Kenya data protection / connectivity rights

Kenya's ICT Consumer Regulations Mandate Automatic Outage Refunds and Give the Regulator a Veto Over Service Shutdowns

Kenya's 2026 ICT consumer rules are a substantive upgrade — but the mandatory regulator approval for service exits needs a binding response timeline to avoid chilling investment.

Kenya ICT Consumer Protection: Key Numbers People of Internet Research · Kenya 58.5M Kenya data subscribers Active data subscriptions as of Q4… 78.2% Mobile broadband share Share of data subscriptions using … KSh 1M Max fine per violation Maximum penalty under 2026 Consume… ~11.5M Safaricom breach exposure Estimated subscribers exposed in l… peopleofinternet.com

Key Takeaways

On 1 July 2026, Kenya's Information and Communications (Consumer Protection) Regulations, 2026 came into force, replacing a framework last updated in 2010. Issued jointly by the Cabinet Secretary for Information, Communications and the Digital Economy and the Communications Authority of Kenya (CA), the rules cover every licensed telecom operator, internet service provider, and broadcaster in the country. Three provisions define the new regime: a mandatory automatic outage credit system, a three-month notice plus CA approval requirement before any service can be discontinued, and a formal alignment between subscriber data handling and the Data Protection Act, 2019.

What the Regulations Require

The outage compensation rule is the most commercially significant change. Every ISP and telecom must implement a credit system — either automatic or available on subscriber request — compensating customers whenever service fails for reasons within the provider's control. Force majeure events such as natural disasters or severed submarine cables are explicitly excluded. The credit system must receive CA approval before deployment and must be written into subscriber agreements.

The service-shutdown clause is the most structurally unusual provision. Any licensee seeking to discontinue a service must first obtain the CA's approval, then give affected subscribers at least three months' written notice explaining the reason, the effective date, and available alternatives, including penalty-free termination and refunds of unused balances or deposits.

On data consent, the regulations require full compliance with the Data Protection Act, 2019, meaning subscriber information may only be shared with explicit consent, under lawful authority, or where strictly necessary to deliver the service. Providers must disclose the purposes of data collection, identify third parties that may receive data, and offer opt-out mechanisms for marketing communications. Breaking any of these rules is now a criminal offence, carrying a fine of up to KES 1 million, up to six months' imprisonment, or both. Licensees have three months from the 1 July effective date — until approximately October 2026 — to achieve full compliance.

The Consumer Case Is Genuine

The strongest argument for these rules is not abstract. Kenya has 58.5 million active data subscriptions and 73.2 million mobile subscribers, a penetration rate of 139.7 per cent. For tens of millions of people, a mobile connection is not a luxury — it is the primary channel for banking, healthcare information, e-commerce, and government services. When that connection fails without compensation, real economic harm falls on users who have no straightforward legal recourse under the previous 2010 framework.

The data consent requirements are similarly grounded in recent reality. In Constitutional Petition E095 of 2026, Kenya's High Court awarded KSh 9.9 million to eleven petitioners after finding that Safaricom staff had extracted and sold subscriber data to third parties, including betting firms — a breach estimated to have exposed approximately 11.5 million subscribers. The court grounded liability directly in the Constitution's Articles 31 and 46, establishing that corporate data controllers carry a non-delegable duty they cannot attribute to individual rogue employees.

Against that backdrop, embedding DPA 2019 compliance into the telecommunications licence regime is a logical step. The Data Protection Act already imposes consent requirements and enforcement powers on data controllers; the 2026 regulations close the gap by making DPA compliance a licence condition with its own dedicated criminal sanction.

Where the Regulatory Design Raises Questions

The more challenging provision is the mandatory CA approval before service shutdown. The consumer protection rationale is clear: subscribers who depend on a regional or niche ISP should not be stranded overnight when that provider exits. But the structural implication is that the CA becomes a gatekeeper of market exit — and markets that are hard to exit tend to become harder to enter.

Smaller ISPs and rural connectivity providers operate on thin margins in a competitive sector where mobile operator revenue reached KSh 425.5 billion in financial year 2024/25. If the CA does not process exit applications promptly and predictably, operators facing commercial distress may find themselves legally obligated to continue running an unprofitable service while creditors and investors wait. That is a risk factor that infrastructure funds and development-finance institutions will price into their cost of capital for early-stage or underserved-area connectivity projects — exactly the projects Kenya most needs.

The 2026 regulations do not specify how quickly the CA must decide on a shutdown application, nor do they establish an appeals channel if approval is withheld or conditions imposed. These are not minor implementation details. Nigeria's Nigerian Communications Commission, which introduced its own mandatory outage-compensation framework for mobile operators in early 2026, has faced similar criticism for lacking published timelines on regulatory decisions — a gap that has generated uncertainty among operators in that market.

The three-month consumer notice period is proportionate and consistent with comparable requirements in the EU's Electronic Communications Code. It should, however, be paired with a statutory obligation on the CA to decide shutdown applications within a defined window — thirty to sixty days is a reasonable benchmark — and a deemed-approval provision if the Authority fails to act within that period.

A Framework Worth Completing

The 2026 Consumer Protection Regulations represent a genuine upgrade to Kenya's ICT consumer rights architecture. Automatic outage credits, DPA 2019 alignment, and structured service-exit procedures are proportionate responses to documented market failures. Kenya's mobile sector is large enough, and competitive enough, that operators can absorb clear and predictable consumer obligations without material harm to investment.

What the framework still requires is the second half of the contract: procedural timelines that bind the regulator as well as the regulated. Consumer protection rules that create open-ended regulatory discretion at market exits will, over time, reduce the investment appetite that made Kenya's connectivity infrastructure worth protecting in the first place. Getting the shutdown-approval mechanism right before October's compliance deadline matters — not just for the companies, but for the consumers the regulations are designed to serve.

Sources & Citations

  1. CA Sector Regulations — Communications Authority of Kenya
  2. Kenya Telecom Sector Statistics FY2024/25 — Communications Authority of Kenya
  3. Kenya Data Protection Act 2019 — Kenya Law
  4. Data Protection Laws in Kenya — ODPC
  5. Kenya ICT Consumer Protection Regulations 2026 — TechWeez
  6. Safaricom KSh 9.9M Data Breach Ruling — Techweez