Explainer: Key facts on new SIM rules and the biometric data dispute
By Aloys Michael, November 19, 2025
A newly updated SIM-card registration framework is stirring controversy after it surfaced that the law cites unusually sensitive biometric details, including DNA samples, retinal imagery, earlobe measurements, and fingerprint data, fueling a nationwide privacy debate.
While the regulations mention these categories, they do not instruct mobile operators to collect them. Instead, their appearance stems from an expanded legal definition that has left many Kenyans questioning what the regulations actually empower and what they do not.
The rules, formally titled the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, took effect through Legal Notice No. 90 of May 30, 2025.

They replace the previous SIM-registration framework with stricter verification and data-governance obligations designed to curb identity theft, SIM-box fraud, and misuse of mobile-enabled digital services.
The controversy centers on Regulation 2, which defines biometric data as personal data derived from physical, physiological, or behavioral attributes. The illustrative list includes DNA analysis, fingerprints, retinal scans, voice recognition, and other markers typically classified as highly sensitive.
This means the law acknowledges DNA and retinal scans within its definition, but this is not the same as requiring their collection. The operative provisions that follow outline what telcos must do, and none of them mandate the collection of biometric samples.

What operators collect
Under the new rules, telecommunications companies must register subscribers using original identification documents, such as national IDs, passports, or birth certificates, and authenticate these documents through relevant government databases.
They must also securely store registration records, update subscriber information within seven days of any change, and implement data-protection and cybersecurity controls consistent with the Data Protection Act, 2019.
The Communications Authority (CA) also gains enhanced audit powers, allowing it to access operator systems, records, and infrastructure to verify compliance.
Suspending services
The regulations limit suspension or disconnection to cases where a subscriber provides false information or fails repeatedly to complete registration. Operators must issue prior notice before taking such action.
Complaints over wrongful registration must be resolved within 30 days, during which affected subscribers are entitled to a fair hearing.

Privacy concerns
Despite CA’s assurances, the broad definition of biometrics has unsettled data-rights groups. They argue that the gap between what is defined and what is required could leave room for future policy overreach, especially given that the Data Protection Act classifies biometric information as sensitive personal data that can only be collected under strict necessity and proportionality tests.
But amid public concerns, the Communications Authority has stressed that no operator has been instructed, formally or informally, to gather biometric identifiers such as fingerprints, retinal scans, or DNA samples.
“For the avoidance of doubt, CA has NOT issued any directives for the collection of biometric data by our licensees. The new SIM Card Regulations do not contain any provision requiring the collection of biometric data,” the CA said.