Five years. Over 200 million touchpoints. One stubborn gap.

Kenyans know they have data rights. But most still don’t know how to use them.

That is the finding driving everything we do next.

The Journey That Got Us Here

When we launched Ficha Uchi in 2021, we were trying to solve a translation problem. “Data protection” is a technical phrase that lives in policy papers and legal frameworks. But ficha uchi — hide your nakedness — is something every Kenyan understands immediately. Just as no one walks into a matatu stage without clothing, no one should move through digital spaces without cover.

That instinct turned out to be right. Over four phases and five years, the campaign has reached over 200 million people across online platforms, community radio, and grassroots activations in counties from Nairobi to Kilifi. We have run focus groups, trained Data Champions, partnered with influencers, and gone live on radio stations in nine counties.

And the numbers show it is working — up to a point.

A landmark report from Amnesty International Kenya was published five years after the enactment of the Data Protection Act 2019. Drawing on focus group discussions and key informant interviews across 10 counties, the report found that while Kenya’s legal framework is strong, its real-world impact remains limited by low public awareness, weak enforcement, and insufficient regional presence of the ODPC. Critically, few citizens knew how to report a data violation, and none of the study’s participants had ever done so.

These findings are supported by a GeoPoll survey published in April 2026 (n=1,813) that confirmed what our own engagements have been telling us:

• 73% of Kenyans have heard of the Data Protection Act
• 90% say they want to learn more about data protection
• 54% have experienced mobile money fraud

But here is the gap that matters most:

• Only 36% say they understand very well how companies use their personal data

Awareness has scaled. Behaviour has not followed.

What Five Years of Learning Taught Us

Each phase of Ficha Uchi has added a new layer of understanding.

Phases 1 and 2 proved that scale is achievable online, and that humour and relatability are the currency of sharing. Reaching 115 million people in a single phase was not an accident, but the direct result of making data protection feel personal, funny, and real.

Phase 3 taught us something harder: reach without depth has limits. Our Kilifi hyperlocal model, built around community radio and trained Data Champions, showed that when you go deep rather than wide, something shifts. People start connecting the information to their own lives. They start asking questions. They start recognising that they have been affected.

But it also revealed the barriers that scale alone cannot overcome:

• Most people still do not know the Office of the Data Protection Commissioner (ODPC) exists, let alone that they can report violations and receive compensation
• People routinely hand over personal data in exchange for small gifts or services without thinking twice
• Cultural norms around openness make privacy feel foreign or even antisocial
• Shame stops victims from reporting scams

The regional pilot in Tanzania and Uganda confirmed that this is not uniquely a Kenyan challenge. The appetite is there across East Africa. But one month of engagement is not enough to build lasting behaviour change.

A Conversation That Reaffirmed Our Direction

Earlier this month, we had the opportunity to present the Ficha Uchi journey at the Global Data Festival and the Kenya Space Expo & Conference (KSEC) in Nairobi. This gathering brought together practitioners working in data and technology from across the world, with strong representation from governments, multilateral organisations, businesses, civil society, academia, and innovators.

The conversation that emerged was striking in its consistency.

Colleagues from Mexico and Zimbabwe described remarkably familiar landscapes: populations with low awareness of their rights, citizens who feel largely passive in the face of data collection, and a persistent gap between what the law promises and what people actually experience. The challenge, as one contributor put it, is not simply whether countries have data protection laws. The challenge is whether ordinary citizens understand how their data is collected, used, shared, and sometimes misused.

What we shared from Kenya — that awareness grows when data protection becomes personal, and that communities are not passive recipients of information but active agents involved in designing solutions — resonated widely. Local language, local context, and locally-led conversations make data protection more relevant, more relatable, and more durable.

The session reinforced something we had already learned from Kilifi: the future of data protection will not be determined in boardrooms alone. It will be shaped in communities, schools, marketplaces, and local forums where citizens learn not only their rights, but how to exercise them.

We came away from the Global Data Festival more certain than ever that the approach we are taking into Phase 4 is the right one.

The Enforcement Era Has Arrived

There is a second reason Phase 4 carries more urgency than any previous phase: Kenya’s legal landscape has fundamentally changed.

The ODPC has now issued 357 determinations, 134 enforcement notices, and 20 penalty notices. In January 2026 alone, it issued 184 compensation orders to Kenyans whose personal data was mishandled. In 2025, organisations paid over KES 30 million in compensation for privacy violations.

The cases being prosecuted are not abstract. They are about things Kenyans deal with every day.

A prominent digital lender was fined KSh 5 million after nearly 150 complaints — including reports that it contacted borrowers’ family members claiming the borrower was suicidal to pressure repayment. Three banks were fined a combined KSh 650,000 for illegally sharing a borrower’s loan details and contact information without consent. A telecoms provider was fined KSh 500,000 for continuing to send promotional messages to a former customer who had repeatedly asked to be removed — and its directors were recommended for criminal prosecution for obstructing investigators.

The Business Laws (Amendment) Act 2024, which came into effect on 1 January 2025, elevated debt harassment to a criminal offence. Lenders now face criminal liability, not just administrative fines.

Citizens have more legal power than they have ever had. Most still do not know it.

What Young Kenyans Are Actually Facing

Phase 4 is also being shaped by something we have heard consistently in every county engagement, every radio activation, and every focus group: the lived reality of digital fraud.

The loan app scenario is now almost universal among Kenyans aged 18–35. Many have used a mobile loan app or know someone who has. And many know what happens when repayment is late: the app harvests your contacts and calls your mother, your employer, or your church group to shame you about a KSh 2,000 debt. This is happening constantly, yet almost no one knows they can report it, receive compensation, and that the lender can now face criminal charges.

Beyond loan apps, 2025 introduced a new wave of fraud patterns that are directly tied to data vulnerability:

WhatsApp and Telegram job groups targeting young people desperate for income, offering KSh 1,500–6,000 a day for liking videos or completing surveys, then disappearing after collecting a small “activation fee” via M-Pesa. Fake investment apps that pulled KSh 33.6 million from Kenyans in a single three-week period. Scammers infiltrating neighbourhood and church WhatsApp groups to harvest contacts and launch fake emergency appeals using compromised admin accounts.

And at the most extreme end: around 400 Kenyans have been repatriated from scam compounds in Asia after being lured by fraudulent job adverts on Facebook and Instagram — cases that began as data and financial fraud and ended in physical trafficking.

This is the reality Phase 4 is designed to meet.

Phase 4: From Awareness to Action

The tagline for this phase is deliberate: From Awareness to Action.

Ficha Uchi Phase 4 will deepen and expand the campaign’s work with its existing Kenyan audience, specifically moving people from knowing their rights to exercising them. It will use the formats that the previous phases proved work — humour, relatability, influencers, community radio, hyperlocal engagement — but with a sharper focus on practical steps.

What does this mean in practice?

It means moving beyond awareness to helping people exercise their rights under Kenya’s Data Protection Act, 2019. It involves amplifying public understanding of the rights granted to data subjects, including the right to be informed, the right to access their personal data, the right to object to processing, the right to correction and deletion of data, and the right to lodge complaints when their privacy rights have been violated. It includes explaining how these rights apply in everyday situations, and raising awareness of the available reporting and redress mechanisms when those rights are violated.

The goal is not simply to know these rights, but to understand how they protect individuals in their daily interactions. Show people exactly how to report a violation to the ODPC, what to say, and what to expect. Create stories around the scenarios young Kenyans are actually encountering, and the real legal tools that exist to fight back. Ultimately, the objective is to build the kind of community-level presence that the Kilifi model showed can move people from passive awareness to active engagement.

The insight from the Global Data Festival, from Kilifi, from five years of campaign learning, and from the enforcement data coming out of the ODPC all point in the same direction: the message is not the problem. The gap is the bridge between knowing and doing.

Ficha Uchi is a campaign by the Open Institute. Follow the campaign on social media using #FichaUchi and visit us at https://fichauchi.org to learn more, access resources, and find out how to report a data violation.