NAIROBI, KENYA – The Communications Authority of Kenya (CA) on Tuesday, November 18, 2025, confirmed that Kenyans will not be required to provide biometric data for new SIM card registrations, putting an end to public anxiety over potential privacy infringements. The clarification addresses widespread concerns that recently published regulations would mandate the collection of sensitive personal information, such as fingerprints, DNA samples, or retinal scans.

In a statement, the CA asserted that fears regarding mandatory biometric data collection are "unfounded." The regulator clarified that while the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, include a broad definition of biometric data, this does not compel mobile network operators to collect it. The defined data includes fingerprints, DNA, blood type, earlobe geometry, retinal scans, and voice recognition. However, the CA emphasized, "The Authority has not directed our licensees to collect this data."

Purpose of the New Regulations

The updated regulations, which were published in May 2025, are primarily aimed at enhancing the security and integrity of Kenya's digital ecosystem. The CA stated the rules are designed to combat SIM-related fraud, identity theft, and other criminal activities that have become more prevalent with the growth of digital services. By ensuring every SIM card is registered to a verified individual, the authority aims to bolster trust in essential services like mobile money, e-government platforms, and e-commerce.

The move is part of a broader strategy to protect consumers from persistent issues such as spam messages, unauthorized subscriptions, and the misuse of personal phone numbers. The regulations empower operators to suspend services for subscribers who provide false information or repeatedly fail to comply with registration requirements, but only after issuing prior notice.

Data Protection and Operator Obligations

Addressing data privacy concerns, the CA reiterated that all subscriber information must be handled in strict compliance with the Kenya Information and Communications Act of 1998 and the Data Protection Act of 2019. Mobile operators are prohibited from sharing customer data without explicit consent or a lawful order.

The CA, in collaboration with the Office of the Data Protection Commissioner, will conduct regular audits to ensure compliance and will impose significant penalties for any misuse of customer data. This oversight is intended to build public confidence that personal information gathered during registration will be securely managed.

Legal and Regulatory Context

The confusion among the public stemmed from the technical language in the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025. While the legal text defined various forms of biometric data, the CA's recent statement clarifies that this was for legal scope rather than an instruction for collection. The primary requirement for registration remains the verification of identity documents against government databases.

The regulations also introduce other significant changes, including allowing refugees with valid identification to register SIM cards, a move seen as promoting digital inclusion. Furthermore, parents or guardians can register SIM cards for minors, with the requirement that the child re-registers in their own name upon turning 18. Telecommunication companies like Safaricom, Airtel, and Telkom Kenya are now tasked with ensuring all existing subscribers comply with these updated verification standards.

This clarification from the Communications Authority provides much-needed certainty for millions of Kenyan mobile subscribers, reaffirming that while security measures are being tightened, the collection of sensitive biometric data is not part of the current regulatory framework.