Kenya’s data protection watchdog has penalized Wananchi Group Limited (Zuku) Ksh500,000 for repeatedly spamming a former customer with promotional messages despite multiple requests to stop.
The Office of the Data Protection Commissioner (ODPC) ruled that Zuku violated the complainant’s privacy rights by failing to erase his personal data after he terminated his subscription. The company also ignored his right to object to marketing communications, a breach of the Data Protection Act, 2019.
Customer Complaints Ignored, Email System Dysfunctional
The complainant revealed that Zuku continued to send him unsolicited messages long after he had canceled his subscription. Despite contacting the company multiple times via phone, email, and verbal requests, Zuku failed to act.
Frustrated by the lack of response, he escalated the matter by emailing Zuku on November 16, 2024, using the official email listed on their website. However, the message bounced back as undeliverable, exposing flaws in Zuku’s customer service and data privacy policies.
The complainant argued that the continued spam messages caused him stress and inconvenience, undermining trust in Zuku’s ability to handle personal data responsibly.
ODPC: Zuku Violated Data Privacy Laws
In its ruling, the ODPC found Zuku guilty of:
- Failing to erase personal data as required under the Data Protection Act.
- Ignoring the right to object to the processing of personal data for marketing.
- Lacking an effective opt-out mechanism for customers in its privacy policy.
“The complainant contends that Zuku’s ongoing misuse of his personal data violates his rights under the Data Protection Act, 2019, including the right to data erasure and the right to opt out of marketing communications,” the ODPC ruling stated.
The watchdog further noted that Zuku’s retention of personal data without justification increases the risk of identity theft and unauthorized access.
Zuku Continued Sending Messages Even After the Complaint
Shockingly, even after the complainant filed a formal complaint with the ODPC, Zuku continued sending him marketing emails. On December 15, 2024, he received a “Service Auto Suspension Notification” email from Wananchi Group, proving that the company had ignored his request to delete his data.
The complainant provided the ODPC with evidence of repeated opt-out requests and proof that Zuku’s listed customer service email was nonfunctional.
ODPC’s Ruling: Ksh500K Fine and Data Deletion Order
After reviewing the case, the ODPC issued a landmark ruling, ordering Zuku to:
✅ Pay Ksh500,000 in compensation to the complainant.
✅ Permanently delete the complainant’s personal data from its systems.
✅ Cease all communication with the complainant immediately.
✅ Provide proof of compliance within seven days of the ruling.
Zuku and the complainant both have 30 days to appeal the ruling in the High Court of Kenya.
Key Takeaways: Stronger Data Privacy Enforcement in Kenya
This ruling sets a major precedent in Kenya’s data protection landscape, sending a strong message that companies must respect consumer privacy rights.
✅ Businesses must ensure compliance with the Data Protection Act to avoid hefty fines and reputational damage.
✅ Consumers have the right to demand data deletion and take legal action against companies that misuse their personal information.
✅ Companies must implement functional opt-out mechanisms to respect customer preferences and data privacy laws.
As Kenya tightens its data protection regulations, businesses that fail to comply could face severe penalties. For consumers, this case highlights the power of enforcing digital privacy rights and holding corporations accountable.
