~ The Unsolicited SMS: A Nuisance for Consumers, A Liability for Business ~

The Briefing

As a data privacy practice, we view an unsolicited marketing text differently than most. Where a consumer sees a daily nuisance, and a commercial team sees a routine campaign, we see the inception of a complex, highly punitive legal dispute. We have all experienced it. You pay for a meal via M-Pesa, or you leave your number for a digital receipt. Days later, your phone pings with a promotional offer you never asked for.

Historically, consumers simply ignored these messages. But the landscape has fundamentally shifted. Armed with the Data Protection Act and an aggressive enforcement mandate by the Office of the Data Protection Commissioner (ODPC), individuals are realizing their power. Recent ODPC determinations against prominent brands like CJ’s Limited and Pepino’s Pizza illustrate a stark reality: What businesses consider standard marketing is frequently classified as unauthorized data processing.

Whether you are an individual tired of your personal data being exploited, or an organization suddenly staring down a regulatory complaint, the rules of engagement have changed.

For the Consumer: Turning Annoyance into Accountability

If you are receiving marketing messages you did not explicitly sign up for, your statutory rights are likely being violated.

The law is clear: a financial transaction does not equal consent for marketing. If a business harvests your number from an M-Pesa payment and repurposes it to sell you products, they are engaging in unlawful processing.

Many individuals feel powerless, assuming a single text message is not worth the hassle of a legal fight. But recent ODPC determinations prove that the "little guy" has the upper hand. Essentially:

  • You do not have to prove that you didn't consent. The law forces the corporation to prove that you did. If they cannot produce a time-stamped, specific record of your agreement, they lose. Consent must be "express, unequivocal, free, specific, and informed".

  • Companies cannot force you to jump through hoops to stop their messages. In the Pepino's case, the business argued that a customer could simply email their support team to opt out. The Complainant successfully countered that this was unduly burdensome, and that the law requires a clear, visible, and accessible opt-out mechanism directly within the promotional message itself.

  • If your data rights have been infringed, you have the legal standing to file a complaint with the ODPC and seek financial redress. Recent penalties awarded to individuals for unsolicited SMS marketing have ranged from KES 75,000 to KES 250,000.

  • Apologies Are Not Enough: When caught, companies often try to quietly delete your data, issue a PR apology, or offer a token gift. The ODPC's position, however, is that apologies are not enough.

Your Next Steps: Do not delete the text message. Take a screenshot, document the dates, and contact our litigation team. We help individuals elevate their grievances from a silent frustration to a formal, legally binding action, ensuring corporations pay the price for exploiting their personal data.

For the Enterprise: The Ticking Regulatory Time Bomb

If you are a business owner or corporate director, you cannot afford to rely on outdated marketing playbooks. The ODPC is looking strictly at the letter of the law, and internal operational assumptions are failing under regulatory scrutiny. When we audit enterprises, we see two massive compliance traps that recently cost CJ's and Pepino's dearly:

  1. Many businesses assume they are protected because their website has a privacy policy stating that customer data may be used for marketing. The ODPC has effectively dismantled this defense for physical retail stores. In the recent Pepino's determination, the Complainant successfully argued that as a walk-in customer paying via M-Pesa, he had no legal obligation to hunt down a privacy policy hidden on a website. Relying on undisclosed terms that were never brought to the customer's attention at the point of sale is improper and legally void. Consent must be a clear, affirmative action.

  2. When an aggrieved consumer complains, many organizations attempt to handle it internally. In the case of CJ's Limited, the company did everything that a traditional PR playbook suggests: They immediately stopped the messages, deleted the user's data, issued a formal apology, and even offered a KES 10,000 dining voucher as a goodwill gesture. They also implemented new staff training and consent-based controls.

The ODPC's response? While these actions mitigated the severity of the breach, they did not absolve the company of liability. By the time a complaint is filed, you are no longer managing a marketing glitch but are defending against a statutory breach. An after-the-fact operational fix will not stop a regulatory penalty.

Where We Step In

Data privacy disputes require a forensic understanding of both digital architecture and statutory frameworks.

  • For Individuals: We help elevate your grievance from a silent frustration to a formal, legally binding action, ensuring corporations are held accountable for exploiting your personal data.

  • For Businesses: We provide crisis management and robust defense when you are facing regulatory scrutiny. More importantly, we offer the strategic counsel needed to audit your data flows and rebuild your commercial operations so that your marketing engines are legally sound before the ODPC comes knocking.

The price of a text message or email has never been higher. Whether you need to enforce your rights or defend your enterprise, the time to seek top-tier legal counsel is now.

Connect with our Data Protection and Privacy Team to enforce your data rights, or to audit your systems and safeguard your business against liability.

                ~Published on 9 April 2026~