Office of the Data Protection Commissioner (ODPC) on Wednesday released draft sector-specific guidance notes targeting Kenya’s transport industry amid rapid digital expansion.
The regulator seeks to curb risks linked to ride-hailing apps, GPS tracking, and profiling.
Stakeholders have until May 15, 2026, to submit feedback on proposed rules covering data protection policies, cross-border transfers, and compliance requirements.
The regulator said the guidance covers cross-border data transfers, data protection policies, Data Protection Officers (DPOs), and the transport sector, and has invited stakeholders to submit feedback before May 15, 2026. Submissions can be sent to compliance@odpc.go.ke.
It said the initiative is designed to support compliance with existing law while addressing emerging risks linked to digital mobility platforms.
“The Office of the Data Protection Commissioner (ODPC) has released draft sector-specific guidance notes to support compliance with the Data Protection Act, 2019,” the statement read.
ODPC said the transport sector is undergoing a rapid digital shift driven by ride-hailing applications, GPS tracking systems, and electronic ticketing platforms.
It warned that these developments have created new risks for misuse of personal data, especially as companies increasingly rely on real-time user information.
It said the rise in digital mobility services has introduced new challenges related to privacy, surveillance, and data handling practices across the sector.
A central focus of the draft guidelines is the regulation of real-time location tracking of passengers and drivers, which the ODPC described as a significant privacy concern.
“The nature of personal data processing in the transport sector raises significant privacy concerns,” the regulator noted in the draft.
The ODPC also raised concerns about profiling, where companies may analyse user data to infer sensitive information about passengers for purposes such as insurance scoring or targeted advertising.
It warned that such practices could occur without explicit consent if left unchecked.
The draft introduces a compliance framework based on seven core principles that transport operators must follow.
These include transparency, requiring companies to explain data use in plain language rather than legal jargon.
Data minimization restricts firms from collecting more information than necessary for a trip, while storage limitation requires deletion or anonymisation of data once its purpose is complete.
The principle of integrity and security requires companies to implement safeguards such as encryption and secure systems to protect against cyber threats.
Under the proposed rules, all transport operators acting as data controllers or processors must register with the ODPC.
The regulator also proposes mandatory appointment of Data Protection Officers (DPOs) in many organisations to ensure compliance and act as liaison officers with the authority.
Firms using high-risk technologies such as CCTV, dash-cams and automated driver-rating systems will be required to conduct Data Protection Impact Assessments (DPIAs).
These assessments are intended to evaluate risks before deployment of such systems to ensure they do not infringe on individual rights.
The guidelines apply to a wide range of operators, including matatu SACCOs, taxi-hailing platforms, aviation firms and maritime transport companies.
The ODPC said the proposals also cover general data protection policies and cross-border data transfers, reflecting the increasingly global nature of digital mobility systems.
Industry players are expected to align internal systems with the proposed framework once it is finalised.
The regulator invited stakeholders, including transport firms, digital mobility platforms and members of the public, to submit feedback on the draft proposals.
The consultation window remains open until May 15, 2026, after which the regulator will review submissions before finalising the guidance notes.
The regulator said the process is intended to ensure balanced rules that protect privacy while supporting innovation in the transport sector.
Analysts say the draft points to a tougher regulatory stance on data governance within Kenya’s fast-digitising transport sector.
The ODPC said the framework is designed to ensure that technological innovation does not compromise the constitutional right to privacy.
If implemented, the guidelines are expected to significantly reshape how transport operators collect, store and process personal data in Kenya’s growing digital mobility industry.