
Deceptive Data Harvesting Tricks

“Exploiting Gaps under the Data Protection Act in Kenya”?


Njoki Kimemia, Legal and Data Protection, South-End Tech Limited

The Kenya Data Protection Act outlines principles for lawful data processing, including consent, purpose limitation, and data subject rights. However, despite these efforts, local and global entities still use deceptive practices and tricks to harvest personal data from Kenyans.

This blog provides examples of deceptive practices and entities using trickery to harvest personal data.

1. SIM Card Registration: One notable case in Kenya involves the deceptive measures employed during SIM card registration. In an attempt to combat cybercrime and terrorism, the Kenyan government required citizens to link their SIM cards to their National Identification Numbers (NINs). However, concerns arose when it was discovered that agencies involved in the registration process were collecting additional personal data beyond what was necessary, infringing on individuals’ privacy rights.

2. National Integrated Identity Management System (NIIMS), aka ‘Huduma Number’: Huduma Number, a national identification system in Kenya, has raised concerns regarding data protection practices. The system requires citizens to provide sensitive information, including biometric data, in exchange for a unique identification number. However, it has been reported that the government has been unlawfully collecting and sharing citizens’ data without obtaining their consent. Furthermore, there have been concerns that the system could be used for political profiling, monitoring, and even voter manipulation.

3. Facebook and Cambridge Analytica: The infamous Facebook-Cambridge Analytica scandal serves as a vivid example of the consequences of deceptive data practices. Cambridge Analytica, a political consulting firm, exploited Facebook’s lax data collection policies to harvest the personal data of millions of users without their consent. This case not only highlighted the lack of transparency in data collection but also the potential for misuse and abuse of personal information.

4. Worldcoin: Worldcoin is a digital currency platform that aims to provide financial inclusion for everyone, especially those without bank accounts. However, the platform has come under fire for its data collection practices. Worldcoin asks users to provide sensitive personal information, including government-issued IDs, social security numbers, and even facial scans, under the guise of “know your customer” (KYC) regulations. This information is then stored and processed by Worldcoin, posing a risk to users’ privacy and security.

5. YouTube: YouTube is under investigation in the USA after back-to-back reports allegedly showed that it is still targeting personalized ads on videos “made for kids.” YouTube is under the Federal Trade Commission’s (FTC) consent decree requiring Children’s Online Privacy Protection Act (COPPA) compliance after already being hit with a $170 million penalty in 2019 for violating the child privacy law.

YouTube collects data related to your interactions with Google Search and other websites that you visit on the World Wide Web. It also collects the personal information that you give when you register an account, such as your name, email address, and contact number. It collects data about your geographic location and may use things like sensors, GPS, and your IP address to do so. It then uses the information it has about you to display relevant ads. So if you type in recipes for cakes, it may display ads about bakery equipment.

Implications and Addressing Deceptive Measures

These cases raise concerns about the enforcement of data protection laws in Kenya in the face of deceptive means of data collection and processing. While the country does have the Data Protection Act, which regulates the processing of personal data, it has not been effectively enforced, and data protection practices remain lax. As a result, citizens face a significant risk of their sensitive personal data being collected, processed, and potentially misused without their knowledge or consent.


While the Data Protection Act provides a legal framework, stricter monitoring and accountability are required to ensure compliance and deter deceptive practices. A comprehensive approach involving the Office of the Data Protection Commissioner, awareness campaigns, and penalties for non-compliance is crucial to address these concerns.

Data protection laws play a crucial role in maintaining individuals’ privacy and countering deceptive measures in data collection and processing. While Kenya’s Data Protection Act is a step forward, further enhancements are needed to address the deceptive practices observed in certain instances, as demonstrated by real-life cases. Drawing insights from GDPR can provide Kenya with a roadmap towards fostering a more transparent and ethical data culture, ultimately protecting the rights and privacy of its citizens.

Please do not hesitate to contact us for your Data Protection Solutions and Service needs by telephone at +254115867309 or +254721864169, or email
