What the Data Protection Act 2019 Means for Cookies

Kenya enacted the Data Protection Act (DPA) in November 2019, making it one of the most comprehensive privacy laws in East Africa. The Act applies to any organisation that processes the personal data of individuals located in Kenya, regardless of where the organisation itself is based.

Cookies fall within the DPA's scope when they store or transmit personal data. Tracking cookies such as _ga and _fbp, and the advertising identifiers they carry, are personal data under the Act's broad definition: any information relating to an identified or identifiable natural person. A pseudonymous identifier still qualifies when it can single out one device or person across visits, even if no name is ever attached to it.

The DPA does not contain a standalone section dedicated to cookies or electronic communications the way the EU's ePrivacy Directive does. Instead, cookie compliance is governed by the Act's general consent and data processing principles, found primarily in Sections 25 through 32.

Consent Requirements Under the DPA

The DPA defines consent as an express, unequivocal, free, specific and informed indication of the data subject's wishes, given by a statement or a clear affirmative action. Section 32 adds the conditions: the controller bears the burden of proving that consent was obtained, and the data subject may withdraw it at any time. That definition sets a high bar, one that rules out pre-ticked checkboxes, implied consent through continued browsing, and bundled consent buried inside terms of service.

For cookie banners, this means you must present visitors with a genuine choice before setting non-essential cookies. The burden of proving that valid consent was obtained rests on you as the data controller.

Data subjects also have the right to withdraw consent at any time, and that withdrawal must be as straightforward as the original act of giving consent. A cookie banner that collects consent but offers no simple way to revoke it will not satisfy the DPA.

The ODPC and Enforcement Powers

The Office of the Data Protection Commissioner (ODPC) is Kenya's dedicated supervisory authority. Established under Section 5 of the DPA, the office, headed by the Data Commissioner, oversees registration of data controllers and processors, investigates complaints, and issues enforcement notices.

Administrative fines under the current Act (Section 63) cap at KES 5,000,000 (roughly USD 38,000) or 1% of annual turnover, whichever is lower. Compensation orders, which are paid to the complainant rather than to the state, are a separate remedy and are not subject to that cap. The ODPC has actively used these powers. By mid-2025, the office had received over 7,600 complaints and issued 247 determinations, 112 enforcement notices, and 19 penalty notices. Organisations collectively paid over KES 30 million under compensation orders during 2025 alone.

A pending Data Protection (Amendment) Bill proposes changing the penalty calculation from "whichever is lower" to "whichever is higher," which would substantially increase exposure for larger organisations.

Recent Enforcement Examples

Liquid Telecommunications Kenya was fined KES 700,000 for collecting and processing personal data without consent. In a separate 2025 case, the ODPC ordered Grain Industries Limited to pay KES 1,000,000 in compensation after using an individual's image in a marketing campaign without permission. Digital lender Whitepath received a KES 250,000 fine for listing a person as a loan guarantor without their knowledge.

These cases signal that the ODPC is willing to act on individual complaints, not only large-scale breaches.

Which Cookies Need Consent in Kenya?

The DPA's consent requirement applies whenever personal data is processed on the basis of consent. Strictly necessary cookies such as PHPSESSID for session management or a pll_language cookie storing a language preference generally do not need a banner. Be precise about why: a session ID is still a unique identifier, and once the visitor logs in it is linked to a known person. The defensible position is that such cookies are processed under another lawful basis in Section 30 (performance of a contract with the visitor, or the controller's legitimate interest in running the site), not that they are never personal data. That argument only holds while the cookie does nothing beyond what the visitor asked for; reuse a session ID for analytics and it becomes a tracking cookie.

Cookies that track behaviour, build profiles, or share data with third parties require prior consent. The table below sets out how common cookie categories map to DPA obligations.

Cookie category | Examples | Collects personal data? | Consent required?
Strictly necessary | PHPSESSID, pll_language | Typically no | No
Functional | Chat widget preferences, A/B test assignment | Sometimes | Yes, if personal data is processed
Analytics | _ga, _gid | Yes | Yes
Marketing/Advertising | _fbp, IDE | Yes | Yes

Kenya DPA vs GDPR: Key Differences

The DPA draws heavily from the GDPR, sharing concepts such as lawful bases for processing, data subject rights, and cross-border transfer restrictions. There are meaningful differences, though.

Area | Kenya DPA 2019 | EU GDPR
Maximum fine | KES 5 million or 1% of turnover (whichever is lower) | EUR 20 million or 4% of global turnover (whichever is higher)
Cookie-specific rules | No standalone cookie provision; general consent rules apply | ePrivacy Directive provides specific cookie rules alongside GDPR
Supervisory authority | ODPC (single commissioner) | Multiple DPAs across member states
Data breach notification | 72 hours to ODPC where the breach creates a real risk of harm; data subjects notified in writing within a reasonably practical period (Section 43) | 72 hours to DPA; data subjects notified if high risk
DPO requirement | Not mandatory: Section 24 says a controller "may" designate one, with public bodies, regular and systematic monitoring, and large-scale sensitive data named as the triggering situations | Required based on processing type and scale
Extraterritorial reach | Applies to processing of data of persons in Kenya | Applies to processing of data of persons in the EU

If your site already meets GDPR standards, you are well positioned for Kenya's DPA. The main gap to watch is the absence of a separate ePrivacy-style rule, which means the general consent framework applies to all cookie processing.

Compliance Checklist for Kenyan Websites

Use this checklist to verify your site meets the DPA's requirements for cookies and consent.

  1. Audit your cookies. Run a cookie scan to identify every cookie and tracker your site sets, including those added by third-party scripts.

  2. Categorise each cookie. Separate strictly necessary cookies from analytics, marketing, and functional cookies that process personal data.

  3. Implement a consent mechanism. Display a cookie banner that requests consent before non-essential cookies are set. Consent must be opt-in, not opt-out.

  4. Provide clear information. Your banner and cookie policy should explain which cookies you use, why, and who receives the data.

  5. Allow easy withdrawal. Give visitors a straightforward way to change or revoke their consent at any time.

  6. Keep records. Store proof of each consent event, including what was consented to, which version of the cookie policy was shown, when, and by whom. The DPA places the burden of proof on the data controller. The record is itself personal data, so keep it to what proves consent (a consent ID or pseudonymous visitor key, the categories, the policy version and a timestamp) rather than logging the visitor's full browsing context.

  7. Register with the ODPC. Data controllers and processors operating in Kenya must register with the ODPC under Section 18 of the Act. The registration regulations exempt some small entities by turnover and headcount, but the exemption does not apply to organisations in the listed higher-risk sectors, so check the thresholds rather than assuming you are below them.

  8. Review cross-border transfers. If cookie data is transferred outside Kenya, confirm that adequate safeguards are in place as required by Section 48.
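The checklist above is a procedure, so here is one way to implement steps 1 to 6 in the browser-side code that sets cookies. This is an added example, not Kukie.io's code or a reference to any particular consent platform. The cookie names come from the table on this page; the rules table, the shape of the consent record, the policyVersion field and the loadIfAllowed helper are assumptions made for the example. Unknown cookies are deliberately treated as requiring consent until someone classifies them, because an unclassified tracker is the usual way a "compliant" site leaks data before the banner is answered.

```javascript
// Added example (not Kukie.io's code): an opt-in consent gate for the
// checklist steps above. Rules table, record shape and policyVersion are
// assumptions; cookie names are the ones discussed on this page.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Step 2: classification rules. Anything not listed is "unclassified" and is
// blocked like a consent-requiring cookie until it has been reviewed.
const COOKIE_RULES = [
  { pattern: /^PHPSESSID$/,        category: "necessary" },
  { pattern: /^pll_language$/,     category: "necessary" },
  { pattern: /^_ga(_[A-Z0-9]+)?$/, category: "analytics" }, // _ga and GA4 _ga_<ID>
  { pattern: /^_gid$/,             category: "analytics" },
  { pattern: /^_fbp$/,             category: "marketing" },
  { pattern: /^IDE$/,              category: "marketing" },
];

function classifyCookie(name) {
  const rule = COOKIE_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unclassified";
}

// Step 1: audit. Takes a document.cookie / Cookie-header string and returns
// every cookie name with its category, so unclassified trackers stand out.
function auditCookies(cookieString) {
  return cookieString
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf("=");
      const name = eq === -1 ? pair : pair.slice(0, eq);
      return { name, category: classifyCookie(name) };
    });
}

// Steps 3, 5 and 6: opt-in state, withdrawal that is one call, and a record
// of each consent event (what, which policy version, when).
class ConsentManager {
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion;     // policy text the visitor actually saw
    this.now = now;                         // injectable clock, so records are reproducible
    this.granted = new Set(["necessary"]);  // opt-in: nothing else until the visitor acts
    this.log = [];
  }

  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      this.granted.add(c);
    }
    this.record("grant", categories);
  }

  // Withdrawal must be as easy as granting: defaults to everything non-essential.
  withdraw(categories = CATEGORIES.filter((c) => c !== "necessary")) {
    for (const c of categories) this.granted.delete(c);
    this.record("withdraw", categories);
  }

  record(action, categories) {
    // The record is itself personal data: keep it to what proves consent.
    this.log.push({ action, categories: [...categories], policyVersion: this.policyVersion, at: this.now() });
  }

  records() {
    return this.log.slice();
  }

  // The gate every tag loader consults before setting a cookie. "unclassified"
  // is never in the granted set, so unknown cookies stay blocked.
  isAllowed(cookieName) {
    return this.granted.has(classifyCookie(cookieName));
  }
}

// Runs a third-party loader (e.g. the GA or Meta pixel snippet) only once
// its category has been consented to; returns whether it ran.
function loadIfAllowed(manager, category, loader) {
  if (!manager.granted.has(category)) return false;
  loader();
  return true;
}

// Stand-alone demo with a constructed cookie string.
console.log(auditCookies("PHPSESSID=abc; _ga=GA1.2.1; _fbp=fb.1; foo=bar"));
const demoManager = new ConsentManager("cookie-policy-v1");
console.log("before consent, _ga allowed:", demoManager.isAllowed("_ga")); // false
demoManager.grant(["analytics"]);
console.log("after consent, _ga allowed:", demoManager.isAllowed("_ga"));  // true
demoManager.withdraw();
console.log(demoManager.records());
```

In a real deployment the granted set and log would be persisted (a first-party cookie or localStorage for the visitor's choice, a server-side store for the proof), and every analytics or advertising snippet would be wrapped in loadIfAllowed rather than loaded unconditionally in the page head. The audit function is also useful in a test suite: run it against document.cookie after loading the page with no consent given, and fail the build if anything other than "necessary" comes back.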

Cookie Consent Across East and Southern Africa

Kenya is part of a growing wave of African data protection legislation. If your website serves visitors across the continent, you will need to account for multiple overlapping frameworks.

South Africa's POPIA has been fully enforceable since July 2021 and carries fines of up to ZAR 10 million. Nigeria's NDPR applied a percentage-of-turnover penalty model, and its successor, the Nigeria Data Protection Act 2023, keeps a turnover-based approach. Ghana's Data Protection Act 2012 predates Kenya's law and is enforced by the Data Protection Commission.

Tanzania, Uganda, and Ethiopia have each introduced or strengthened their own data protection rules in recent years. A geo-detection approach that adapts your consent banner based on visitor location helps you meet each country's specific requirements without a one-size-fits-all banner.

Frequently Asked Questions

Does Kenya's Data Protection Act apply to websites outside Kenya?

Yes. The DPA applies to any organisation that processes personal data of individuals located in Kenya, regardless of where the organisation is incorporated or hosted.

Are analytics cookies like Google Analytics covered by the DPA?

Yes. Cookies such as _ga and _gid collect unique identifiers that qualify as personal data under the Act. You need prior consent before setting them.

What is the maximum fine for non-compliance with Kenya's DPA?

The current maximum is KES 5,000,000 or 1% of annual turnover, whichever is lower. A pending amendment bill proposes changing this to whichever is higher.

Do I need to register with the ODPC as a data controller?

In most cases. Section 18 of the DPA requires data controllers and data processors operating in Kenya to register with the Office of the Data Protection Commissioner. The registration regulations exempt some small entities by turnover and headcount, except those in listed higher-risk sectors, so confirm the current thresholds before relying on an exemption.

Can I use a cookie wall that blocks access until consent is given?

The DPA requires consent to be freely given. A cookie wall that denies all access unless cookies are accepted may not meet this standard, as the visitor has no genuine choice.

How does Kenya's DPA compare to the GDPR?

The DPA shares many GDPR concepts, including lawful bases for processing, data subject rights, and breach notification within 72 hours. The main differences are lower maximum fines and the absence of a standalone ePrivacy-style cookie provision.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Kenya's Data Protection Act.

Start Free - Scan Your Website