Advertisement
Case Digest Court Crimes Featured News News Slider News Trending News

Pepinos Pizza Inn Fined KES 250,000 for Unsolicited Marketing: Why This ODPC Ruling Matters to Every Kenyan

Wanjiku Gitonga 0
Pepinos Pizza Inn Fined KES 250,000 for Unsolicited Marketing: Why This ODPC Ruling Matters to Every Kenyan

In a country where a phone number is often all it takes to pay, order food, book a service or access credit, personal data has quietly become one of our most valuable assets. Yet for many Kenyans, the price of convenience has been relentless promotional messages, unsolicited calls and the uneasy feeling that our information is being passed around without our knowledge.

A recent determination by the Office of the Data Protection Commissioner (ODPC) has firmly pushed back against this culture, and sent a strong warning to businesses that privacy rights are not optional. In a landmark decision, the ODPC ordered Pepinos Pizza Inn to pay KES 250,000 in compensation for violating a customer’s data privacy rights by sending unsolicited promotional text messages without consent.

This ruling is more than a fine. It is a statement.

Where This Case Comes From: Data Protection Law in Action

Kenya’s data protection regime is anchored in Article 31 of the Constitution, which guarantees every person the right to privacy. To give life to this constitutional promise, Parliament enacted the Data Protection Act, 2019, establishing clear rules on how personal data should be collected, used, stored and shared.

The Act also created the Office of the Data Protection Commissioner, a regulator empowered to investigate complaints, issue enforcement notices and, as this case demonstrates, award compensation to individuals whose rights have been infringed.

This is the legal backdrop against which ODPC Complaint No. 0474 of 2025 was decided.

The Dispute: From a Simple Transaction to a Legal Battle

The complainant, Quincy Jesee Kiptoo, lodged a complaint with the ODPC after receiving promotional text messages from Pepinos Pizza Inn, messages he says he never consented to.

According to the complaint, Mr. Kiptoo’s contact details were obtained during a routine transaction, including an M‑PESA payment. At no point, he argued, was he informed that his phone number would later be used for advertising or promotional purposes.

Pepinos Pizza Inn defended itself by claiming that consent was implied during the transaction. The restaurant argued that by providing his phone number as part of payment, the complainant had effectively agreed to receive marketing messages.

The ODPC was not persuaded.

The Ruling: Why Pepinos Pizza Inn Was Found Liable

In a detailed determination, the Data Commissioner found Pepinos Pizza Inn liable for infringing the complainant’s rights under the Data Protection Act.

The ODPC held that the restaurant had violated:

  • Section 26(a) of the Act, which requires data subjects to be informed of the purpose for which their personal data is collected and used; and
  • Section 37, which prohibits the unlawful commercial use of personal data without proper consent.

Crucially, the Commissioner rejected the argument that consent could be inferred from a routine transaction. The ruling reaffirmed that consent must be “express, unequivocal, free, specific and informed.”

An M‑PESA payment, the ODPC emphasized, does not automatically translate into permission to send promotional messages.

The restaurant was also faulted for failing to provide a clear, user‑friendly opt‑out mechanism, reinforcing the principle that even where marketing is permitted, individuals must be given an easy way to say no.

As a result, the ODPC ordered Pepinos Pizza Inn to:

  • Pay KES 250,000 in compensation to the complainant;
  • Comply with an enforcement notice under Section 58 of the Act; and
  • Face the possibility of further legal consequences if non‑compliance continued.

Why This Decision Is a Big Deal for Data Protection in Kenya

This ruling sends a clear and powerful message: business convenience does not override personal privacy.

For years, many companies have treated phone numbers and email addresses as fair game the moment a customer interacts with them. This decision firmly shuts that door. It confirms that:

  • Consent cannot be hidden in transactions;
  • Silence is not consent;
  • And “we got the number during payment” is no defence.

The award of monetary compensation is particularly significant. It signals that data protection violations are not merely regulatory issues, they are personal harms with real remedies.

How Brands and Advertisers Get Our Contact Information

Most Kenyans share their contact details daily, often without a second thought. Businesses typically collect phone numbers through:

  • M‑PESA and other mobile money transactions;
  • Point‑of‑sale systems and delivery orders;
  • Loyalty programs and customer sign‑ups;
  • Online forms, bookings and mobile apps; or
  • Third‑party marketing and data service providers.

What this ruling makes clear is that collection does not equal permission. A phone number given for payment or delivery cannot legally be repurposed for advertising unless the customer is clearly informed and actively agrees.

What This Means for Consumers: Protecting Your Data

If you have ever felt powerless against endless promotional messages, this decision offers reassurance, and options.

As a data subject, you have the right to:

  • Be informed how and why your data is used;
  • Object to direct marketing;
  • Withdraw consent at any time;
  • Request deletion of your personal data; and
  • Lodge a complaint with the ODPC if your rights are ignored.

This case proves that complaints work. The law is not theoretical, it can deliver real accountability.

What Service Providers Must Do Going Forward

For businesses, the message is equally clear: compliance is no longer optional.

Service providers must:

  • Obtain clear, explicit consent before sending marketing messages;
  • Separate consent from routine transactions;
  • Provide simple and visible opt‑out options;
  • Keep proper records of consent; and
  • Train staff on data protection obligations.

Failure to do so risks financial penalties, enforcement action and reputational damage.

A Final Word: Privacy Is Personal, and Enforceable

The Pepinos Pizza Inn decision marks an important moment in Kenya’s data protection journey. It reminds us that behind every phone number is a person, with rights, boundaries and dignity.

As digital transactions continue to shape our lives, this ruling draws a line in the sand: your data is not a marketing free‑for‑all.

At Legal Express Kenya, we will continue to track these decisions, unpack what they mean and tell the stories that matter. If this case resonated with you, stay with us, because the law is evolving, and so are your rights. Read more HERE

Wanjiku Gitonga

Website:

Related Story

Leave a Reply

Your email address will not be published. Required fields are marked *