Overview of Kenya’s New Gambling Regulatory Framework
The rapid rise of gambling activities in Kenya is undeniable. This has majorly been propelled by punters’ prospects of attaining economic benefits. Due to this rise, the government has subsequently reigned in on the sector heavily to regulate various aspects around it such as licensing, taxation, marketing, anti-money laundering and data protection among many others.
The Gambling Control Act, 2025 (the “Act”) was recently enacted to usher in a more robust and coherent framework for gambling regulation in Kenya. To give effect to the Act, the government has also proposed additional regulations constituting: the Gambling Control (Licensing) Regulations, 2026; the Gambling Control (Conduct of Gambling Operations) Regulations, 2026; the Gambling Control (National Lottery) Regulations, 2026; the Gambling Control (Advertising) Regulations, 2026; the Gambling Control (Gambling Appeals Tribunal) Regulations, 2026; and the Gambling Control (Foreign-Based Operators) Regulations, 2026 (Collectively herein referred to as “Proposed Regulations”).
Data Protection Obligations Under the Act and Proposed Regulations
The Act and the Proposed Regulations lay a significant emphasis on data protection and keenly direct operators to adhere to provisions of the Data Protection Act (Cap. 411C). This is timely and necessary given that gambling players such as betting platforms and online casinos interact with millions of Kenyans on a daily basis and process their personal data. Section 11 of the Act prescribes for the cabinet secretary in charge of the sector to make guidelines for the operation of facilities used for gambling. A key issue of note is that such guidelines must outline data protection and information arrangements adopted by the respective facilities. Additionally, Section 68 of the Act requires that every licensed online gambling operator’s control system must include robust online security of information and be compliant to the Data Protection Act (Cap. 411C).
To complement the Act, the Proposed Regulations also contain an array of data protection considerations for operators. If passed into law, they will require applicants for various gambling licenses to provide documentation such as data protection certificates, data protection policies, privacy statements and privacy-compliant terms and conditions before their applications can be approved. Licensed operators, on the other hand, will be expected to keep data protection reports as part of the records that they maintain for inspection.
The Proposed Regulations further underscore that operators shall be mandated to encrypt the personal and financial data of players or punters when such data is at rest or in transit. Key among the proposals is also the requirement for the confidentiality of winners to be protected and not be disclosed without written consent, a court order or a legal requirement.
The Act, Proposed Regulations and recent regulatory actions highlight that gambling licensees can no longer take a back seat on data protection. The players have no option but to be proactive in adhering to not just the provisions of the new gambling laws but also to foundational laws such as Article 31 of the Constitution of Kenya and Data Protection Act (Cap. 411C).
The Data Protection Act (Cap. 411C) has wide tentacles that cover the activities of gambling operators in Kenya. Notably, it applies to the processing of personal data by a data controller or processor whether through automated or non-automated means. The law also applies to any data controller or processor who is established or resident in Kenya and processes personal data while in Kenya. Additionally, its application extend to data controllers or processors who are not established or resident in Kenya processes personal data of data subjects located in Kenya. Betting and gambling operators fall under this wide ambit as they collect and process millions of personal data on a daily basis.
Practical Implications and Enforcement Trends in Data Protection
Some of the rights of data subjects that gambling operators must be keen to adhere to include the right to be informed of the use of personal data, the right of access, the right to object the processing of data, the right to correction of false or misleading data, the right to erasure and the right to portability. In addition to these rights, Section 25 of the Data Protection Act (Cap. 411C) provides for certain principles that guide data protection compliance for all controllers and processors. These include lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, data privacy and integrity & confidentiality.
The above legal framework on data protection is in no way only theoretical. It is very much practical and applicable. As recently as 2025, the Office of the Data Protection Commissioner issued rulings against Betika and Sportpesa. The liability against Betika came about because the company’s failure to facilitate a data subject’s right to erasure by deleting his account at request. According to the ODPC’s determination, they had instead asked the subject for unnecessary information in breach of the data minimization principle too. The circumstances were similar in the case against Sportpesa too where the company was penalized by the ODPC due to its delay in facilitating a data subject’s request for account closure in a timely manner.
The two cases reveal an increasing enforcement trend by the ODPC and emphasizes the need for gambling operators to keenly adhere with the increasing statutory demands on data protection.
Call to Action for Stakeholders:
1. Prioritize Data Protection Compliance - ensure full alignment with the Data Protection Act (Cap. 411C) and embed privacy-by-design in all systems and processes.
2. Strengthen Internal Controls and Security - implement robust data security measures including encryption, access controls and regular data protection audits.
3. Enhance Responsiveness to Data Subject Rights - establish efficient mechanisms to promptly handle requests such as data access, correction and erasure to avoid regulatory penalties.
4. Engage in public participation on the Proposed Regulations to share any recommendations or improvements with the rightful authorities.
Contact us!
At CM Advocates LLP, we provide stakeholders in the gambling sector with tailored advice and compliance support as Kenya transitions into this new regulatory framework. For further guidance or assistance in navigating the transition to the new Gambling Regulatory Authority, please contact our Betting, Lotteries and Gaming Practice Group at law@cmadvocates.com or the contributor below.
Contributor
Brandon Otieno, Senior Associate
Email: botieno@cmadvocates.com
Head Office – Nairobi, Kenya
I&M Bank House, 7th Floor, 2nd Ngong Avenue
E: law@cmadvocates.com
Mombasa & Nyali Offices – Kenya
Links Plaza, 4th Floor, Links Road, Nyali
E: mombasaoffice@cmadvocates.com
Regional Coverage
Uganda | Tanzania | Rwanda | Zambia | Ethiopia | South Sudan