Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

Quincy Jesee Kiptoo complained that Pepinos Pizza Inn sent unwarranted promotional messages via text without his consent. The ODPC found that the mere M-PESA payment transaction did not constitute express, unequivocal consent for direct marketing. The Respondent was deemed liable for infringement of the Complainant's rights.

Facts

The Complainant, an adult male residing and working in Nairobi, alleged that the Respondent, trading as Pepino's Pizza and operating a restaurant business, unlawfully processed his personal information and began sending him unwarranted promotional messages without his consent. Specifically, the Complainant averred that he received promotional messages advertising pizza and chicken offers on his personal number on 6th March 2025, and similar messages followed on 20th and 24th March 2025.

The Complainant contended that these messages were sent without his prior consent and that the Respondent failed to obtain a lawful basis for processing his personal data, including his phone number. He further asserted that none of the promotional messages provided him with an opportunity to opt-out, withdraw consent, or object to the processing of his data for direct marketing purposes, which he considered his absolute right under the law. The continuous sending of unsolicited, intrusive promotional messages caused him undue emotional distress, anxiety, inconvenience, and disrupted his peace of mind.

The Complainant contended that consent, as defined under the Data Protection Act, must be unequivocal, free, specific, and informed, and that a mere commercial transaction (like making a purchase) cannot satisfy this threshold. He argued that he was never informed of the existence of the Respondent’s privacy policy at the time of the transaction (29th May 2022) and was unaware that the Respondent had a website, meaning he was denied a reasonable opportunity to review the policy prior to or during the transaction. Furthermore, he complained that the messages lacked a clear, visible, accessible, free of charge, and user-friendly opt-out mechanism as required by law. The Complainant sought the immediate removal and deletion of his personal details from all Respondent's platforms and monetary compensation of KES 550,000 for emotional distress, invasion of privacy, and annoyance.

The Respondent acknowledged receipt of the complaint alleging unsolicited promotional messages. The Respondent operates the website pepinospizza.co.ke, which contains a publicly accessible Privacy Policy outlining how customers’ personal data is collected, used, disclosed, and safeguarded.

The Respondent contended that the Complainant had previously engaged with its services as a paying customer. They stated that the Complainant made a dine-in order for a six-piece meal with fries on 19th May 2022, which was paid for via M-PESA. The Respondent asserted that its Privacy Policy provides that sharing one's contact information (such as through a payment transaction) implicitly consents to receiving promotional messages, including marketing offers by email, SMS, and push notifications.

The Respondent further claimed that its Privacy Policy outlines a straightforward process to opt-out of promotional communications, and the Complainant had sufficient information at his disposal to object to the processing of his personal data for marketing purposes, yet failed to exercise the opt-out options as outlined. The Respondent maintained that they had never received any formal request for data deletion or objection to direct marketing from the Complainant prior to the lodging of the complaint. They accordingly requested that the complaint be dismissed as it lacked legal basis.

The Office of the Data Protection Commissioner (ODPC) addressed three issues: whether the Complainant's rights were violated, whether the Respondent fulfilled its obligations under the Act, and whether the Complainant was entitled to remedies.

The ODPC’s determination focused on the requirement for express, unequivocal, free, specific, and informed consent for processing personal data for commercial purposes.

1. Violation of the Right to Information/Consent: The ODPC found that the Respondent failed to inform the Complainant at the point of making an M-PESA payment that his personal data would be further collected and used for sending promotional text messages, thereby acting in breach of Section 26(a) of the Act, which guarantees the right to be informed about the specific purpose for which data is used. By omitting to provide this crucial information and proceeding to utilize the data for an undisclosed purpose, the Respondent acted in contravention of the Act.
2. Unlawful Processing for Commercial Purposes: The ODPC determined that the Respondent’s assertion that a routine M-PESA transaction amounted to implicit consent for marketing was untenable. The mere fact that the Complainant conducted an M-PESA transaction did not, in itself, satisfy or imply the consent contemplated by the Act. The Respondent failed to demonstrate any lawful authorization for processing the data for direct marketing, which clearly fell within the scope of using personal data for the advancement of commercial interests. In the absence of such consent or lawful authorization, and given that the Complainant was not informed of the intended use of his data for marketing, the Respondent acted in breach of Section 37(1) of the Data Protection Act.