Many Kenyans routinely show their M-Pesa confirmation messages after paying. In fact, some even hand over their entire phone—especially in crowded matatus. However, this common habit may violate the law.
According to lawyers at MMTK Law, the M-Pesa privacy Kenya practice infringes on constitutional and statutory privacy rights. Importantly, no Kenyan law requires customers to display their payment SMS to merchants.
“There is no statute that mandates a consumer to hand over or display their private mobile device,” says Fridah Muriithi, associate advocate at MMTK Law. She co-authored the analysis with senior associate Mary Audi.
Customers must pay for goods or services—that’s a contract. But how merchants verify payment is a business choice, not a legal duty for the buyer.
Under the Data Protection Act, 2019, personal data enjoys strong protection. An M-Pesa message contains sensitive information: name, phone number, account balance, and spending patterns. This qualifies as sensitive personal data.
“Proof of payment lies with the merchant,” Muriithi explains. Every “Lipa na M-Pesa” transaction sends a real-time alert to the seller’s till or Paybill system. That notification—not the customer’s phone—is the legal proof.
Yet, many sellers still demand to see the SMS. This act counts as “processing” personal data under the law—even if they just glance at it.
Worse, some jot down names or transaction codes. That’s data collection—and it becomes illegal when consent is forced.
“For consent to be valid, it must be freely given,” Muriithi says. If a matatu tout refuses to let you alight unless you show your phone, that’s coercion—not consent.
Merchants often cite fraud prevention. While legitimate, this reason has limits. The law demands necessity and proportionality.
“Viewing an entire SMS to confirm a Ksh 50 fare is disproportionate,” she notes. Less intrusive options exist: merchant app alerts, SMS receipts, or asking the customer to read the transaction code aloud.
The legal burden is clear: merchants must maintain proper verification systems. They cannot shift that duty onto customers by demanding phone access.
Violations carry real risks. Offenders may face civil lawsuits, fines, or compliance orders from the Office of the Data Protection Commissioner.
In short, social habit doesn’t override the law. The M-Pesa privacy Kenya issue reminds all Kenyans: your phone is private—and the law is on your side.
READ: Visa Launches GTPP Trade Platform for Vietnam-South Korea B2B Payments