Opinion, 19 November 2025 - The Communications Authority of Kenya (CA) recently issued a notice under the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, requiring telcos to collect not just basic identification (like names or ID numbers), but highly sensitive biometric and physiological data.
We’re talking DNA analysis, blood type, earlobe geometry, voice recognition, retinal scans — data that many consider deeply personal.
Critics argue this is a major threat to privacy. As one tech analyst put it: “It is a big risk to spread such sensitive data to more hands.”
However, in a detailed statement released on Tuesday, the Communications Authority of Kenya (CA) dismissed such concerns as unfounded, making it clear that no mobile operator has been directed to collect biometric data under the new SIM-card registration rules.
“For the avoidance of doubt, the CA has not issued any directive requiring licensees to collect biometric data from subscribers,” the regulator emphasised.
It confirmed that fingerprints, retinal scans, or any other biological identifiers are not required under the regulations gazetted in May 2025.
Public anxiety had stemmed from a broadly worded section of the rules that defines “biometric data” to include everything from blood type and voice patterns to earlobe geometry.
Privacy campaigners warned that the wording could pave the way for invasive surveillance, while many citizens feared they might soon need to submit to physical identification simply to keep their phone lines active.
The CA insists this reading is incorrect. The wide definition, it explained, is included solely to strengthen data-protection standards and guide operators on what constitutes sensitive personal information.
The actual purpose of the revised regulations is to impose stricter security requirements on telecom companies, ensuring they protect customer data in full compliance with the Data Protection Act and the Kenya Information and Communications Act.
The Authority further reassured the public that no subscriber can be disconnected without due cause.
A line may be suspended only if a user submits false details or repeatedly fails to complete registration, and even then, operators must follow transparent procedures and give advance warning.
Ultimately, the CA says the new measures have a straightforward objective: to reduce SIM-related fraud, identity theft, and online crime by ensuring every mobile line is linked to a properly verified individual.
Far from threatening privacy, the regulator argues, the rules will bolster public confidence in Kenya’s rapidly expanding digital economy, especially as mobile money and e-government services become ever more central to daily life.
Privacy vs Security: A Tough Trade-Off
True, the rules mandate that operators must keep the data “secure and confidential,” following the Data Protection Act.
But many worry that telcos and regulators might not be prepared to handle such a volume of sensitive data safely.
There’s also concern over how often this data must be submitted to the regulator: the rules say telcos should give the CA access to systems, files, and records quarterly.
Critics say this could essentially turn telcos into identity managers, collecting and storing data that’s more often associated with health or criminal systems than telecoms.
They also stormed X, complaining about the invasive nature of the new rules, warning that requiring DNA, blood types, and other biometric data for SIM registration could turn ordinary telecommunications into a tool for mass surveillance.
Many argued it violated privacy rights, calling it excessive and unnecessary, while some voiced their disbelief humorously, asking if the next step would be giving a blood sample just to top up mobile data.
New Rules, New Risks
Legally, these new regulations are grounded in the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025. These rules replace older ones (from 2015) and expand the kind of data that must be collected.
Under the new regulations, SIM registration must include verification with government databases, ensuring that the subscriber’s identity is accurately recorded and cross-checked. Proxy registration is largely prohibited, meaning individuals can no longer register a SIM card on someone else’s behalf except in very limited, specific circumstances.
Operators are required to maintain a secure repository of all registration data, including copies of IDs and other sensitive verification documents.
Providing false information can result in SIM deactivation, and any violations of the regulations carry strict penalties, including fines of up to KSh 1 million or imprisonment for six months. These measures are intended to tighten control over subscriber identity and enhance security within the telecommunications sector.
The Pushback
Many observers are deeply uneasy about the new SIM registration rules. Data protection experts warn that the demand for DNA and other biometric information directly clashes with established data protection principles, particularly the principle of data minimization, which stipulates that only information absolutely necessary should be collected.
Telecom operators face their own set of challenges. While they must comply with the regulations, there is widespread concern about the cost of implementation, especially for smaller operators who may lack robust systems to safeguard highly sensitive data. Meanwhile, subscribers are increasingly worried that they do not fully understand what they are consenting to or the risks associated with providing genetic and biometric data.
This debate extends far beyond technical compliance. It touches on civil liberties, trust in institutions, and the future of digital identity in Kenya.
If fully implemented, Kenya could become one of the first countries to require genetic data for SIM registration.
For those already concerned about surveillance, it raises serious questions: who else might have access to this sensitive information? On the other hand, proponents argue that these measures could help fight crime, cyber-fraud, and even terrorism, making SIM cards safer and more traceable.
Legal Wrinkles
Already, there are legal tremors. In a separate but related privacy case, Kenya’s High Court struck down a regulation that would have forced IMEI registration, citing privacy risks. That ruling could embolden privacy advocates in the SIM-DNA debate.
Looking ahead, the Communications Authority (CA) is likely to move forward with enforcing the new SIM registration rules. Telecom operators will need to build or strengthen systems to securely store and transmit sensitive biometric data, while civil society and data protection watchdogs are expected to closely scrutinize how the CA accesses and uses this information. For ordinary Kenyans, the new regulations present a stark choice: comply by providing highly sensitive personal data, or risk losing access to essential mobile services.
In Kenya today, your SIM card might be more than a phone number; it could become a piece of your biological identity. And as the debate intensifies, it raises a bigger question: How much of ourselves are we willing to give up in the name of security?
For many, this feels like a slippery slope. For others, it’s a necessary step in modernizing digital trust. Either way, the SIM‑DNA story is shaping up to be one of the most important privacy flashpoints in Kenya’s digital future.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of Dawan Africa.





