The 2025 SIM-card registration regulations list sensitive biometric identifiers like DNA and retinal scans — but do not require telcos to collect them. Here is a detailed explainer of what the new rules mandate, how verification works, suspension timelines, penalties, and your rights under the law.
Newly revised SIM-card registration regulations have sparked public concern over the scope of personal data referenced in the law — particularly the inclusion of highly sensitive biometric identifiers such as DNA, retinal scans, earlobe geometry and fingerprints.
While the regulations mention these categories, they do not instruct mobile operators to collect them. Instead, their appearance stems from an expanded legal definition that has left many Kenyans questioning what the regulations actually empower and what they do not.
The rules — formally titled the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025 — took effect through Legal Notice No. 90 of 30 May 2025. They replace Kenya’s previous SIM-registration framework with stricter verification and data-governance obligations designed to curb identity theft, SIM-box fraud and misuse of mobile-enabled digital services.
The controversy centres on Regulation 2, which defines biometric data as personal data derived from physical, physiological or behavioural attributes. The illustrative list includes DNA analysis, fingerprints, retinal scans, voice recognition and other markers typically classified as highly sensitive.
This means the law acknowledges DNA and retinal scans within its definition — but this is not the same as requiring their collection. The operative provisions that follow set out what telcos must do, and none of them mandate taking biometric samples.
What mobile operators must collect
Under the new rules, telcos must:
- Register subscribers using original identification documents — such as national IDs, passports or birth certificates;
- Authenticate these documents through relevant government databases;
- Securely store registration records and update subscriber information within seven days of any change;
- Implement data-protection and cybersecurity controls consistent with the Data Protection Act, 2019.
The Communications Authority (CA) also gains enhanced audit powers, allowing it to access operator systems, records and infrastructure to verify compliance.
When service can be suspended
The regulations limit suspension or disconnection to cases where a subscriber provides false information or repeatedly fails to complete registration. Operators must give the subscriber prior notice before taking such action.
Complaints over wrongful registration must be resolved within 30 days, during which affected subscribers are entitled to a fair hearing.
Why privacy advocates are concerned
Despite CA’s assurances, the broad definition of biometrics has unsettled data-rights groups. They argue that the gap between what is defined and what is required could leave room for future policy overreach, especially given that the Data Protection Act classifies biometric information as sensitive personal data that can only be collected under strict necessity and proportionality tests.
CA’s clarification
Amid public unease, the CA has repeatedly stressed that no operator has been instructed — formally or informally — to gather biometric identifiers such as fingerprints, retinal scans or DNA samples.
“For the avoidance of doubt, CA has NOT issued any directives for the collection of biometric data by our licensees.”
“The new SIM Card Regulations do not contain any provision requiring the collection of biometric data.”

By Phidel Kizito, Capital News