The Office of the Data Protection Commissioner (ODPC) has ordered CJ’s Restaurant to compensate a customer with KSh75,000 for unlawfully sending promotional text messages without obtaining prior consent.
Complaint No. 1498 of 2025
In its determination under ODPC Complaint No. 1498 of 2025, the Data Commissioner ruled that CJ’s processed the complainant’s personal data — specifically his mobile phone number — for marketing purposes without establishing a lawful basis as required under Kenya’s Data Protection Act.
The complainant, Steve Onwonga Omwenga, told the regulator that he received three unsolicited promotional SMS messages in September 2025 advertising festive free delivery services.
He maintained that he had never provided his phone number to CJ’s Restaurant nor consented to receive marketing communication.
After receiving the third message, Omwenga emailed the restaurant objecting to the messages and seeking resolution but did not receive a response.
CJ’s Restaurant Response
In its defence, CJ’s Restaurant admitted sending the messages as part of a general customer outreach campaign.
The company stated that after receiving the complaint, it conducted an internal review and confirmed that three messages had been sent. It subsequently ceased further communication and permanently deleted the complainant’s number from its database.
The restaurant also apologised and offered a KSh10,000 dining voucher as a goodwill gesture. Additionally, it said it had introduced consent-based marketing controls, opt-out mechanisms, staff training, and initiated steps toward formal data protection compliance.
ODPC Findings
However, the ODPC found that CJ’s Restaurant failed to demonstrate that it had obtained prior, express consent as required under Section 30 of the Data Protection Act.
The Office held that the processing of the complainant’s data was unlawful, unfair, and non-transparent. It noted that Omwenga had not been informed that his number would be used for marketing purposes and had not been given an opportunity to opt out before receiving the promotional messages.
While acknowledging the restaurant’s corrective measures, the Data Commissioner emphasized that post-incident mitigation does not absolve an organisation from liability for unlawful data processing that has already occurred.
Consequently, CJ’s Restaurant was found liable and ordered to pay KSh75,000 in compensation.
