)
)
Kenya is stepping up efforts to protect children online with fresh rules that require service providers to verify the age of users before granting access to certain digital content.
While this sounds like a win for online safety, the use of government-issued IDs for age checks raises serious privacy and inclusion concerns.
What does this mean for young Kenyans navigating the digital space?
)
)
)
)
What’s Changing Online?
The Communications Authority of Kenya (CA) is seeking to introduce new guidelines demanding that all licensed service providers, mobile operators, social media platforms, apps, and internet providers verify user ages before giving access to services that may not be suitable for children under 18.
Within six months, companies must deploy age-verification systems designed to keep minors away from harmful content like violence, exploitation, and inappropriate material, while still respecting children’s rights to access information and freedom of expression.
According to a Communication Authority official who spoke to Business Daily, "Initially, service providers may accept user-entered ages, but ultimately everyone will be required to verify their identity through government-issued ID."
Mobile operators will have to register SIM cards using accurate age data, and application providers will embed safety features “by design” into their products.
Reporting mechanisms for online abuse or harmful content will also be strengthened.
READ ALSO: TikTok bans 60,000 Kenyan accounts, 360,000 videos
)
Why Age Verification Matters
The internet is a powerful tool for learning, creativity, and connection, especially for Kenya’s youth, who are among the most active digital users.
But it’s also a place where children face risks: exposure to child sexual abuse materials, cyberbullying, radicalisation, and more.
Age verification aims to create safer online spaces by limiting children’s access to inappropriate services.
The Privacy and Inclusion Challenge
However, requiring government-issued IDs for age verification introduces new risks:
Privacy Concerns
Sharing ID details online can expose users to data breaches, identity theft, and misuse if service providers don’t enforce strong data protection measures.
According to Ian Olwana, a seasoned data governance and information security expert, government-issued IDs carry a lot of data beyond age, which is what service providers are supposed to verify.
He explained that using such a document for age verification online goes against the principles of data minimisation, which requires data controllers or processors to only collect the information needed.
"ID cards have a lot of information that should not be in the hands of social media giants looking to train AI and exploit every available data," he expressed.
He suggested that a good alternative would be using a phone number to verify age because in Kenya, an ID is required to register a SIM card.
This means any person with a phone number must have been registered, hence should be of age. There is also the option of self-declaration with an AI pattern check that assesses things like behaviour or facial recognition.
READ ALSO: 9 ways the Kenyan ID controls your life
Excluding Vulnerable Users
Many young Kenyans, especially in rural areas or informal settlements, may lack easy access to official IDs. Strict ID checks risk locking out those who need digital services most.
)
Surveillance Risks
Tying online activity to official IDs could enable unwanted government or corporate surveillance, threatening digital freedoms and anonymity.
“We know that agencies like KRA, SHA, and HELB have been exploring AI tools to assess taxation and fund distribution,” the Olawana explained.
KRA has also turned to social media monitoring in its efforts to conduct lifestyle audits against suspected tax cheats.
The expert argued that linking social media accounts to a person’s Maisha number and other official databases would make it easier for government agencies to monitor citizens without manual investigation.
“Right now, Kenya lacks specific laws that directly prohibit state surveillance,” he noted. “We rely heavily on the Kenya Data Protection Act, but it doesn’t fully prevent abuse or misuse.”
READ ALSO: KRA to monitor M-Pesa paybills for tax evasion with new ETR system
)
Data Security Worries
Users need clear communication about how their data is collected, stored, and shared to build confidence in these systems.
"The risk in the case is data sovereignty, we need the data to be within a space that allows us control over it or at least have laws that are similar to ours. We are aware that social media platforms have very weak privacy policies for African jurisdictions due to geopolitics, and they even allocate a budget for penalties in anticipation. Our enforcement is not reliable when it comes to big tech," he said.
There is also the risk of cross-border transfer of data. According to the law, personal data leaving Kenya should happen only through consent or an adequacy decision.
Olwana also raised concerns about the cross-border transfer of personal data involved in social media operations. “When data moves across borders, it becomes almost impossible to maintain transparency, which automatically undermines fairness. This creates significant challenges for Kenyan users whose data may be processed outside the country.”
To address such risks proactively, Section 31 of the Data Protection Act mandates conducting a Data Protection Impact Assessment (DPIA) for certain high-risk operations, and a Transfer Impact Assessment (TIA) for cross-border data transfers.
)
These assessments aim to identify potential risks, outline necessary safeguards, and highlight any residual risks before the operation begins. “These tools are critical,” the expert notes, “as they help organisations understand the impact of their data processing activities on user privacy and ensure that appropriate protections are in place.”
The Constitution and Data Protection Act offers safeguards, but enforcement remains a challenge, especially among smaller or less transparent service providers.
Finding the Right Balance
Protecting children online requires a careful balancing act between safety, privacy, and inclusion. The CA’s guidelines emphasise transparency, accountability, and data protection “by design” to tackle these risks.
Service providers must develop age-verification systems that are secure, respect user privacy, and offer alternative verification methods for those without formal IDs.
Parents, educators, and users themselves also play a crucial role in promoting safe digital habits. Empowered consumers who understand their rights can help shape a safer internet environment.
The success of these new rules depends on effective enforcement and how users engage with their digital rights.