Data Monetization and Commercial Use of Personal Data
Any company holding a large dataset of Kenyan customers, whether transaction histories, location data, or browsing behaviour, cannot simply decide to sell or license that data for profit. Kenya’s Data Protection Act, 2019, treats commercial use of personal data as a restricted activity requiring a specific legal basis, not something that follows automatically from having lawfully collected the data in the first place. For fintech, telco, retail, and adtech businesses sitting on valuable datasets, understanding exactly where that line sits is a live commercial question, not an abstract compliance exercise.
The Core Restriction
Section 37 of the Data Protection Act, 2019 prohibits using personal data for commercial purposes unless the person has either sought and obtained express consent from the data subject, or is authorised to do so under written law and the data subject was informed of that use at the point of collection. Where personal data is used for commercial purposes, the controller or processor must, where possible, anonymise the data so that the data subject is no longer identifiable. The Cabinet Secretary, in consultation with the Data Commissioner, is empowered to prescribe further practice guidelines on commercial use.
This matters most acutely for sectors where personal data has obvious secondary commercial value: mobile money transaction histories, telecom usage patterns, retail loyalty programme data, and location data from ride-hailing or delivery apps are all examples where a company holding the data may see monetisation potential well beyond the original purpose for which the data was collected. It is precisely that gap between original purpose and secondary use that section 37 targets.
Breach of this restriction falls under the Act’s general penalty provision: a fine not exceeding Kshs 3,000,000, or imprisonment not exceeding 10 years, or both.
What Counts as Commercial Use
The Data Protection (General) Regulations, 2021 give the restriction operational teeth in Part III, titled Restrictions on the Commercial Use of Personal Data. A data controller or processor is considered to use personal data for commercial purposes where that data is used to advance commercial or economic interests, including inducing another person to buy, rent, or lease something. This is a deliberately broad test: targeted advertising, data-driven lead generation, and third-party data licensing for marketing purposes all fall within it, not just an outright sale of a dataset.
Two categories are excluded from direct marketing use entirely, regardless of consent mechanics: sensitive personal data and personal data belonging to minors. A company cannot cure the restriction on marketing with children’s data or sensitive categories (health, biometric, genetic, financial account details, and similar) simply by obtaining consent; the Regulations treat these as off-limits for direct marketing use as a category, not as a consent-dependent question.
Notice, Opt-Out, and a Separate, Lighter Penalty Track
Where direct marketing using personal data is permitted, the Regulations require prior notice to the data subject of the intended commercial use, and the data subject retains the right to object. Any opt-out mechanism must be simple, easily understandable, and placed somewhere conspicuous and easily visible; a buried unsubscribe link or a multi-step opt-out process would likely fail this standard. A data subject may also make a standing request to restrict a controller or processor from disclosing their personal data to third parties for direct marketing purposes.
Notably, the Regulations attach a separate, considerably lighter penalty specifically to non-compliant direct marketing conduct: a fine not exceeding Kshs 20,000, or imprisonment not exceeding six months, or both, distinct from the Act’s general Kshs 3,000,000 penalty. This creates a two-tier enforcement structure worth understanding precisely: a marketing-specific consent failure may be prosecuted under the lighter Regulations penalty, while broader unauthorised commercial exploitation of personal data outside the marketing context sits under the Act’s heavier general penalty. Which track applies is a fact-specific question, and companies should not assume the lighter figure caps their exposure for anything beyond the narrow direct-marketing scenario the Regulations describe.
Data Localisation and Cross-Border Monetisation
A business model built on licensing Kenyan user data to an offshore analytics or advertising partner runs into a second, separate constraint: cross-border transfer rules. Before moving personal data out of Kenya, a transferring entity must confirm that the transfer rests on appropriate safeguards: either a binding legal instrument providing protection essentially equivalent to the Act, inclusion on the Data Commissioner’s published list of adequate jurisdictions, or a necessity-based exception under section 48(c) of the Act.
Separately, for specified categories of processing (civil registration and legal identity systems, election administration, public finance administration systems, protected computer systems under the Computer Misuse and Cybercrimes Act, basic education, and primary or secondary healthcare), the Regulations require that at least one serving copy of the personal data be stored in a data centre located in Kenya, regardless of where else it is processed. The Cabinet Secretary can extend this localisation requirement to a processor operating outside Kenya where that processor has been notified of a breach or violation and failed to act, or has obstructed a Data Commissioner investigation.
Practical Implication for a Data Monetisation Strategy
A viable data monetisation model in Kenya generally needs to be built on one of two foundations: genuine anonymisation robust enough that data subjects are no longer identifiable, which takes the data outside the personal data regime entirely and removes the section 37 restriction; or a properly structured consent and notice architecture that satisfies both the Act’s consent requirement and the Regulations’ opt-out and notice mechanics. Relying on a blanket terms-of-service clause obtained at signup, without the specific commercial-use disclosure the Act requires at the point of collection, is a common but fragile basis for a monetisation programme, and is exactly the kind of gap that becomes visible only when a complaint or audit surfaces it.
Complaints and Enforcement
A data subject who believes their personal data has been used for commercial purposes without proper basis can lodge a complaint directly with the Data Commissioner, who has powers to investigate, issue enforcement notices, and refer matters for prosecution. The Data Commissioner also maintains a public register of registered data controllers and processors, updated at least every thirty days, meaning a company’s registration status and compliance history carry a degree of public visibility that pure contractual arrangements between businesses do not.
This intersects with sector-specific data handling that Kenyan regulators are already scrutinising closely. Digital credit providers and digital health platforms, both subject to their own sector regulators, are also independently bound by the DPA’s commercial-use restrictions on top of their sector-specific rules, so a data monetisation strategy layered onto a regulated fintech or health-tech product needs to satisfy both regimes simultaneously, not just the sector-specific one.
Related Reading
See our guides to digital credit provider licensing and digital health and telemedicine regulation, both sectors where DPA commercial-use restrictions apply alongside sector-specific compliance obligations.
Source: Data Protection Act, 2019 (No. 24 of 2019); Data Protection (General) Regulations, 2021 (Legal Notice 263 of 2021).
Building a data monetisation, targeted advertising, or data licensing product? Clay & Associates Advocates advises on DPA compliance architecture, consent frameworks, and cross-border data transfer structuring. Contact us to discuss your data strategy.
This article is for general information and does not constitute legal advice. Whether a specific data monetisation practice complies with the Act and Regulations depends heavily on the exact data categories, consent mechanics, and processing purposes involved, and should be assessed individually.