In a significant determination for digital privacy rights, the Office of the Data Protection Commissioner (ODPC) has ruled on Complaint No. 1724 of 2025, involving the unauthorized use of personal identifiers in social media advertisements.
The case, Ian Itolondo Mutoro vs. Waithera Imani (alias Cera Imani) t/a Eshe Community, highlights the stringent requirements for consent under Kenya’s data protection framework.
The dispute began on November 6, 2025, when the Complainant, Ian Itolondo Mutoro, lodged a formal grievance with the ODPC. He alleged that on September 23, 2025, the Respondent published promotional videos on Instagram and TikTok to market ESHE. These videos prominently featured Mutoro’s full name and photograph.
Mutoro asserted that this processing occurred without his knowledge or consent. He further argued that the publication:
- Unlawfully associated him with a commercial product.
- Created a misleading public impression that he endorsed or was affiliated with the ESHE brand.
- Violated the core principles of lawfulness, fairness, and purpose limitation.
Upon receiving the complaint, the ODPC notified the Respondent on December 15, 2025, seeking a formal response and evidence of a lawful basis for processing Mutoro’s data for marketing purposes. The Office specifically requested information regarding the mitigation measures adopted by the Respondent to address the grievance.
ESHE claimed that Mutoro had previously requested to be featured on the ESHE digital application as a medical professional to receive client leads. They argued that the video was shared with him in advance without objection and that his professional details were already publicly available.
Key findings by the ODPC
- The ODPC found that while the Complainant may have consented to being listed on a digital application, this did not constitute express, informed consent for commercial advertising on external social media platforms.
- Under Section 32(1) of the Data Protection Act, the burden to prove consent lies with the data controller; the Respondent failed to provide verifiable evidence of such consent.
- The processing was determined to be for a commercial purpose as defined by Regulation 14(1), as it was intended to advance economic interests and attract clients.
The Data Commissioner found the Respondent liable for violating the Data Protection Act and issued the following orders:
- The Respondent was ordered to pay the Complainant Ksh. 50,000 for damages, including emotional distress.
- The Respondent was directed to pull down the Complainant’s personal data from social networks within 14 days and provide proof of compliance to the Office.
This case serves as a critical reminder to businesses and influencers (Data Controllers) that using an individual’s identity for promotional or marketing purposes requires explicit authorization under the Data Protection Act.
