Valid and Informed Consent in Data Protection

Recent ODPC penalty notices have highlighted a recurring compliance gap: processing personal data without proper consent. This article explains what “valid and informed consent” means under Kenya’s data protection regime, using real enforcement examples. It also sets out practical safeguards for organisations, especially in digital lending, marketing and customer communications.

Author: Masara Gecheo

Article Overview

This insight explains why valid, informed consent is becoming a key compliance issue under Kenya’s data protection regime, using recent enforcement actions by the Office of the Data Protection Commissioner (ODPC) as practical examples. 

It highlights how consent failures can arise through misuse of third-party data, unauthorised use of images, and publishing children’s photos without parental consent. 

The article then links consent to real-world consumer environments, especially digital lending, emphasising data minimisation, clear disclosure of terms, documented consent, and fair handling of changes to charges or credit terms through notice and opt-in acceptance.

Key takeaways

  • ODPC enforcement signal: three penalty notices were issued to organisations for consent failures, including a lender using third-party information to send threatening communications, an establishment using a person’s image without consent, and an institution posting children’s photos without parental consent.
  • Consent and lending risks: the piece notes frequent allegations against some lending platforms for threatening borrowers and violating privacy and dignity in recovery efforts, underscoring the need for lawful processing and consent discipline.
  • Data minimisation: only collect limited information necessary for the stated purpose (for example, creditworthiness assessment).
  • Transparency to consumers: consumers should be able to access statements of transactions and an information document setting out benefits, risks, and terms on request, and receive terms and conditions before disbursement.
  • Notice and acceptance rule: no term should be altered without a 30-day notice, and charges or credit terms should not be increased without notice plus acceptance by the consumer.
  • If a consumer declines revised terms: suggested good practice is to let the facility run on original terms until maturity, offer renewal under new terms on an opt-in basis, or allow early settlement without penalty where changes are materially adverse.
  • Documentation controls: provide a side-by-side summary of changes and cost impact, keep acknowledgements in a consent log, confirm choices in writing, and avoid any conduct that could be construed as coercive.
  • Fairness safeguards: declining new terms should not trigger hidden fees or adverse reporting, and there should be a clear escalation route for unresolved issues (complaints desk then regulator).
  • Compliance note: the article flags that oversight and reporting obligations can be burdensome, especially where timelines are not clearly predictable, increasing the importance of consistent record-keeping and governance.

About the author

Masara Gacheo is an Associate at Rachier & Amollo LLP. In this insight, she uses ODPC enforcement examples to illustrate what valid consent requires in practice and outlines practical steps for organisations, particularly in consumer-facing sectors, to strengthen transparency and documented consent.