businesses navigate the digital economy. We have noticed a dangerous trend: many SMEs believe that data laws only apply to giants like Safaricom or Google. This is a costly mistake. The Office of the Data Protection Commissioner (ODPC) is now actively targeting small businesses—clubs, schools, and digital lenders—for mishandling personal data.

Today, we are auditing your customer list. Is it an asset, or is it a liability waiting to explode?

Meet the Watchdog: Who is the ODPC?

Before we dive into the fines, you need to understand the regulator. The Office of the Data Protection Commissioner (ODPC) is the body established under the Act to regulate the processing of personal data in Kenya.

They are not just a policy-making body; they have teeth. Their mandate includes:

  • Investigation: They can enter your premises (with a warrant) to inspect your computers and records.
  • Enforcement: They can issue enforcement notices demanding you stop processing data.
  • Penalties: They can impose fines of up to Ksh 5 Million or 1% of your annual turnover, whichever is lower.

The ODPC has moved from an “education phase” (2019–2022) to an “enforcement phase” (2023 onwards). They are actively encouraging Kenyans to report businesses that spam them or misuse their photos.

The “Consent” Trap: The M-Pesa Misconception

This is where 90% of Kenyan businesses fail. The scenario is simple: A customer pays you via M-Pesa. You now have their phone number and full name on the transaction message.

The Mistake: You assume that because they paid you, you have the right to save that number and use it for marketing (WhatsApp status views, Bulk SMS, calling them).

The Law: Section 32 of the Act requires express consent. Just because a customer gave you their number to pay (transactional purpose) does not mean they gave you permission to market to them (commercial purpose). Using that data for a different purpose without fresh consent is a breach of privacy.

Legal Reality: “Implied Consent” is dead. You cannot say, “They didn’t say no.” The customer must take a positive action (like ticking a box or signing a form) to agree to marketing.

The Cautionary Tales: Recent ODPC Fines

Nothing illustrates the risk better than the recent penalty notices issued by the ODPC. These cases are fascinating because they dismantle common defenses used by business owners.

1. The Casa Vera Lounge Fine (Ksh 1,850,000)

The Offense: A popular Nairobi club posted a photo of a reveler on their social media pages to promote the club’s vibe. The reveler complained that they did not consent to their image being used for advertising.

The Defense: The club likely argued that the person was in a public place and knew photos were being taken.

The Verdict: The ODPC fined them Ksh 1.85 Million. The ruling clarified that while you can take photos for security, you cannot use a person’s image for commercial gain (advertising) without their written consent. A “Disclaimer” at the entrance is not enough.

2. The Roma School Fine (Ksh 4,550,000)

The Offense: A school posted pictures of minors (students) on their social media pages to market the school. Parents complained.

The Verdict: A massive Ksh 4.55 Million fine. Under the Act, data relating to children is classified as “Sensitive Personal Data.” The bar for processing it is incredibly high. You cannot use students as marketing props without explicit, written parental consent.

3. The WhitePath Fine (Ksh 5,000,000)

The Offense: A digital lender was accessing the contacts of defaulters and calling their friends/family to shame them into paying.

The Verdict: The maximum fine of Ksh 5 Million. As reported in the Business Daily, the ODPC ruled that accessing third-party contacts (who never signed a loan agreement) is a gross violation of privacy. This signaled the end of “debt shaming” tactics in Kenya.

Are You a “Data Controller”? (Registration is Mandatory)

Many SMEs ask, “Do I really need to register?” Since July 2022, it has been mandatory for certain businesses to register with the ODPC as Data Controllers or Processors.

If you process personal data for any of the following, you MUST register:

  • Financial services: This includes Saccos, digital lenders, and even businesses that offer credit.
  • Health administration: Clinics, chemists, and hospitals (handling sensitive health data).
  • Education: Schools and colleges (handling data of minors).
  • Hospitality: Hotels, Airbnbs, and clubs (handling ID copies and guest logs).
  • Direct Marketing: If your core business involves sending bulk SMS or email blasts.

Operating without a certificate is a criminal offense under the Act.

The SME Compliance Checklist

We know this sounds overwhelming. But as modern litigators, we believe compliance should be an enabler, not a blocker. Here is how to protect your business today:

  1. The “Opt-In” Box: If you want to send marketing texts, have a physical or digital form where customers tick a box saying, “I agree to receive offers.” Do not assume.
  2. Privacy Policy: Your website (and even your physical reception) needs a simple Privacy Policy explaining what data you collect, why you collect it, and how long you keep it.
  3. Secure the “Counter Book”: Do not leave the book of customer names open on the counter where other customers can see it. That is a data breach.
  4. Delete Old Data: If a customer hasn’t bought from you in 3 years, why are you keeping their ID copy? Data Minimization is a key principle of the Act.
  5. CCTV Signage: If you have cameras, you must have a visible sign saying “CCTV in Operation.” Recording people secretly is illegal.

Why Compliance is a Competitive Advantage

In 2025, trust is currency. Customers are tired of spam SMS and betting companies selling their numbers. When you tell a client, “We respect your privacy and will never spam you,” you build loyalty.

When you have a clear Privacy Policy, you look like a professional corporate entity, not a “Jua Kali” operation. It opens doors to partnerships with larger corporates who can only work with compliant vendors.

Conclusion

Data protection is not just for Safaricom. It is for the hardware store, the private school, and the real estate agent in Thika. The fines are real, and as the Casa Vera case showed, the ODPC is ready to make examples of businesses that ignore the law.

Don’t wait for an enforcement notice to fix your systems.

Need a Data Privacy Audit or ODPC Registration?
[Book a Consult] with Waweru Nyambura Law. We can review your data practices, draft your privacy policy, and get you compliant in under 48 hours.
