The Office of the Data Protection Commissioner (ODPC) has published draft sector-specific guidelines for the transport industry, potentially paving the way for tighter regulation of how passenger and operational data is managed within Kenya’s road transport sector.

The proposed guidelines, released on Thursday, April 16, 2026, remain open for public and stakeholder consultation, seek to ensure that transport operators comply with the Data Protection Act, 2019, especially in relation to the growing use of digital platforms and systems for collecting and processing personal information.

“This guidance has been developed to support transport operators, including public transport providers, private bus and matatu companies, matatu SACCOs, freight and logistics firms, taxi-hailing and ride-hailing platforms, rail operators, aviation service providers, and maritime operators, in ensuring legal compliance, upholding privacy rights, and mitigating the risks associated with the processing of personal data,” the regulations read in part.

The proposed rules are expected to affect a wide range of players, including matatu SACCOs, long-distance bus companies, logistics firms, and ride-hailing platforms that rely heavily on customer information for daily operations.

Under the draft framework, transport operators will be required to clearly define how they collect, store, process, and share passenger data, including phone numbers, identification details, and digital payment records.

ODPC is also pushing for stronger consent mechanisms, meaning commuters may need to be explicitly informed about how their data is used, especially in cashless fare systems and mobile booking platforms.

Digital ticketing system

The guidelines further highlight cross-border data transfers, an issue likely to impact transport and logistics companies that operate regional routes or use cloud-based systems hosted outside Kenya.

Transport firms may also be required to appoint or designate Data Protection Officers (DPOs) to oversee compliance, a move that could increase operational costs for smaller operators and Saccos.

Digital ticketing systems, stage management apps, and automated fare collection tools are also expected to come under closer scrutiny to ensure they meet minimum data protection standards.

As it stands, most transport companies have digital apps and fare collection systems that are yet to be controlled under the law on how they handle sensitive passenger data, including user prompt services.

ODPC says the draft guidelines are intended to enhance accountability and safeguard commuters’ privacy as the transport sector becomes more digitised and data-driven.

However, stakeholders are expected to raise concerns over implementation costs, especially for informal operators who may lack the technical capacity to fully comply with the new requirements.