NAIROBI, Kenya, Nov 19 — Kenya’s newly revised SIM-card registration rules have generated public anxiety after it emerged that the law’s definition of “biometric data” explicitly lists deeply sensitive identifiers such as DNA profiles, retinal scans, fingerprinting, voice recognition and even earlobe geometry.But while these terms appear in the definitions section of the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, they do not translate into any requirement for telecommunications operators to collect such data during SIM registration.The regulations — which came into force on 30 May 2025 via Legal Notice No. 90 — overhaul Kenya’s SIM-card registration framework, revoke the 2015 rules and introduce tighter verification, stricter record-keeping and clearer compliance timelines aimed at curbing fraud and misuse of communications services.Biometric data and what it meansThe concern stems from Regulation 2, which defines biometric data as “personal data resulting from specific technical processing” and lists DNA analysis, fingerprinting, retinal scanning, blood typing, earlobe geometry and voice recognition as examples.However:This list appears only in the definition section, not in the operative provisions.No regulation (Reg. 4–22) instructs telcos or agents to collect, store or process biometric identifiers.Registration continues to rely on document-based verification, not biometric capture.The Communications Authority (CA) has reiterated in a statement on Tuesday.“The new SIM Card Regulations do not contain any provision requiring the collection of biometric data.”Document-based registrationUnder Regulation 5, operators or accredited registration agents must only collect original identification documents, depending on the subscriber category:Kenyan adults: recognised national ID documents.Children: child’s birth certificate + parent/guardian’s ID.KDF members: Service Card.Foreign nationals: Passport or Foreign National Registration Certificate.Refugees: Refugee ID.Stateless persons: Birth certificate or ID issued under the Immigration Act.Companies: Certificate of Incorporation.Proxy registration (Reg. 9) is banned except for parents/guardians registering for minors.Strict rules for SIM-cards registered to children (Reg. 6)Parents/guardians remain the legal subscribers until the child turns 18.Telcos must periodically flag SIM cards registered to minors.Once a child reaches 18, they have 90 days to update details; failure leads to suspension.Mandatory verification against government databases (Reg. 7–8)Operators must:Verify identification details against relevant government databases;Require in-person appearance if needed;Enter and securely store registration particulars (Form 1 in the Schedule);Update subscriber records as required in Reg. 11.Failure to verify information is an offence.Updates, false information and offencesSubscribers must notify operators of any change within 30 days (Reg. 11).Operators must update records within 7 days.Providing false information is an offence (Reg. 11(3)).Any unaccredited person conducting registration commits an offence (Reg. 4(2)).General penalties (Reg. 20):Up to Sh 1 million fine, orUp to 6 months imprisonment, orBoth.Record-keeping, repositories and audits (Reg. 12–15)Operators must maintain:Lists of all registration agents;Up-to-date records linking every SIM card to the agent who registered it;A repository of registration details and copies of ID documents (Reg. 13).Additionally:Quarterly reports and annual reports must be submitted to the CA (Reg. 14).The CA may access systems, premises, files and data without restriction for compliance inspections (Reg. 15).Suspension, deactivation and customer rights (Reg. 16–18)Suspension procedure:Operators must issue a personal notice giving subscribers 14 days to comply (Reg. 16).Further notices may be published nationwide.If the subscriber does not act within 90 days, the operator must deactivate the SIM.Grounds for deactivation (Reg. 17):Non-response to suspension for 90 days;Subscriber request;Proven false information.False registration complaints (Reg. 18):Anyone may lodge a complaint using Form 2.CA has 30 days to investigate.Operators must offer the accused subscriber a fair hearing before deactivation.Data protection obligations (Reg. 19)The law reinforces strict safeguards:Telcos must secure all personal data and report their security strategies within 60 days of the regulations’ commencement.They must verify the accuracy of subscriber databases as the CA may require.All obligations operate alongside the Data Protection Act, 2019.Transition rules for existing subscribers (Reg. 21)All pre-2025 subscribers must be brought into compliance within 6 months of commencement.Non-compliant users must be notified and eventually suspended.Subscribers have rights to request reviews and appeal decisions to the CA within 30 days.The 2025 Regulations significantly tighten documentation, verification, audit and compliance requirements — but they do not require telcos to collect fingerprints, DNA, retinal scans or any other biometric samples.The controversial biometric definitions sit purely in the interpretation clause and have no operational effect on the SIM-registration process as prescribed.