Cookie Policy (Kenya)

A Cookie Policy in Kenya establishes the obligations and procedures governing the conduct it regulates.

The primary legal basis for cookie-related obligations in Kenya is the Data Protection Act No. 24 of 2019 (DPA 2019), which came into force progressively from November 2019 and whose enforcement regulations — the Data Protection (General) Regulations 2021 and the Data Protection (Complaints Handling and Enforcement) Regulations 2021 — are administered by the Office of the Data Protection Commissioner (ODPC). The ODPC, established under Section 5 of the DPA 2019, is the independent supervisory authority responsible for monitoring compliance, receiving complaints, conducting investigations, and issuing enforcement notices and penalties against data controllers and processors who fail to meet their statutory obligations.

Cookies are small data files stored on a user's device by a web browser at the request of a website. Categories commonly deployed by Kenyan business websites include strictly necessary cookies (required for core functionality such as login sessions and shopping carts), performance and analytics cookies (tracking page views and user journeys, typically via Google Analytics or similar tools), functional cookies (remembering user preferences), and targeting or advertising cookies (enabling personalised advertising via platforms such as Meta Ads, Google Ads, and LinkedIn Ads).

Section 25 of the Data Protection Act No. 24 of 2019 establishes seven principles of data processing, including the requirement that personal data be processed lawfully, fairly, and in a transparent manner. Section 32 of the DPA 2019 requires data controllers to obtain consent before processing personal data where consent is the applicable lawful basis. For cookies that process personal data — including IP addresses, device identifiers, and browsing behaviour — consent must be freely given, specific, informed, and unambiguous under Section 33 of the DPA 2019. A Cookie Policy that merely informs users of cookie usage without providing a genuine opt-in or opt-out mechanism does not satisfy the consent standard under Kenyan data protection law.

The ODPC has noted in guidance published in 2022 and 2023 that Kenyan websites are expected to implement consent management platforms (CMPs) that allow users to accept or reject non-essential cookies before those cookies are set, consistent with global best practice. While Kenya does not have a dedicated e-Privacy or cookies regulation equivalent to the EU's ePrivacy Directive, the broad scope of the DPA 2019 — covering any processing of personal data within Kenya or involving Kenyan data subjects — captures cookie-based tracking.

A Kenya Cookie Policy must be specific about the cookies actually in use. Generic policies copied from foreign jurisdictions that reference regulations, supervisory authorities, or legal concepts inapplicable to Kenya do not satisfy the transparency requirements of Section 26 of the DPA 2019, which requires data controllers to provide data subjects with specific information including the identity of the controller, the KRA PIN of the organisation, the purpose and legal basis for processing, any third-party recipients of the data, and the data subject's rights. A Data Processing Agreement with third-party analytics and advertising providers may also be required under Section 37 of the DPA 2019.

A Cookie Policy is required for any website or mobile application operated by a person or organisation that collects data from users in Kenya or about Kenyan data subjects, in the following circumstances.

A Cookie Policy is required when a website deploys any cookies beyond strictly necessary session cookies — including analytics cookies (e.g. Google Analytics, Hotjar), advertising cookies (e.g. Meta Pixel, Google Ads conversion tracking), or social media tracking pixels. The ODPC under the Data Protection Act No. 24 of 2019 treats the collection of device identifiers and browsing data through such technologies as processing of personal data requiring a lawful basis and transparent disclosure.

A Cookie Policy is needed when a company registered through the Business Registration Service (BRS) via the eCitizen portal launches an e-commerce website targeting Kenyan consumers protected under the Consumer Protection Act No. 46 of 2012 and the Competition Authority of Kenya (CAK). The Competition Act No. 12 of 2010, enforced by CAK, addresses unfair trade practices that may include deceptive online data collection.

A Cookie Policy is required when an organisation collects user data for marketing automation, email list building, or behavioural retargeting. Processing personal data for direct marketing purposes under Section 34 of the Data Protection Act No. 24 of 2019 requires specific consent and the right of the data subject to object to such processing.

A Cookie Policy is needed when a Kenyan fintech, SACCO regulated by SASRA, bank regulated by the Central Bank of Kenya (CBK), or insurance company regulated by the Insurance Regulatory Authority (IRA) maintains a customer-facing website that collects any personal data through cookies, including login session data and account activity.

A Cookie Policy is required when an organisation's website uses third-party integrations — payment gateways such as M-Pesa, PesaPal, or DPO Group; customer relationship management (CRM) platforms; or cloud analytics services — that may transfer personal data outside Kenya. Section 48 of the DPA 2019 regulates cross-border data transfers and requires that the destination country offer adequate data protection or that adequate safeguards are in place.

A Cookie Policy is needed when a non-governmental organisation (NGO) registered under the NGO Co-ordination Board launches a donor-facing website that deploys tracking technologies to monitor visitor engagement. NGOs handling personal data of Kenyan data subjects are subject to the DPA 2019 in the same way as commercial entities.

A Kenya Cookie Policy compliant with the Data Protection Act No. 24 of 2019 and ODPC guidelines must include the following essential provisions.

Identity of the Data Controller: Full legal name of the organisation, its BRS Registration Number (for companies) or KRA PIN, physical address in Kenya, and contact details for the designated Data Protection Officer (DPO) or privacy contact. Section 26(1)(a) of the DPA 2019 requires this information to be provided to data subjects as part of the transparency obligation.

Definition of Cookies: A plain-language explanation of what cookies are, how they are set by the website, and the distinction between session cookies (deleted when the browser is closed) and persistent cookies (retained for a defined period). Users unfamiliar with cookie technology must be able to understand the disclosure without technical expertise, consistent with the transparency principle in Section 25(b) of the DPA 2019.

Categories of Cookies Used: A detailed, accurate table or list of cookie categories actually deployed on the website, including: (1) Strictly Necessary Cookies — required for core site functionality, no consent needed; (2) Performance and Analytics Cookies — e.g. Google Analytics, tracking page loads and user journeys; (3) Functional Cookies — saving language preferences and login status; and (4) Targeting and Advertising Cookies — e.g. Meta Pixel, Google Ads, LinkedIn Insight Tag. Each category must state the specific cookie names where practicable, the provider, the purpose, and the retention period.

Legal Basis for Processing: For each category of cookie that involves processing of personal data, state the lawful basis under Section 32 of the DPA 2019 — consent (Section 33), legitimate interests (Section 32(1)(f)), or performance of a contract. Consent must be obtained through a functioning consent management platform before non-essential cookies are activated.

User Rights: The Cookie Policy must explain the data subject rights under the DPA 2019: the right to access personal data (Section 26(1)(e)); the right to rectification (Section 40); the right to erasure (Section 39); the right to restriction of processing; the right to data portability (Section 42); and the right to object to processing (Section 38). Users must be told how to exercise these rights and the ODPC complaint process under Section 56 of the DPA 2019.

Cookie Management Options: Instructions on how users can accept, reject, or customise cookie preferences through the website's consent management platform. Instructions on managing cookies through browser settings for major browsers (Chrome, Firefox, Safari). A statement that withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal, consistent with Section 43 of the DPA 2019.

Third-Party Cookies and International Transfers: Identification of third-party services that set cookies — Google, Meta, LinkedIn, HubSpot, Hotjar, etc. — with links to their respective privacy policies. Where personal data is transferred outside Kenya to third-party servers, state the transfer mechanism under Section 48 of the DPA 2019 — adequacy decision, standard contractual clauses, or binding corporate rules. A Data Processing Agreement under Section 37 of the DPA 2019 must be in place with each third-party processor.

Retention and Updates: State the maximum retention period for each cookie category. Commit to reviewing and updating the Cookie Policy at least annually and whenever cookie usage materially changes. Provide the date the Cookie Policy was last updated.

Contact and Complaints: Contact details of the DPO or privacy team and the process for lodging a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke. Forms-legal.com provides this Kenya Cookie Policy template as a starting point — organisations should conduct a technical cookie audit before finalising their policy to confirm the disclosure is accurate and current.