Kenya Recording Laws: One-Party Consent Rules and Penalties (2026)

Is Kenya a One-Party or Two-Party Consent State?

Kenya is effectively a one-party consent jurisdiction in practice, though no statute uses those exact terms. A person who participates in a conversation may record it without committing a criminal offence, and courts have generally admitted such recordings as evidence under the balancing test in Article 50(4) of the Constitution.

The key rule under Section 17 of the Computer Misuse and Cybercrimes Act (CMCA) 2018 is authorization: intercepting or recording a communication "without authorization" is a criminal offence. A participant who records their own conversation is authorized by virtue of being a party to it. A third party who intercepts a communication they are not part of has no such authorization.

The Data Protection Act (DPA) 2019 adds a consent layer on top of the criminal framework. Even where a recording is not a criminal offence, processing the resulting data without a lawful basis under the DPA can give rise to civil liability and administrative fines. For phone calls and in-person conversations, the safest practice is to inform all parties that recording is taking place.

This article covers Kenya's federal legal framework. It does not address the laws of other East African states; for those, see the regional articles on this site.

Overview of Recording Laws in Kenya

Kenya does not have a single, dedicated wiretapping or recording-consent statute. There is no formal "one-party consent" or "two-party consent" framework written into Kenyan legislation. Instead, the legality of recording conversations, phone calls, and video in Kenya is governed by overlapping constitutional provisions, cybercrime legislation, and data protection rules.

The primary legal sources that affect recording in Kenya are:

• The Constitution of Kenya (2010), particularly Article 31 (right to privacy) and Article 33 (freedom of expression)
• The Computer Misuse and Cybercrimes Act (CMCA) No. 5 of 2018, which criminalizes unauthorized interception of electronic communications under Section 17
• The Data Protection Act (DPA) No. 24 of 2019, which regulates the collection and processing of personal data including recordings
• The Kenya Information and Communications Act (KICA), Chapter 411A, which governs telecommunications-operator interception
• The National Intelligence Service Act No. 28 of 2012, which authorizes state surveillance under judicial oversight
• The Prevention of Terrorism Act 2012 (revised 2023), which grants additional interception powers for counter-terrorism

The CMCA was amended in 2024 (assented to by President Ruto on October 15, 2025), adding new offences around SIM-swap fraud and cyber harassment, though the Section 17 interception provision was not changed. On March 6, 2026, the Court of Appeal struck down CMCA Sections 22 and 23 (false-publications offences) as unconstitutional in Bloggers Association of Kenya (BAKE) v Attorney General, Civil Appeal 197 of 2020, [2026] KECA 430 (KLR). Section 17 was not at issue in that ruling and remains in force.

Because Kenya lacks a clear single recording-consent law, the purpose and context of a recording often matter more than the act of recording itself.

Constitutional Right to Privacy Under Article 31

The foundation of recording law in Kenya is Article 31 of the Constitution of Kenya (2010). This provision establishes that every person has the right to privacy, which includes the right not to have:

• Their person, home, or property searched
• Their possessions seized
• Information relating to their family or private affairs unnecessarily required or revealed
• The privacy of their communications infringed

Subsections (c) and (d) are the most relevant to recording. They protect individuals from having their private communications intercepted or their personal information disclosed without authorization. Any recording that captures private conversations or personal information could potentially violate these constitutional guarantees.

Article 31 applies broadly. It covers phone calls, in-person conversations, digital messages, and any other form of private communication. The Constitution does not define specific penalties for privacy violations. Individuals whose privacy rights are violated may seek remedies through the courts, including injunctions and damages.

The right to privacy under Article 31 is not absolute. Article 24 of the Constitution permits limitations on fundamental rights where those limitations are reasonable and justifiable in an open and democratic society. This means recordings may be lawful when they serve a legitimate purpose, such as preventing crime or protecting public safety.

2024 Finance Bill protests context. The constitutional protection of communications was strained during the June-July 2024 Finance Bill protests. The Communications Authority of Kenya ordered all television and radio stations to stop live coverage of the demonstrations, invoking Articles 33(2) and 34(1). Internet access was disrupted for over six hours on June 25, 2024, in what rights groups documented as an infringement of the Article 33 right to freedom of expression and the Article 35 right to access information. Police in plainclothes conducted surveillance and abducted social media influencers who had been vocal in supporting the protests. Safaricom was reported to have cooperated with security agencies through software enabling tracking of private consumer mobile data. These documented events are relevant context for any journalist or member of the public recording in public spaces during protests.

The Computer Misuse and Cybercrimes Act 2018

The Computer Misuse and Cybercrimes Act (CMCA) No. 5 of 2018 is the primary criminal statute for unauthorized electronic recording and interception in Kenya. Enacted on May 30, 2018, the CMCA addresses offences relating to computer systems and electronic communications.

Section 16 and Section 17: Interference vs. Interception

The existing article's earlier version referred to both provisions under a single "Section 17" heading. They are distinct offences:

Section 16 (Unauthorized Interference) criminalizes intentional acts causing unauthorized interference to computer systems, defined as impairing the confidentiality, integrity, or availability of a computer system. This targets disruption of systems rather than recording.

Section 17 (Unauthorized Interception) is the provision directly relevant to recording. It prohibits intentionally and without authorization intercepting, or causing to be intercepted, the transmission of data to or from a computer system over a telecommunications system. "Interception" is defined broadly to include monitoring, modifying, viewing, or recording non-public transmissions of data over telecommunications systems.

Penalties for unauthorized interception under Section 17:

Offence	Fine	Imprisonment
Unauthorized interception	Up to KES 10 million (approx. USD 77,000)	Up to 5 years
Interception threatening public safety or national security	Up to KES 20 million (approx. USD 154,000)	Up to 10 years

The key element in both sections is "without authorization." Authorized law enforcement interception under a valid court order is exempt. A participant recording their own conversation is treated as authorized by virtue of being a party to it.

Lawful Interception Framework: Sections 52 and 53

For law enforcement, Sections 52 and 53 establish the statutory framework for court-authorized surveillance:

• Section 52 (Real-Time Traffic Data): Police may apply for court orders enabling real-time collection of communication metadata (traffic data) for up to six months, extendable where investigation risks "frustration or serious prejudice."
• Section 53 (Content Data Interception): Court-authorized real-time collection of actual communication content for up to nine months, with proportionality standards protecting the privacy of other users.

In BAKE v AG [2026] KECA 430, the Court of Appeal upheld Sections 52 and 53 but stressed that judges must act as "vigilant gatekeepers" before authorizing intrusive surveillance orders.

The BAKE v AG Ruling (2026)

In Bloggers Association of Kenya (BAKE) v Attorney General & 6 Others, Civil Appeal 197 of 2020, [2026] KECA 430 (KLR) (6 March 2026), a three-judge Court of Appeal bench (Kiage, Muchelule, Korir JJA) struck down CMCA Sections 22 and 23 as unconstitutional. Those sections had criminalized the publication of "false, misleading or fictitious information" online and had been used to arrest journalists, bloggers, and government critics. The court held the provisions were "so broad, wide, untargeted, akin to unguided missiles, and likely to net innocent citizens," in violation of Articles 33 and 34 of the Constitution.

This ruling does not affect Section 17 (interception). Section 17 was not challenged in the BAKE case and remains fully in force. The Office of the Director of Public Prosecutions has filed an appeal to the Supreme Court seeking reinstatement of Sections 22 and 23.

The CMCA Amendment Act 2024

The Computer Misuse and Cybercrimes (Amendment) Act 2024, assented to on October 15, 2025, added:

• Section 42A: A new offence of SIM-swap fraud (up to 10 years imprisonment or KES 5 million fine)
• Sections 23-27: Enhanced penalties for cyber harassment
• Section 8: New powers for the National Computer and Cybercrimes Coordination Committee (NC4) to block websites and apps without judicial oversight (this provision has attracted constitutional criticism from civil society)

The Amendment does not alter Section 17 (unauthorized interception).

Other Relevant CMCA Provisions

Section 27 (cyber harassment) criminalizes willingly communicating content likely to cause apprehension or fear of violence, or that is indecent or grossly offensive. Courts may issue restraining orders. Penalty: fine or imprisonment up to ten years.

Section 37 criminalizes the wrongful distribution of obscene or intimate images, including non-consensual sharing of intimate recordings. See "Non-Consensual Intimate Images" below.

The Data Protection Act 2019

The Data Protection Act (DPA) No. 24 of 2019 is Kenya's comprehensive data privacy law, giving effect to Articles 31(c) and 31(d) of the Constitution. It establishes the Office of the Data Protection Commissioner (ODPC) as the regulatory authority.

How the DPA Applies to Recording

The DPA defines "processing" broadly to include the collection, recording, organization, storage, retrieval, use, disclosure, dissemination, and destruction of data. Audio recordings, video recordings, photographs, and CCTV footage all constitute personal data under this definition because they contain information that can identify individuals.

Data controllers and processors must comply with these principles when recording:

• Consent: Personal data may not be processed without the consent of the data subject. The data controller or processor bears the burden of proving that consent for a specific purpose was granted.
• Purpose limitation: Data must be collected for a specified, explicit, and legitimate purpose and not further processed in a manner incompatible with that purpose.
• Data minimization: Data collected must be adequate, relevant, and limited to what is necessary for the stated purpose.
• Transparency: Data subjects must be informed about the collection and use of their data.

DPA Penalties

Type of Penalty	Amount
General criminal penalty	Fine up to KES 3 million or imprisonment up to 10 years, or both
Administrative fine (ODPC)	Up to KES 5 million or 1% of annual turnover, whichever is lower
Obstruction of Data Commissioner	Fine up to KES 5 million or imprisonment up to 2 years, or both

ODPC Enforcement in Practice

The ODPC has been active. As of May 31, 2025, it had received 7,611 complaints, resolved 7,497, and issued 247 determinations, 112 enforcement notices, 19 penalty notices, and 134 compensation orders. The ODPC has also issued 20 recommendations for prosecution and issued combined penalty notices totalling KES 9.375 million in its first major enforcement actions.

Two enforcement cases illustrate the DPA's application to recording:

Liquid Telecom call recording (February 2026). In Andrew Alston v Liquid Telecommunications Kenya Ltd (ODPC Complaint No. 1125/2025, determined February 4, 2026), the ODPC found that Liquid Telecom violated DPA Sections 26(a) (right to be informed) and 40(1)(b) (right to erasure) by secretly recording an employee's voice on an exit consultation call without consent. The employee explicitly refused permission and requested deletion, which the HR representative acknowledged. Despite this, Liquid Telecom retained the recording and transferred it to its sister company (Liquid Mauritius) to use as evidence in arbitration proceedings. The ODPC awarded the employee KES 700,000 compensation and issued an Enforcement Notice. Liquid Telecom had a right of appeal to the High Court within 30 days.

CCTV neighbor surveillance (2025). The ODPC ordered a Nairobi couple to pay their neighbor KES 200,000 after their CCTV system captured the neighbor's home for nearly four years, violating DPA Section 25 (lawfulness, fairness, and proportionality). The ODPC ruled that while security is a legitimate purpose for CCTV, it must be pursued proportionately and within the confines of the law.

ODPC Guidance on Recorded Media

In November 2025, the ODPC published Guidance Notes on the Processing of Publications of Recorded Media, addressing consent requirements, public-interest exceptions, and obligations for journalists and businesses handling recorded audio and video content.

Participant Recording and Court Admissibility

One of the most practical questions about recording in Kenya is whether a participant in a conversation can legally record it and later use that recording as evidence in court.

The General Rule

Kenyan courts generally treat secret third-party recordings as potentially unlawfully obtained evidence because they are made without the knowledge and express consent of the parties involved. However, courts have drawn an important distinction between third-party surveillance and participant recording.

A recording made by someone who was present during the conversation and participated in it is generally admissible. Courts reason that a participant already has direct knowledge of the conversation, and the recording merely preserves what they would otherwise testify about from memory. In practice, Kenya operates as a one-party consent jurisdiction: participant recordings are made without criminal liability under Section 17 of the CMCA, and courts typically admit them.

Key Court Decision

In Mbugua v Echo Network Africa (Employment and Labour Relations Petition E064 of 2022, decided February 23, 2024), the court examined whether an employer could use a secretly recorded phone conversation to justify terminating an employee. The court held that private communications are confidential and require express consent from the owner. Because the employer failed to show how it obtained the recording and lacked the employee's consent, the court found a violation of the right to privacy. This case illustrates the opposite scenario: an employer using a third-party recording without consent, which courts treat unfavorably.

The Balancing Test Under Article 50(4)

Article 50(4) of the Constitution creates a balancing test that allows courts to admit otherwise unlawfully obtained evidence if its relevance and impact on justice outweigh privacy concerns. Courts may admit a recording if:

• The evidence is highly relevant to the case
• Excluding it would cause a greater injustice than admitting it
• The recording was not obtained through extreme or abusive means

This balancing approach makes the admissibility of recordings in Kenya highly contextual. The outcome depends on the specific facts, the type of case, and the court's assessment of competing interests.

Recording Phone Calls in Kenya

There is no express statutory rule about recording phone calls. The CMCA Section 17 criminalizes unauthorized interception of data transmitted over a telecommunications system. For a participant who records their own call, the "without authorization" element is not satisfied because the participant is a party to the communication.

For businesses that record customer calls for quality assurance or training purposes, the DPA 2019 requires that callers be informed the call is being recorded, and the recording must be limited to what is necessary for the stated purpose. The Media Council (Code of Media Practice) 2025 separately requires that media practitioners inform any party to a call of the intent to record or broadcast, unless public interest justifies otherwise.

Recording In-Person Conversations

For in-person conversations, the same participant-recording framework applies. A participant who records a face-to-face conversation does not violate Section 17 of the CMCA because they are recording a conversation to which they are a party, not intercepting a transmission "without authorization."

However, the DPA 2019 applies to the recording as a processing activity. If the recording captures identifiable individuals, the recorder is acting as a data controller and must have a lawful basis (typically consent or legitimate interest) for processing. Storing and sharing the recording raises additional DPA compliance obligations.

Hidden recording devices placed by a non-participant -- such as a covertly placed microphone or camera -- would constitute unauthorized interception under Section 17 and a violation of Article 31 of the Constitution.

Recording Police and Government Officials

Recording police officers and government officials conducting their duties in public is an area where Article 33 (freedom of expression) and Article 35 (access to information) are most directly engaged.

There is no Kenyan statute that expressly prohibits the recording of police in public spaces. The constitutional right to seek and receive information under Article 33 supports the right of members of the public and journalists to document police conduct in public. Recording a public official exercising public functions in a public place does not engage the same privacy interests protected by Article 31, because officers acting in their official capacity in public have a reduced expectation of privacy in that conduct.

The Official Secrets Act, Cap. 187 prohibits photographing or recording at designated sensitive areas including military installations and specified government buildings. This provision does not prohibit recording police conducting public-order operations on public streets.

Practical context from 2024. During the June-July 2024 Finance Bill protests, the Communications Authority of Kenya ordered television and radio stations to stop live coverage of demonstrations. Authorities detained and abducted journalists and social media influencers who documented protests. Rights organizations documented these as violations of Articles 33 and 35 of the Constitution. For journalists, the Media Council (Code of Media Practice) 2025 provides some professional protection for recordings made in the public interest.

The CMCA Section 22 and 23 provisions, which had been used to prosecute journalists for online content, were struck down by the Court of Appeal in March 2026 in BAKE v AG [2026] KECA 430. While those sections did not directly address recording, their removal reduces one avenue through which authorities had pursued online journalists.

Workplace Recording and CCTV Surveillance

Employers in Kenya who wish to record employees or install surveillance systems must comply with both the Data Protection Act and constitutional privacy protections.

CCTV in the Workplace

The use of CCTV cameras in Kenyan workplaces is lawful, but only if it meets the requirements of the Data Protection Act 2019. Employers must:

• Identify a lawful basis for processing under the DPA before installing cameras
• Post clear CCTV signage that includes the identity of the company (as data controller), contact information for the data protection officer (if applicable), the purpose of the surveillance, and information about data subject rights
• Limit surveillance to what is "adequate, relevant, and limited to what is necessary" for the stated purpose
• Develop a comprehensive CCTV Data Protection Policy
• Conduct a Data Protection Impact Assessment for extensive surveillance systems

The 2025 ODPC enforcement case involving the Nairobi couple (KES 200,000 fine for CCTV that overreached into a neighbor's property) applies with equal force to workplace CCTV that captures areas beyond the legitimate surveillance zone.

Audio Recording in the Workplace

Audio surveillance raises heightened privacy concerns compared to video-only CCTV. Recording employee conversations without knowledge or consent is likely to violate both the DPA and the Article 31 constitutional right to privacy. The Andrew Alston v Liquid Telecommunications Kenya Ltd ruling (ODPC Complaint No. 1125/2025, February 4, 2026) confirms that even a single voice recording made during an exit consultation, without consent and in defiance of the employee's explicit refusal, exposes an employer to KES 700,000+ compensation orders and enforcement notices.

Employers who record calls for quality assurance or training must obtain explicit consent from employees and inform all callers that the call is being recorded.

Penalties for Employer Non-Compliance

Employers who violate the DPA through unauthorized surveillance face administrative fines of up to KES 5 million or 1% of annual turnover, whichever is lower. Additionally, affected employees may bring civil claims for violation of their constitutional privacy rights and pursue compensation through the ODPC.

Recording in Public Spaces

The rules for recording in public places in Kenya differ from those governing private conversations.

Photography and Filming

Commercial photography and organized filming in public spaces generally require permits. The Official Secrets Act, Cap. 187 prohibits photographing or sketching military installations, government buildings, and other designated sensitive areas. Violations can result in criminal prosecution.

CCTV in Public Areas

Businesses and property owners who install CCTV cameras that capture public areas must comply with the Data Protection Act. The household exemption under the DPA applies only when cameras are installed in a fixed position, do not point toward neighboring property, do not capture a neighbor's residence, and do not monitor movements into or out of another person's home. Once surveillance extends beyond these boundaries, full DPA compliance is required, as confirmed by the 2025 ODPC CCTV enforcement case.

Non-Consensual Intimate Images and Voyeurism

Kenya does not have a standalone voyeurism statute, but two legal frameworks address non-consensual recording and distribution of intimate content.

CMCA Section 37 criminalizes the wrongful distribution of obscene or intimate images, including non-consensual sharing of intimate recordings. The section establishes criminal liability for publication or distribution. As of May 2026, no court decisions have been reported under Section 37 specifically; a number of cases are believed to have been resolved out of court.

Constitutional protection. In MWK v Attorney General, a female minor whose intimate images were forcefully taken and shared on social media by Kenya police officers successfully pursued a constitutional claim. The court awarded MWK KES 4 million in damages and found the actions to be gross violations of constitutional rights to dignity (Article 28), privacy (Article 31), and protection against degrading treatment (Article 29). This case demonstrates that even where statutory remedies under Section 37 are untested, constitutional remedies are available.

The absence of a dedicated non-consensual intimate image law beyond Section 37 is a recognized gap in Kenyan law. The Data Protection Act 2019 provides a supplementary pathway: covert recording and distribution of intimate content without consent constitutes unlawful processing of sensitive personal data and can attract both ODPC enforcement and civil compensation.

Deepfake and AI-Generated Content

Kenya does not yet have enacted legislation specifically targeting deepfakes or AI-generated synthetic media. The CMCA Section 37 (intimate images) provides partial coverage where AI is used to generate and distribute synthetic intimate content without consent.

The Artificial Intelligence Bill 2026 (Senate Bills No. 4 of 2025), tabled before Parliament as of May 2026, proposes to directly address this gap. Under the draft Bill, using AI to replicate a person's image, voice, or likeness without consent -- where it results in harm, defamation, or misinformation -- would be a criminal offence. Proposed penalties: KES 5 million fine or two years imprisonment. Technology providers would also be required to clearly label AI-generated content.

The Bill is before Parliament for debate and has not yet been enacted. Until it passes, deepfake content in Kenya falls under the existing patchwork: CMCA Section 37 (intimate images distributed without consent), constitutional privacy protections under Article 31, and potentially DPA 2019 obligations where biometric-equivalent voice or image data is processed without consent.

Cross-Border Data Transfers and Kenya as a Regional Hub

Kenya has established itself as East Africa's leading technology hub, making cross-border recording and data transfer questions practically significant for multinational businesses.

DPA 2019 Cross-Border Framework

Under the Data Protection Act 2019, recordings constituting personal data may only be transferred to a foreign country, territory, sector, or international organization that provides an adequate level of data protection. The ODPC determines adequacy. Ratification of the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) serves as an indicator of adequacy. Standard contractual clauses and binding corporate rules provide alternative transfer mechanisms.

EU Adequacy Dialogue

In May 2024, Kenya and the European Union launched an adequacy dialogue -- the first such dialogue between the EU and any African country. If Kenya achieves an EU adequacy decision, personal data including recordings may flow freely between Kenya and the EU without additional safeguards. The ODPC has stated that an adequacy decision is likely to attract foreign direct investment and deepen Kenya's role as a regional data processing hub.

ODPC Cross-Border Transfer Guidance

On April 15, 2026, the ODPC opened a public consultation on draft Guidance Notes on Cross-Border Data Transfers, with the consultation period closing on May 15, 2026. The guidance addresses lawful transfer mechanisms, adequacy assessments, and obligations of data exporters. Businesses operating recording or surveillance systems that transmit data outside Kenya should monitor the finalization of this guidance.

Practical Implications

Multinational companies that record calls or collect surveillance data in Kenya and transmit it to servers outside Kenya must conduct an adequacy assessment before each transfer, implement appropriate transfer mechanisms where adequacy has not been established, include cross-border transfer provisions in DPA privacy notices, and comply with the CMCA Section 53 framework if real-time interception of content data is involved.

Government Surveillance and Lawful Interception

Kenya has several statutory frameworks that authorize government agencies to intercept communications under specific conditions.

National Intelligence Service Act 2012

Under Section 42 of the National Intelligence Service (NIS) Act No. 28 of 2012, the Director-General of the NIS may apply ex parte to a High Court judge for a surveillance warrant when there are reasonable grounds to believe the warrant is necessary for national security purposes. Section 36 of the NIS Act permits limiting the Article 31 privacy right for persons suspected of committing an offence, to the extent that their communications may be investigated, monitored, or interfered with.

Prevention of Terrorism Act 2012

Under Section 36 of the Prevention of Terrorism Act 2012 (revised 2023), a police officer of or above the rank of Chief Inspector may apply ex parte to a Chief Magistrate or the High Court for an interception order, with prior written consent from the Inspector-General of Police or the Director of Public Prosecutions. Unauthorized interception under this Act carries imprisonment up to 10 years or a fine up to KES 5 million, or both.

CMCA Sections 52 and 53 (Real-Time Surveillance Orders)

As noted above, the CMCA provides the general police framework for real-time data collection:

Section	Data Type	Maximum Duration	Court Oversight
Section 52	Traffic data (metadata)	6 months (extendable)	Court order required
Section 53	Content data (communications)	9 months	Court order required, proportionality standard

In BAKE v AG [2026] KECA 430, the Court of Appeal upheld both sections but emphasized that judicial oversight must be substantive: "judges must act as vigilant gatekeepers before authorizing intrusive surveillance orders."

Kenya Information and Communications Act

Section 31 of KICA, Chapter 411A, makes it an offence for a licensed telecommunications operator to intercept subscriber messages, disclose message contents, or reveal subscriber account details outside the course of business. Penalty: fine up to KES 300,000 or imprisonment up to three years, or both.

Business Compliance Checklist

Organizations operating in Kenya that record calls, use CCTV, or collect audio or video data should take the following steps to comply with Kenyan law:

1. Register with the ODPC. Data controllers and processors who handle personal data (including recordings) must register with the Office of the Data Protection Commissioner.

2. Obtain consent. Before recording any conversation, phone call, or meeting, obtain clear, informed consent from all participants. Document this consent. For calls, inform callers at the start of the call that recording is taking place.

3. Post notices. For CCTV and other continuous recording systems, post visible notices identifying the data controller, explaining the purpose of recording, and informing individuals of their data subject rights.

4. Limit data collection. Record only what is necessary for the stated purpose. Avoid recording in areas where individuals have a heightened expectation of privacy (restrooms, break rooms, changing areas).

5. Review the ODPC Recorded Media Guidance. The ODPC published Guidance Notes on the Processing of Publications of Recorded Media in November 2025. Organizations handling media recordings should ensure their policies align with this guidance.

6. Conduct impact assessments. For extensive surveillance systems, conduct a Data Protection Impact Assessment as required by the DPA.

7. Establish retention policies. Define how long recordings will be stored and when they will be deleted. The DPA requires that personal data not be kept longer than necessary.

8. Secure recordings. Implement appropriate technical and organizational measures to protect recorded data from unauthorized access, disclosure, or destruction.

9. Assess cross-border transfers. If recordings are transmitted outside Kenya, conduct an adequacy assessment and implement appropriate transfer safeguards. Monitor the ODPC's finalised Cross-Border Data Transfer Guidance (consultation closed May 2026).

10. Train employees. Ensure staff understand recording policies, consent requirements, and the consequences of unauthorized recording.

Penalties Summary

Law	Offence	Fine	Imprisonment
CMCA 2018, Section 17	Unauthorized interception	Up to KES 10 million	Up to 5 years
CMCA 2018, Section 17 (aggravated)	Interception threatening public safety	Up to KES 20 million	Up to 10 years
CMCA 2018, Sections 22-23	False publications online	[Struck down -- unconstitutional, BAKE v AG, March 2026]	[Struck down]
DPA 2019	General data protection offence	Up to KES 3 million	Up to 10 years
DPA 2019	Administrative fine (ODPC)	Up to KES 5 million or 1% turnover	N/A
KICA, Section 31	Telecom operator interception	Up to KES 300,000	Up to 3 years
Prevention of Terrorism Act, Section 36	Unauthorized interception (terrorism context)	Up to KES 5 million	Up to 10 years
AI Bill 2026 (pending)	Deepfake / synthetic voice-image without consent	Up to KES 5 million (proposed)	Up to 2 years (proposed)

---

This article presents general legal information about recording laws in Kenya as of May 2026. It does not constitute legal advice. Kenya's legal framework is evolving rapidly: the CMCA was amended in October 2025, the Court of Appeal issued a landmark ruling in March 2026, and the AI Bill 2026 is before Parliament. For advice on a specific recording situation, consult a lawyer licensed to practice in Kenya.