Ride-hailing services are a key precept of Kenya’s transport ecosystem, reshaping how people move, pay, and access mobility services. Platforms such as Uber, Bolt, Little, and other digital ride-hailing applications have introduced unprecedented convenience, efficiency, and flexibility into the transport sector. With this convenience comes a fast-expanding data ecosystem that continuously collects, processes, and analyses vast amounts of personal information. Every trip generates a stream of sensitive data, including real-time location tracking, pick-up and drop-off points, payment details, device identifiers, and behavioural patterns. As ride-hailing platforms increasingly operate as data-driven businesses rather than purely transport intermediaries, the question of how this data is governed has become critical. 

The Office of the Data Protection Commissioner (ODPC) has issued sector-specific guidance for transport services, including ride-hailing operators, under the Data Protection Act, 2019. This guidance provides a clear regulatory framework outlining how personal data should be collected, processed, stored, and shared. Anchored on key principles such as data minimisation, purpose limitation, lawful processing, transparency, and accountability. For ride-hailing companies, this represents a significant shift in how they must structure their operations. Data can no longer be treated as an unlimited asset for commercial exploitation but must instead be handled within clearly defined legal and ethical boundaries. 

Salient Features of the Guidance Note  

One of the most significant concerns highlighted in the Guidance is the risk associated with continuous location tracking. While GPS technology is essential for enabling ride-matching, navigation, and trip monitoring, it also creates the potential for excessive surveillance. If not properly regulated, platforms may retain detailed movement histories of users long after a trip has ended. This raises concerns about the creation of behavioural profiles that could be used for purposes beyond service delivery. The ODPC emphasises that such data must only be collected to the extent necessary and retained only for as long as is strictly required. 

Closely linked to this is the issue of algorithmic profiling and automated decision-making. Ride-hailing platforms rely heavily on algorithms to determine pricing, allocate drivers, assess risk, and rank users or drivers. While these systems improve efficiency, they also introduce opacity into decision-making processes. Passengers and drivers may not fully understand how fares are calculated or why certain trips are assigned or denied. The guidance underscores the need for transparency and lawful justification for such processing, ensuring that individuals are not subject to unfair or unexplained automated decisions. 

Another key area of concern is data sharing with third parties. Ride-hailing platforms typically rely on a complex ecosystem of external service providers, including payment processors, mapping services, cloud infrastructure providers, and analytics firms. Each of these relationships introduces additional layers of data exposure. Without strict contractual safeguards and oversight mechanisms, personal data may be transferred beyond the original purpose for which it was collected. The ODPC guidance requires operators to ensure that any third-party processing is governed by clear agreements and remains fully compliant with Kenyan data protection law, including restrictions on cross-border transfers. 

Marketing practices also fall under increased scrutiny. Ride-hailing companies often seek to use trip data to promote services, offer discounts, or target users with personalised advertising. However, the guidance makes it clear that personal data collected for the purpose of facilitating transport services cannot automatically be repurposed for marketing. Any such use must be grounded in a lawful basis, most commonly explicit and informed consent. This means users must actively opt in to marketing communications, and consent must be specific, informed, and revocable at any time. Silent enrolment or bundled consent within general terms and conditions is not sufficient. 

At the heart of the guidance is the recognition that passengers and drivers are not merely users of a service but rights holders under the Data Protection Act. Individuals have the right to be informed about how their data is collected and used, the right to access their personal data, the right to correct inaccuracies, and the right to object to certain forms of processing, including direct marketing and profiling. In certain cases, they may also request deletion of their data where it is no longer necessary for the purpose for which it was collected. These rights fundamentally shift the power dynamics between platforms and users, placing greater emphasis on transparency and accountability. 

For ride-hailing operators, compliance is not simply a legal obligation but a structural requirement that affects system design and business operations. Platforms are expected to embed data protection principles into their systems from the outset, ensuring that only necessary data is collected, stored securely, and retained for limited periods. They must also implement robust cybersecurity measures, establish clear breach notification procedures, and ensure strict oversight of all third-party data processors. Importantly, data protection must be treated as a governance issue, not merely an IT function. 

Conclusion  

Ultimately, the ODPC guidance signals a broader shift in Kenya’s digital transport economy. Ride-hailing is no longer just about moving passengers efficiently from one point to another; it is about managing sensitive personal data responsibly in a highly digitised environment. Trust is becoming a defining factor in the sustainability of these platforms. Companies that fail to respect privacy risk eroding user confidence and facing regulatory sanctions. Conversely, those that embed strong data governance practices are likely to build stronger, more resilient relationships with both passengers and drivers. Efficiency cannot come at the expense of privacy. The future of ride-hailing in Kenya will depend not only on technological innovation but also on how well platforms balance commercial ambition with the fundamental rights of the individuals they serve.