NAIROBI, KENYA – The Communications Authority of Kenya (CA) on Tuesday, November 18, 2025, moved to quell public anxiety, stating unequivocally that it has not directed telecommunications operators to collect DNA, fingerprints, or any other sensitive biometric data from subscribers for SIM card registration. The clarification follows widespread concern and media reports suggesting that revised regulations would mandate the submission of highly personal biological information.

In a detailed statement, the regulator described these fears as "unfounded," explaining that a misunderstanding arose from the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, which were published in May 2025. The confusion appears to have stemmed from a section of the regulations that provides a broad legal definition of "biometric data." This definition includes terms such as "blood typing, DNA analysis, fingerprints, earlobe geometry, retinal scans, and voice recognition."

However, the CA clarified that the inclusion of this definition is for legal scope and does not constitute a directive for collection. “The New Sim Card Regulations do not contain any provision for the collection of biometric data,” the authority stated emphatically. “This definition does not mean that all this information will be collected from subscribers during SIM card registration. As a matter of fact, the Authority has not directed our licensees to collect this data.”

So What for Kenya? The Push Against Digital Fraud

The primary objective of the updated regulations, according to the CA, is to enhance the security and integrity of Kenya's burgeoning digital ecosystem. The rules are designed to protect Kenyan citizens from a rising tide of SIM-related crimes, including financial fraud, identity theft, SIM-boxing, and impersonation, which have become increasingly prevalent with the growth of mobile money and other digital services. By ensuring every registered SIM card is linked to a verified individual, the CA aims to make it more difficult for criminals to operate anonymously.

The clarification comes after draft regulations, which are open for public comment until January 31, 2026, sparked significant backlash from privacy advocates and the public. Critics had warned that compelling telcos like Safaricom, Airtel, and Telkom Kenya to collect and store such sensitive data would create unprecedented privacy risks and could turn Kenya into a state of genetic surveillance. Concerns were also raised about the capacity of private companies to securely manage vast databases of sensitive biological information, which is classified as “sensitive data” under Kenya's Data Protection Act of 2019.

Data Protection and Consumer Rights

In its Tuesday statement, the CA sought to reassure the public that data protection remains a cornerstone of the new regulations. The authority affirmed that all subscriber information must be handled, processed, and stored securely in accordance with the Kenya Information and Communications Act (1998) and the Data Protection Act (2019). Mobile network operators are explicitly prohibited from sharing customer data without consent or a legitimate legal order.

The CA also stated it would work jointly with the Office of the Data Protection Commissioner (ODPC) to conduct regular audits and impose significant penalties for any misuse of customer information.

The regulator also addressed rules around service suspension, clarifying that operators can only suspend a SIM card after providing prior notice to the subscriber. Such action is permissible only when a user provides false information or repeatedly fails to comply with registration requirements. This includes a provision requiring children to update their registration with their own ID within 90 days of turning 18.

Acknowledging widespread public frustration with spam messages, unsolicited subscriptions, and the misuse of phone numbers for premium-rate scams, the CA confirmed these issues are a priority. The enhanced SIM registration framework is part of a broader strategy to protect consumers and improve accountability across all mobile networks.