The CA Wants Your Most Personal Markers for a SIM Card, and the Industry Is Scrambling to Understand What That Means

Kenya’s proposal to fold DNA analysis, blood type, and detailed physiological markers into routine SIM registration has unsettled a sector used to narrow identifiers. What began years ago as a simple check of names and ID numbers now touches the deepest layers of individual biology. The Communications Authority’s draft rules present this expansion as a compliance step, yet the scale alters the relationship between citizens, operators, and the state.

The regulations require operators to collect far more than surface-level identifiers. They describe an array of biological traits, from fingerprints and retinal scans to vocal patterns. Such data sits high on global risk lists because it cannot be replaced once exposed. Analysts say the country’s telecommunications firms were never built to manage vaults of genetic and physiological records. Most observers note the gap between the sensitivity of the information and the systems expected to protect it.

A burden of responsibility the sector has not carried before

Operators must store subscriber biometrics, update them, and submit records to the regulator every quarter. They must also provide system access for verification. These obligations move operators closer to custodians of national identity while still functioning as commercial entities with competitive pressures and varying levels of technical maturity.

A senior analyst described the situation as an overreach that loads private companies with risks they cannot fully control. For telcos, the concern is not only the immediate cost of compliance. It is the blow to trust if customers believe their most sensitive traits are held in multiple private databases. Kenya’s Data Protection Act emphasises minimal collection for a specific purpose, yet the draft rules point in a different direction. That tension now sits at the centre of industry debate.

Where law, practice, and public expectation pull in different directions

The Office of the Data Protection Commissioner has long advised that firms should collect the smallest possible amount of personal data. Sensitive biological information is meant to be restricted further, used only when absolutely necessary and discarded once its purpose is met. By contrast, the proposed regulations treat biometric records as standard registration material to be retained and reported.

Legal experts say this creates a structural mismatch. The rules delegate identity-management duties to companies without providing a clear framework for how those duties intersect with the state’s own protections. Operators would be managing databases that governments in other jurisdictions reserve for centralised agencies with specialised security mandates.

An industry that had been moving toward privacy now faces a reversal

Kenyan banks, fintech firms, and mobile money providers have spent years reducing the amount of personal information in circulation. Banks mask account identifiers. Fintechs have adopted tokenisation. Safaricom attempted to hide phone numbers used in Till and PayBill systems, although that feature stalled under regulatory limits. Airtel has tried to restrict collection to what is strictly necessary and to anonymise data wherever possible.

These efforts built a narrative of restraint. The draft rules undercut it. Firms that had been trimming their exposure now confront a framework that expands it, creating a contradiction that affects how subscribers perceive the industry’s integrity.

The broader tension now shaping Kenya’s digital future

The debate over Kenya’s SIM data regulations is not only about compliance. It reflects the direction of national identity in a digital economy where boundaries between private systems and public oversight are shifting. Operators sit at the centre of this tension. They are being asked to secure the most intimate attributes of millions of people while also remaining efficient, competitive businesses.

Nothing about Kenya’s digital landscape appears settled. The regulations have opened a negotiation about the limits of data collection, the responsibilities of commercial actors, and the safeguards required when biological identity becomes part of everyday infrastructure. The stakes now move beyond the mechanics of registration and into a discussion about how a connected nation defines personal privacy in an era of expanding identification tools.

Go to TECHTRENDSKE.co.ke for more tech and business news from the African continent.

Follow us on WhatsApp, Telegram, Twitter, and Facebook, or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates. Send tips to editorial@techtrendsmedia.co.ke