Many Kenyans have normalised doing their transactions via mobile money, particularly M-Pesa. After making the payment, they instinctively hold up the phone to the seller to see the confirmation message, often without much thought.
In fact, some customers will hand over the entire phone as is common in overcrowded places, such as in matatus. However, this practice infringes on data protection and privacy rights, as stated in the Kenyan Constitution.
According to advocates at Muri Mwaniki Thige & Kageni LLP (MMTK Law), no law in Kenya obliges a customer to show their M-Pesa confirmation message as proof of payment.
“There is no statute that mandates a consumer to hand over or display their private mobile device to a third party for inspection,” says Fridah Muriithi, an associate advocate at MMTK Law, who collaborated on the legal analysis with Mary Audi, a senior associate at the firm.
“While a customer has a contractual obligation to pay for goods or services, the method of verifying that payment is a matter of commercial practice, not a statutory requirement,” she explains.
“In fact, the legal framework, particularly the Data Protection Act, 2019, leans toward protecting a customer’s privacy rather than granting merchants a right to inspect personal devices.”
The widespread nature of the practice, she adds, does not change its legal standing.
“Social normalisation does not create a legal obligation on the customer, nor does it remove the merchant’s duty to protect personal data.”
Legally, proof of payment does not lie with the customer’s phone.
“Proof of payment is the merchant’s own confirmation, such as a receipt or a notification on the M-Pesa Till or Paybill system,” Muriithi says.
“Every Lipa na M-Pesa transaction sends a concurrent message to the merchant’s device or system. That notification is the primary legal evidence.”
In other words, once the money has hit the merchant’s till or Paybill, the transaction is complete, whether or not the customer displays their SMS.
“An M-Pesa confirmation message is dense with personal data,” says Muriithi.
“It includes direct identifiers such as a customer’s name and phone number, financial data like account balance, which is classified as sensitive personal data, and transaction metadata that can reveal spending habits.”
Coerced consent
Under the Data Protection Act, demanding to view a customer’s M-Pesa message is not a harmless act.
“When someone asks to see a customer’s M-Pesa confirmation message, this generally amounts to processing of personal data,” Muriithi explains. “Processing includes consulting, using, or even recording that information.”
In some cases, touts or merchants jot down names or transaction codes—a practice that constitutes collection and recording of personal data under the law. The issue becomes more serious when consent is coerced.
“For consent to be valid, it must be freely given,” Muriithi says. “In situations where a customer is compelled to show the message in order to access a service or be allowed to alight from a matatu, that consent is not valid.”
Verification becomes unlawful when it goes beyond what is necessary.
“Viewing an entire M-Pesa SMS to confirm a small payment is disproportionate,” Muriithi says.
Fraud prevention
Merchants often justify the practice as a safeguard against fraud. While fraud prevention is recognised in law, it has limits.
“It may be a legitimate interest, but it must meet the test of necessity and proportionality,” says Muriithi.
“Given that merchants already have less intrusive ways to verify payment, reliance on fraud prevention alone often fails that test.”
The alternatives, the advocates say, are readily available.
“Merchants should rely on their own M-Pesa Business App notifications, SMS receipts, or simply ask the customer to read out the transaction code,” Muriithi says.
Legally, she adds, the burden lies with the merchant to maintain a functional verification system—not with the customer to surrender their privacy.
Merchants or service providers who routinely demand to view customers’ messages may face consequences.
“They could be exposed to civil liability for unlawful processing of personal data and regulatory sanctions from the Office of the Data Protection Commissioner, including fines and compliance orders,” she says.