Kenya Kenya data protection authority ODPC

Kenya's Data Registration Enforcement Push Lands the Same Month Betting Operators Face a Separate KES 60 Million Licensing Bill

ODPC's registration directive is legally sound, but its timing next to new gambling licensing fees shows Kenya lacks a coordinated compliance calendar.

Kenya's Data Registration Squeeze People of Internet Research · Kenya KES 5M Max ODPC fine Or 1% of annual turnover, whicheve… KES 60M Online gambling license cost Application + license + annual fee… KES 4K–40K ODPC registration fee range Scaled by employee count and turno… 2022 Year of first ODPC fine Oppo Kenya fined the maximum KES 5… peopleofinternet.com
Kenya's Data Registration Squeeze People of Internet Research · Kenya KES 5M Max ODPC fine KES 60M Online gambling license cost KES 4K–40K ODPC registration fee range 2022 Year of first ODPC fine peopleofinternet.com

Key Takeaways

The Office of the Data Protection Commissioner (ODPC) has told every data controller and processor operating in Kenya to register with it or risk a fine of up to KES 5 million — or 1% of annual turnover, whichever is lower, the ceiling set by Section 63 of the Data Protection Act, 2019. A June 8 explainer followed, walking businesses through fee tiers and confirming which sectors must register regardless of size, gaming and betting operators chief among them.

This is not a new law. Registration has been mandatory since the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 took effect on July 14, 2022. What's changed is enforcement posture: the ODPC is now naming penalties in the same breath as the registration deadline, and it has the track record to back the threat. In December 2022 it fined Oppo Kenya the full KES 5 million after the phone maker used a data subject's photograph on Instagram without consent — the first penalty imposed under the Act, and proof the maximum fine isn't theoretical.

The Case For the Directive

The strongest argument for a hard registration push is straightforward: a regulator can't supervise what it can't see. Kenya's data economy has grown fast — mobile money, digital lending, biometric SIM registration, and a betting sector that processes payment and identity data on millions of users daily. Without a registry, the ODPC has no baseline of who is processing what, at what scale, or where the data ends up. The registration regulations require controllers to disclose the categories of personal data handled, whether sensitive data is involved, cross-border transfers, and the technical safeguards in place — information a regulator needs before it can prioritize inspections or respond to breach complaints. Given real, adjudicated harms already on the books (Oppo's unauthorized use of a customer photo, among others), the case for a working registry isn't hypothetical.

Where the Timing Breaks Down

The problem isn't the registration mandate itself — it's that the ODPC is enforcing it in isolation from everything else Nairobi is asking regulated businesses to do simultaneously. Gaming and betting operators are the clearest case. On June 30, 2026, the Gambling Regulatory Authority gazetted the Gambling Control (Licensing) Regulations, 2026, which set a KES 5 million application fee, a KES 50 million license fee, and a KES 5 million annual operating fee for online bookmakers and casinos — KES 60 million in first-year licensing costs before a single bet is taken, on top of minimum capital requirements of KES 100–150 million. The same operators are now told, in the same month, that skipping ODPC registration risks a further KES 5 million fine. Each requirement is defensible on its own terms. Stacked without coordination, they read less like a coherent regulatory strategy and more like two agencies independently reaching the same conclusion — hit betting operators — without checking what the other was doing.

The fee schedule for ordinary businesses is more proportionate on paper: the ODPC charges micro and small entities (under KES 5 million turnover, fewer than 50 staff) just KES 4,000 to register, scaling to KES 40,000 for large firms above KES 50 million turnover. That tiering is sensible design — it doesn't charge a corner shop the same as a bank. But the mandatory-sector list bypasses the tiering entirely: telecoms, health, education, financial services, credit bureaus, and betting operators must register regardless of revenue or headcount, meaning a small licensed betting shop with five employees carries the same registration obligation as a multinational bank, even before the sector-specific GRA fees land on top.

A Penalty Regime About to Get Sharper

The stakes are also about to rise. The Data Protection (Amendment) Bill, 2025 would strike the word "lower" from Section 63 and replace it with "higher" — meaning the ODPC's cap would shift from KES 5 million or 1% of turnover, whichever is smaller, to whichever is larger. For a large firm, that turns a capped, predictable ceiling into a fine that scales uncapped with revenue. That's a defensible modernization if Kenya's fines have genuinely been too small to deter large processors — GDPR-style penalties abroad routinely reach far higher percentages of turnover. But it should not move forward in the same legislative session as an aggressive registration enforcement drive without the ODPC first publishing clear, risk-based enforcement guidance, so businesses know registration lapses won't be treated the same as willful, large-scale data misuse.

The Fix Is Coordination, Not Retreat

None of this argues against registration as a policy. It argues for sequencing. Kenya's regulators would serve both compliance and investment goals better by publishing a single consolidated compliance calendar across ODPC, GRA, and sector regulators, so a betting operator (or bank, or telco) can see its full annual regulatory bill in one place rather than discovering overlapping deadlines sector by sector. A registry that works is worth building. A registry enforced as one more surprise bill in a crowded compliance year mostly teaches operators to budget for fines rather than trust the process.

Sources & Citations

  1. Kenya Data Protection Act, 2019 — Section 63 (Kenya Law)
  2. ODPC — Registration FAQs
  3. ALN Africa — ODPC's first fine under the Data Protection Act
  4. CM Advocates — Gambling Control (Licensing) Regulations 2026
  5. Wamae & Allen — Summary of the Data Protection (Amendment) Bill, 2025