Ksh 250,000 for a Text Message: The Ruling That Redefined Data, Consent, and Power in Kenyan Business

By Steve Biko Wafula · December 31, 2025 09:12 am

A single promotional text message has quietly become one of the most expensive lessons in Kenyan business this year. In a decisive ruling, the Office of the Data Protection Commissioner (ODPC) ordered Pepinos Pizza Inn to pay KSh 250,000 for violating a customer’s data privacy rights by sending unsolicited marketing messages without proper consent. The decision may appear modest in monetary terms, but its implications for businesses across Kenya are profound, far-reaching, and unavoidable.

At the heart of the case was a simple but powerful question: when does a customer give consent? Pepinos argued that consent was implicitly obtained during a routine M-PESA transaction. This defence mirrors a widespread business assumption in Kenya—that once a customer pays, their data becomes fair game for future engagement. The ODPC firmly rejected this logic, drawing a clear boundary between transactional necessity and commercial exploitation.

The ruling clarified that consent under the Data Protection Act must be express, free, specific, informed, and unequivocal. A payment process designed to complete a transaction should not also serve as a permission slip for advertising. By collapsing these two ideas into one, Pepinos crossed a legal line that many businesses have unknowingly straddled for years.

More importantly, the ODPC found that the restaurant failed to disclose the purpose for which the customer’s data would be used, violating Section 26(a) of the Act. Consent is not merely about saying “yes” or “no”; it is about understanding what one is agreeing to. If a customer is not clearly told that their phone number will later be used for promotional messaging, then no valid consent exists, regardless of how convenient the business process may be.

The ruling also faulted Pepinos for unlawful commercial use of personal data under Section 37, reinforcing the principle that marketing is not a neutral activity. It is a commercial act with legal consequences. Data collected for one purpose—processing a payment—cannot be silently repurposed for another. Purpose limitation is no longer a theoretical concept buried in legislation; it is now an enforceable business reality.

Perhaps most damaging to the defence was the absence of a clear and user-friendly opt-out mechanism. Even if consent had been arguable, the failure to provide customers with an easy way to stop receiving messages compounded the violation.

The ODPC’s position was unequivocal: direct marketing without proper consent and meaningful control by the data subject is unlawful, full stop.

This case marks a turning point for Kenyan businesses, especially small and medium enterprises that have historically assumed they operate below the regulatory radar. The regulator has now demonstrated that enforcement is not reserved for banks, telcos, or big tech. Restaurants, retailers, online sellers, and startups are all data controllers, and all are equally accountable.

For the business community, the ruling reframes data from a casual operational by-product into a regulated asset. Customer databases, phone numbers, email lists, and transaction logs are no longer just marketing tools; they are legal responsibilities.

Poor data governance now carries financial penalties, reputational damage, and operational risk.

The broader debate this decision ignites is one of convenience versus rights. Many businesses will argue that strict consent requirements slow down commerce and raise costs. Yet the counterargument is increasingly compelling: trust is now part of the product. Customers who feel respected, informed, and in control of their data are more likely to engage, return, and recommend.

In a market saturated with spam calls and unsolicited texts, this ruling also aligns business practice with consumer fatigue. The law is catching up with public sentiment, and businesses that continue to rely on aggressive, assumption-based marketing strategies are positioning themselves on the wrong side of both regulation and reputation.

Ultimately, Pepinos Pizza Inn did not just lose KSh 250,000. It lost a long-standing illusion—that customer data is free, reusable, and consequence-free. The ODPC has made it clear that in Kenya’s evolving digital economy, data is borrowed, not owned, and permission is not implied.

For businesses willing to adapt, this ruling is not a threat but a blueprint. Clear disclosures, explicit consent, simple opt-outs, and purpose-driven data use are no longer compliance luxuries; they are competitive necessities. The age of casual data use is over, and Kenyan commerce has officially entered the era of accountable growth.

Steve Biko is the CEO of Soko Directory and the founder of Hidalgo Group of Companies. Steve is currently developing his career in law, finance, entrepreneurship and digital consultancy, and has been implementing consultancy assignments for client organizations comprising training as well as capacity building in entrepreneurial matters. He can be reached on: +254 20 510 1124 or Email: info@sokodirectory.com
