M-Pesa has revolutionized how Kenyans live, work, and trade. Since its inception, it has made banking significantly easier through integrated, transformative services such as Lipa na M-Pesa (Pochi la Biashara & Bill Manager), M-Shwari, and Fuliza. We have moved from a cash-heavy society to a digital pioneer.
In the early days of mobile money, merchants relied on dedicated gadgets to confirm payments. However, as M-Pesa was adopted by everyone from high-end bars to local kinyozis, matatus, and Mama Mboga stalls, a bad habit formed: traders adopted the payment method but ignored the privacy regulations that came with it. Today, there is a silent, toxic expectation that customers must surrender their phone screens to a merchant to verify a transaction.
This is not just a minor social friction; it is a systemic violation of the Constitution of Kenya and the Data Protection Act (2019).
The Conflict of Convenience
I have had countless “tiffs” with traders over this. The biggest culprits are often matatu conductors who insist on seeing my screen, sometimes even reaching out to grab the phone and zoom in. I’ve been met with anger from conductors who wonder why I can’t “just be like everyone else.”
In countless instances, I have declined to “cooperate,” and with that refusal has come a barrage of insults. My attempts to explain that this is an infringement on my data privacy are often met with blank stares or ridicule. It bothers me deeply how comfortable Kenyans have become with allowing merchants to violate their personal space. I often wonder: is it pure ignorance, or just a weary complicity in law-breaking?
At a petrol station off Lenana Road, I became a “marked man.” Because I refused to show my confirmation message and often told the attendants off for their intrusive demands, they eventually began avoiding my car entirely.
Why the Law is on Your Side
So, are merchants allowed to access your phone or demand to see your messages? The short answer is no. According to Safaricom’s regulations, every dealer and merchant is expected to use their own device, whether a “Merchant/Till” device or the M-Pesa Business App, for verification. Safaricom has publicly agreed that demanding to see a customer’s phone is a violation of the payer’s privacy.
Also Read: M-PESA Guide on How to Join Shiriki Pay, Add Users, and Register a Beneficiary
While these rules exist, Safaricom and the government authorities have failed to provide the necessary civic education to ensure the public knows their rights. This lack of awareness has allowed the “grab and zoom” culture to flourish unchecked.
The law is not a suggestion; it is the bedrock of our digital economy. When a merchant demands to see your phone, they are infringing on specific legal protections.
The right to privacy is a fundamental human right. Article 31 (c) and (d) explicitly state that every person has the right not to have “information relating to their family or private affairs unnecessarily required or revealed” or the “privacy of their communications infringed.” Your SMS inbox is a private communication channel. By demanding to see it, a merchant is performing an unauthorized search of your personal property.
Secondly, under Section 25, any person or entity processing your data must adhere to the principle of Data Minimization. They are entitled only to the information necessary to confirm the sale: the Transaction Code and the Amount. When they look at your screen, they see your full name, phone number, and account balance. This is excessive, unnecessary, and illegal.
Three, Section 30 of the Act mandates that personal data shall only be processed if there is a lawful basis. A merchant’s “lack of trust” in their own system is not a lawful basis to bypass your privacy. Furthermore, if a merchant uses the phone number shown on your screen to contact you later, that is a common form of harassment and a breach of Section 72, which prohibits the disclosure of personal data without authorization. Merchants are liable to prosecution; under the Act, individuals or entities can be fined up to KES 5 million or imprisoned for such violations.
Common Practice vs. Legal Requirement
Just because it is “common practice” to show a makanga your phone doesn’t make it a legal requirement. No statute in Kenya obliges a citizen to display their personal device to a private citizen for verification. The burden of proof for payment lies with the merchant’s receipt system, not the customer’s private screen.
Also Read: Safaricom Increases Fuliza Limit for Thousands of Kenyans
When a merchant claims their system is “slow,” they are asking you to pay for their technical inefficiency with your constitutional rights. The Office of the Data Protection Commissioner (ODPC) has made it clear: administrative inefficiency is not a justification for breaching privacy rights.
Complicity and Accountability
The current state of affairs is a result of a massive failure in leadership and civic education.
Whereas Safaricom has built a world-class platform, it needs to do more to protect its customers. It is not enough to have privacy policies buried in a PDF. Safaricom needs to launch a sustained nationwide campaign to educate merchants that they have no right to touch or view a customer’s phone.
Relatedly, we have seen the ODPC issue penalty notices to clubs and various schools for data breaches. It is time to turn that gaze toward the transport and retail sectors. We need enforcement. When a matatu Sacco or a retail chain makes it a policy to “grab and zoom” into customers’ phones, they should face the full weight of the law.
Lastly, as a consumer of MPESA services, note that every time you voluntarily hand over your phone, you waive your constitutional rights and contribute to a culture of non-compliance. You are essentially handing a stranger the keys to your bank branch.
In conclusion, we must move from a culture of compliance with the bully to compliance with the law. Your M-Pesa message contains more than just a receipt; it is a window into your financial health and private life. The law gives you the right to keep that window shut. Next time you pay, read out the transaction code. If a merchant insists on seeing the phone, remind them of Article 31.
Follow our WhatsApp Channel and X Account for real-time news updates.
