Kenya just hit the brakes on the wild ride of biometric data collection and age verification—at least to check if we’re all still buckled in. The Office of the Data Protection Commissioner (ODPC) has released two major draft guidance notes: one on processing biometric data and another on handling children’s data, including age assurance online. Think of it as Kenya’s way of saying: “Yes, we want to be a digital powerhouse—but not at the cost of your privacy.”
Let’s break it down.
Biometrics: Use Responsibly or Face the Tune
Biometric data—like your fingerprints, face, retina scans, and voice patterns—is no longer just the stuff of spy movies. From your bank’s facial recognition to time-in/time-out fingerprint scans at work, this stuff is everywhere. But here’s the kicker: it’s sensitive. So the ODPC wants companies to treat it as such.
Under the new draft guidance, every organization processing biometric data must register with the ODPC. They’re required to show they have a good reason for collecting such data (lawful basis), ensure it’s accurate, only use what’s necessary (data minimization), and toss it out when it’s no longer needed. No hoarding biometric data like it’s your childhood toys.
There’s also a checklist for compliance, including requirements for a Data Protection Impact Assessment (DPIA), mandatory breach notifications within 72 hours, and use of international standards like ISO/IEC 39794. So yes, it’s serious business.
And if you think this is just bark without bite, ask Worldcoin. In mid-2023, the controversial crypto-biometric project landed in hot soup for scanning irises of Kenyans in exchange for tokens—without proper safeguards or consent protocols. The Ministry of Interior promptly halted the operation and the High Court recently ordered Worldcoin to delete biometric data, citing massive privacy violations. That saga served as a wake-up call—not just for regulators but for the public too. It proved just how far things can go without clear, enforced rules. And now, those rules are being drawn up.
Age Assurance: Keeping Kids Safer Online
The ODPC is also aiming to shield kids from the nastier corners of the internet. In the draft Guidance Note on the Processing of Children’s Data, it calls for age verification methods that are privacy-preserving, proportionate, and grounded in a risk-based approach. That means platforms like social networks and gaming sites will be expected to ramp up protections based on how risky their environments are. In line with this, the Communications Authority of Kenya has set an October 2025 deadline for enforcing these guidelines.
And no, blanket ID checks for everyone just to access a cartoon site aren’t encouraged. The idea is to find a balance—verify age without collecting more data than necessary.
While these guidance notes are still drafts, it’s worth noting that the ODPC has already begun setting precedents with actual penalties. In September 2023, it slapped several organizations with fines totalling KES 9,375,000 for mishandling personal data—including a school which published photos of minors without parental consent. These weren’t symbolic wrist slaps either. The message is loud and clear: privacy violations will cost you.
So businesses better take this seriously. The age of impunity is over. The ODPC is building its teeth—and it’s not afraid to bite.
Kenya Joins the Privacy Vanguard
This isn’t happening in isolation. South Africa’s POPIA law, Nigeria’s NDPR, the EU’s GDPR, and even the UK’s Children’s Code all emphasize similar protections. Kenya is simply catching up.
If you’re a regular Kenyan with a smartphone and an internet connection, you’ve likely already handed over some biometric data—knowingly or not. These new rules, once finalized, are meant to give you more control and make sure organizations don’t abuse your trust. And here’s where you come in: the ODPC is inviting public comments on the draft guidance before it’s finalized. You can download the comment template from ODPC’s website, fill it in with your feedback, and send it to compliance@odpc.go.ke.
The deadline for submissions is May 30, 2025.
Whether you’re a parent, techie, privacy advocate, or just someone who values their data, this is your chance to speak up and shape the rules that will affect how your data is handled going forward.
Discover more from Techish Kenya
Subscribe to get the latest posts sent to your email.
