Kenya's data regulator ordered ESHE Community to pay KES 50,000 and remove promotional TikTok and Instagram videos after publishing a doctor's photo without verified consent.
Kenya's Office of the Data Protection Commissioner has found a health and wellness platform liable for publishing a professional's full name and photograph in promotional videos on TikTok and Instagram without obtaining documented, specific consent - and ordered it to pay KES 50,000 in compensation. The determination, dated 4 February 2026 and signed by Data Commissioner Immaculate Kassait, SC, MBS, is referenced as ODPC Complaint No. 1724 of 2025.
The case, Ian Itolondo Mutoro versus Waithera Imani alias Cera Imani, trading as ESHE Community, illustrates a question that digital marketers across Africa are increasingly confronting: when does featuring someone in a branded social media post cross the line from promotional activity into an unlawful processing of personal data?
According to the determination, the complainant lodged a formal complaint with the Office on 6 November 2025. He alleged that on 23 September 2025, the respondent published a video on Instagram and TikTok promoting ESHE - a health and wellness platform available through the Apple App Store and Google Play Store - which displayed his full name and photograph. The complainant stated that he did not at any time consent to the collection, use, or disclosure of his personal data for promotional or marketing purposes on social media platforms. He said the respondent proceeded to process and publish his data without lawful authority.
The complainant submitted that the publication unlawfully associated him with a commercial product without his authorisation and consequently created a misleading public impression that he had endorsed or was affiliated with ESHE. He described the disclosure as causing emotional distress and reputational harm, and said that his identity was exposed to the public in circumstances beyond his control.
The publication also, according to the complainant, exposed him to risks of impersonation, misrepresentation, and further unauthorised use of his personal data by third parties. He submitted that the respondent's actions violated the principles of lawfulness, fairness, transparency, purpose limitation, and consent as provided under the Data Protection Act and the Data Protection (General) Regulations, 2021.
The complainant sought six forms of redress: immediate removal of the video and any related content containing his personal data; investigation of the respondent for unlawful processing and disclosure; enforcement action under the Act; compensation for emotional, reputational, and potential social harm suffered; preventive measures to avert recurrence; and written confirmation from the Office upon completion of corrective action.
The Office notified the respondents of the complaint by a letter dated 15 December 2025, referenced ODPC/CIE/CON/2/1 (927). The respondent submitted a response, averring that the individual referenced in the complaint had, prior to the publication, expressly consented to being featured on the ESHE digital application and in related promotional activities.
The respondent states that, at the material time, the complainant requested to be included on the application as a medical professional and, further, requested to receive referrals and client leads through the platform. Consequently, the respondent argued, his inclusion was for purposes aligned with his own professional exposure and client acquisition.
The respondent also avers that the ESHE application is a publicly accessible platform available to users via the Apple App Store and Google Play Store, and therefore visibility of professionals listed on the platform is inherent to its operation. With respect to the video itself, the respondent states that the complainant was aware of the content prior to publication, that the video was shared with him in advance, and no objection was raised at that time.
Further, the respondent submits that the complainant's professional information, including his name, photographs, and practice details, is publicly available through independent sources, including general internet search engines and publicly accessible professional listings. The respondent adds that, at no point, was there any intention to misuse personal data, cause distress, mislead the public, or infringe upon the complainant's privacy or data protection rights.
Nonetheless, without admission of liability, the respondent states that it is willing to remove the referenced video and any related content from all platforms as a goodwill measure, solely to avoid further dispute and bring the matter to an amicable conclusion. The respondent also avers that it continues to review and strengthen its internal processes on content approval, documentation of consent, and data protection compliance.
The complainant's rejoinder struck at the core of the respondent's defence. According to the determination, the complainant avers that the respondent has failed to demonstrate the existence of any explicit, informed, and voluntary consent for the use of his image and personal details in the promotional video published by ESHE. The respondent merely alleges prior consent without producing any documented, verifiable, or auditable record to support such a claim.
The complainant further submits that the respondent's assertion that it is "reviewing and strengthening internal processes" relating to content approval, documentation of consent, and data protection compliance confirms that, at the material time, its processes were inadequate and contributed directly to the misuse of the complainant's personal data. Consequently, the respondent cannot rely on post-incident improvements to sanitize unlawful processing that had already occurred.
On the right to object, the complainant states that upon discovering the publication, he immediately contacted the ESHE Chief Growth Officer to object to the processing and to request removal of the video. However, his objection was dismissed and the content remained accessible on TikTok and Instagram. Consequently, the respondent disregarded the complainant's statutory right to object to processing under the Data Protection Act, 2019.
The TikTok and Instagram videos, according to the complainant, caused significant emotional and reputational harm. Moreover, persons who viewed the video approached him with inappropriate and uncomfortable commentary, resulting in embarrassment and psychological distress. He submits that the video contained false and misleading statements, including an inappropriate, inaccurate representation of his professional role.
The determination works through two distinct legal questions: whether valid consent existed, and whether the processing was for commercial purposes.
On consent, the Office applied Section 2 of the Data Protection Act, which defines consent as "any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject." Section 32(1) places the burden of proof on the data controller or processor to establish a data subject's consent for a specified purpose.
The Office found that the respondent did not provide any documentary, verifiable, or auditable evidence demonstrating that the complainant gave express, informed, and specific consent for the use of his name and image in social media promotional videos on TikTok and Instagram. The Office notes that consent to be listed on a digital application does not, without more, amount to consent for commercial advertising on external social media platforms. Each processing purpose requires distinct, specific, and informed consent.
The respondent's own admission that it was reviewing and strengthening its consent management practices confirmed to the Office that, at the material time, its consent management practices were inadequate.
On commercial purposes, the Office applied Section 37(1)(a) of the Act, which provides that a person shall not use personal data for commercial purposes unless express consent has been obtained from the data subject. Regulation 14(1) of the Data Protection (General) Regulations, 2021 defines commercial use as processing that advances commercial or economic interests, including inducing persons to join, subscribe to, or obtain products or services, or to enable a commercial transaction. The purpose of the publication was to market the ESHE platform and attract users and clients. The Office therefore finds that the respondent used the complainant's personal data for commercial and promotional purposes within the meaning of Section 37 and Regulation 14.
The Data Commissioner's final determination, dated 4 February 2026, contains four operative orders. The respondent is found liable. The respondent is ordered to pay the complainant KES 50,000 (Kenya Shillings Fifty Thousand) as compensation. The respondent is directed to pull down the complainant's personal data from the social networks within fourteen (14) days and furnish proof of the same, or an Enforcement Notice shall issue. Parties have the right to appeal this determination to the High Court of Kenya within thirty (30) days.
The compensation figure draws on Section 65 of the Act, which provides that a person who suffers damage by reason of a contravention of a requirement of the Act is entitled to compensation for that damage from the data controller. Section 65(4) states that "damage includes financial loss and damage not involving financial loss, including distress."
The case carries practical implications well beyond Kenya. The central legal question - whether consent to appear on a digital platform constitutes consent to appear in social media promotional content - is one that brands and creators face globally, and regulators are answering it consistently in the negative.
Sweden's consumer watchdog has been documenting persistent non-compliance in influencer marketing, with enforcement cases numbering in the dozens from a single operation. Austria's IAB Creator Hub published the country's first influencer marketing rulebook in March 2026, specifically addressing GDPR compliance and consent documentation requirements. IAB Polska's guide for nano and microinfluencer campaigns, released in March 2026, similarly addresses legal and tax obligations for content creators. These are not isolated national discussions - they reflect a structural tightening of consent rules across markets.
The ESHE case adds an African data protection enforcement action to this pattern. Kenya's Data Protection Act, enacted in 2019, mirrors several key principles from the GDPR: purpose limitation, consent specificity, and data subject rights including the right to object. The Office of the Data Protection Commissioner was established under Section 5 of the Act and is mandated to regulate the processing of personal data, ensure principles set out in Section 25 are applied, and protect the privacy of individuals.
What the determination makes explicit is the concept of purpose-specific consent. Registration on a professional platform is not a blanket licence for the platform to use that registration in external advertising campaigns on TikTok or Instagram. Marketers who maintain databases of professionals, patients, customers, or any other individuals and draw on those records to create social media promotional content face this same constraint under data protection frameworks from Nairobi to Berlin.
The respondent's argument that the complainant's information was publicly available - searchable via internet search engines and professional listings - was not accepted as a defence. The Office determined that the respondent did not introduce private or confidential data into the public domain, but also found that public availability does not constitute consent for commercial processing. That distinction is critical for digital marketers who build audience segments from publicly accessible professional data.
The evidence burden question is equally significant. Under Section 32(1) of Kenya's Act, it is the data controller who must establish that consent was obtained. Informal understandings, verbal agreements, and the mere absence of objection prior to publication are not sufficient. The respondent's own conduct after the complaint - removing content as a goodwill measure - did not, in the Office's view, absolve it of the underlying statutory breach.
For advertising professionals working with influencer and content marketing campaigns, the ESHE determination serves as a reminder that consent documentation is not a bureaucratic formality. It is the legal foundation on which the entire campaign rests. If documentation cannot be produced when a regulator asks for it, the processing is treated as if consent never existed.
Who: Ian Itolondo Mutoro (complainant, a medical professional) and Waithera Imani alias Cera Imani, trading as ESHE Community (respondent, operator of a health and wellness digital platform). The determination was issued by Data Commissioner Immaculate Kassait, SC, MBS.
What: Kenya's Office of the Data Protection Commissioner found ESHE Community liable for unlawfully processing and publishing the complainant's name and image in promotional videos on TikTok and Instagram without obtaining express, specific, and documented consent. The respondent was ordered to pay KES 50,000 in compensation and to remove the complainant's personal data from social networks within 14 days.
When: The video was published on 23 September 2025. The complaint was lodged on 6 November 2025. The final determination was dated 4 February 2026.
Where: The case was adjudicated by Kenya's Office of the Data Protection Commissioner in Nairobi, under the Data Protection Act, 2019 and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. The promotional content appeared on TikTok and Instagram.
Why: The respondent could not produce documentary, verifiable, or auditable evidence of consent for use of the complainant's name and image in external social media promotional content. Kenya's Data Protection Act places the burden of proof on the data controller. Consent to appear on a professional listing platform does not extend to consent for commercial advertising on third-party social media channels. The lack of documented, purpose-specific consent for the commercial processing constituted a violation of the Act's lawfulness, fairness, transparency, purpose limitation, and consent principles.
