Kenyans registering new SIM cards may soon face unprecedented data collection requirements under the Communications Authority of Kenya’s (CA) proposed 2025 regulations.
The new rules would compel subscribers to provide highly sensitive personal information, including DNA, blood type, and detailed biometric markers. Mobile operators would also be required to maintain comprehensive subscriber databases and submit them quarterly to the regulator.
Critics have raised concerns that the regulations conflict with Kenya’s Data Protection Act, which emphasises data minimisation and collecting only information that is necessary and relevant.
The collection of genetic and biometric data exposes subscribers to significant privacy risks.
The regulations, which carry penalties of up to Sh1 million or six months’ imprisonment for non-compliance, place operators in a difficult position. They must balance the high cost of compliance with the risk of eroding customer trust.
Service providers argue that outsourcing sensitive identity management functions to private companies without clear safeguards could create additional vulnerabilities.
The telecom, fintech and banking sectors have historically promoted data minimisation to build customer trust. Banks often mask credit card digits, and fintechs anonymise user information whenever possible.
Mobile money providers like Safaricom and Airtel have tried to limit data exposure through features that conceal phone numbers during transactions, although regulatory restrictions have hindered full implementation.
CA’s new approach represents a sharp shift in industry norms, potentially undermining years of privacy-focused practices.
Operators now face the dual challenge of adhering to strict compliance requirements while safeguarding the confidentiality and security of subscriber data.