The Data Protection Act (DPA) is a Kenyan law that was passed in 2019 and came into effect in July 2022. It sets out new rules for how companies may store and process personal data about Kenyan residents, and it imposes new obligations on how websites handle the personal data of their visitors. Personal information collected from an individual includes their name, identification number, and contact information such as email address and phone number. The law requires companies to be transparent about how they collect, use and share personal data. It also gives individuals more power over their information, including the right to ask for it to be deleted or corrected, the right to be forgotten online, and the right to object to automated decision-making, including profiling, that could have an impact on them.

As a website owner, you therefore need to make sure that your website complies with the DPA by meeting certain requirements. For example, only the cookies that are strictly necessary for the operation of your website may be activated automatically without first obtaining the consent of site visitors. For all other cookies, the DPA requires you to show a cookie consent pop-up before allowing users to continue browsing your website. It also requires you to provide essential information about how you collect and use personal customer data – such as the ability for visitors to access, correct, or delete their personal data – as well as the option for them to manage their privacy rights at any time.

DPA compliance can be complicated, but it is essential in this digital age to maintain the trust of your consumers. A website owner can ensure their site is compliant with the DPA by implementing the measures discussed below.

Update Privacy Policies

Under the Data Protection Act (DPA), all websites need to update their privacy policies to provide essential information about how they collect and use customer data. The privacy policy needs to be concise, transparent, easily accessible, and easy to understand, so that any user, regardless of age, can understand the terms. The privacy policy must also be delivered promptly, that is, at the point at which personal information is collected, and it must be provided to the visitor free of charge. When the website collects personal information directly from the visitor, the policy must clearly state the specific purposes for processing the visitor's data and the identity of any third party with whom the data will be shared. The privacy policy should also inform the visitor of any plans to transfer or store the data outside the country of operation.

The organization should secure all the data collected from its visitors. Securing data involves encryption, so that the data remains unreadable to anyone other than authorized parties. The organization also needs to conduct frequent vulnerability assessments to reduce the risk of breaches that could compromise personal data. In the event of a breach, the organization must notify the Data Protection Commissioner within 72 hours, as outlined in the Data Protection Act. Moreover, the privacy policy should tell the visitor how long the organization intends to retain their data. The policy should also inform the user of the existence of any automated decision-making system, including profiling, and of the significance and consequences of that processing for them.

Give visitors the ability to manage cookies

The privacy policy should be accompanied by a system that gives visitors the ability to manage cookie consent. Cookies are set by websites as a means of identifying a user online and contain details such as login information and page preferences. For a website to be compliant with the data protection guidelines, it must give the visitor control over cookies, especially third-party cookies. The website's visitors must have the choice to accept or refuse cookies in their browsers, and a website may not set third-party cookies in a visitor's browser without the visitor's unambiguous consent.
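The consent gate described above, written as an added example (this is not code from the original article or from any product it mentions). It assumes a constructed cookie catalogue in which each cookie is labelled with a category and whether it is third-party; only the "necessary" category is ever permitted without a recorded choice, anything other than an explicit opt-in is treated as refusal, and the browser glue at the bottom deletes cookies that are present but no longer permitted and only then loads deferred third-party scripts. The `data-consent-category` attribute and the function names are assumptions made for this example.

```javascript
// Added example: a minimal DPA-style cookie consent gate.
// The catalogue below is constructed for illustration; a real site would
// list its own cookies. "necessary" cookies are the only ones that may be
// set before the visitor has made a choice.
const COOKIE_CATALOG = [
  { name: "session_id", category: "necessary", thirdParty: false },
  { name: "csrf_token", category: "necessary", thirdParty: false },
  { name: "ui_prefs",   category: "functional", thirdParty: false },
  { name: "_ga",        category: "analytics",  thirdParty: true },
  { name: "_fbp",       category: "marketing",  thirdParty: true },
];

const OPTIONAL_CATEGORIES = ["functional", "analytics", "marketing"];

// State before the visitor has answered the banner: nothing optional is on.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false,
           marketing: false, decidedAt: null };
}

// Names of cookies that may be set under the given consent state.
// A null/undefined consent (no choice yet) permits only "necessary" cookies.
function permittedCookies(consent, catalog = COOKIE_CATALOG) {
  const c = consent || defaultConsent();
  return catalog
    .filter((ck) => ck.category === "necessary" || c[ck.category] === true)
    .map((ck) => ck.name);
}

// Record the visitor's choice. Only an explicit boolean true counts as
// opt-in; a missing key, "yes", 1, etc. is treated as refusal so that a
// malformed or pre-ticked form can never grant consent by accident.
function recordConsent(choices, now = Date.now()) {
  const c = defaultConsent();
  for (const cat of OPTIONAL_CATEGORIES) {
    c[cat] = choices[cat] === true;
  }
  c.decidedAt = now; // retained so the choice can be shown/renewed later
  return c;
}

// Withdrawing consent is the same as recording an all-refused choice.
function withdrawConsent(now = Date.now()) {
  return recordConsent({}, now);
}

// Given the cookie names currently present in the browser, return those
// that must be removed because the consent state no longer permits them.
function cookiesToPurge(presentNames, consent, catalog = COOKIE_CATALOG) {
  const allowed = new Set(permittedCookies(consent, catalog));
  return presentNames.filter((n) => !allowed.has(n));
}

// Parse a document.cookie string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((s) => s.trim().split("=")[0])
    .filter((n) => n.length > 0);
}

// Browser glue (skipped when run outside a browser, e.g. under Node).
// Deferred third-party scripts are expected in the page as
//   <script type="text/plain" data-consent-category="analytics" src="..."></script>
// and are only turned into real scripts once their category is permitted.
function applyConsentToBrowser(consent) {
  if (typeof document === "undefined") return;
  for (const name of cookiesToPurge(cookieNames(document.cookie), consent)) {
    document.cookie = `${name}=; Max-Age=0; path=/`;
  }
  const c = consent || defaultConsent();
  document.querySelectorAll("script[data-consent-category]").forEach((el) => {
    if (c[el.dataset.consentCategory] !== true) return;
    const s = document.createElement("script");
    s.src = el.src;
    el.replaceWith(s);
  });
}
```

The important design point is the default: until `recordConsent` has run, `permittedCookies(null)` yields only the two necessary cookies, so an analytics or marketing tag that is wired through `applyConsentToBrowser` simply never loads. Storing the consent record itself (for example in a first-party cookie or local storage) is out of scope here; whatever store is used, the record should carry `decidedAt` so the site can show the visitor when they chose and let them change it.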

Allow visitors to exercise privacy rights

Websites need to give visitors the ability to access, correct, or delete any personal information the website has collected. The user also has the power to restrict how their personal data is processed and to object to the way their data is currently being used. The visitor can also object to their personal information being used in an automated way, without any human involvement. The visitor further has the right to request a copy of their data from the website so that they can use it elsewhere. The website must provide visitors with an explicit procedure for requesting their data and must explain how the data will be provided upon request.

The next important step in complying with the DPA is ensuring that your organization and all of its affiliates are in compliance with the new requirements. Without full compliance, your organization and its affiliates could be subject to fines of up to KES 5 Million for infringements, as well as criminal sanctions. There is no excuse for non-compliance. It is up to you to protect your customers' data – and to make sure they can access, correct, or delete it at any time they want. We recognize, however, that protecting customer data is a global burden, and nearly impossible for small businesses to manage on their own. We can help! We want to make sure you are DPA compliant. For more information on how you can be DPA compliant, please contact us today at