
# Capital Markets Authority Kenya: Critical Legal Risks in Privacy Policy & T&C

Our analysis of Capital Markets Authority Kenya's T&C reveals key privacy and compliance gaps that could expose the organization to regulatory fines and reputational risk. See actionable improvements.

## When We Examined Capital Markets Authority Kenya’s Privacy Policy: Four Legal Risks That Could Cost Millions

Imagine a scenario where a regulatory body’s privacy policy exposes it to GDPR-level fines—up to €20 million or 4% of annual turnover—due to vague data usage terms or missing user rights. Our analysis of Capital Markets Authority Kenya’s (CMA) Terms & Conditions reveals four critical legal and logical issues that could result in substantial financial and reputational harm.

### 1. Ambiguous Data Collection and Use: Unclear Legal Basis

The policy states that CMA may collect and use personal information for broadly defined purposes, such as “internal record keeping” and “improving our products and services.” However, it fails to specify the legal basis for processing, a requirement under GDPR and Kenya’s Data Protection Act. This ambiguity increases the risk of regulatory action and user complaints, potentially leading to fines and litigation costs.

Legal Analysis: High risk

Original clause (removed):

> We may collect the following information: name and job title; contact information including email address; demographic information such as postcode, preferences and interests; other information relevant to customer surveys and/or offers ... We require this information to understand your needs and provide you with a better service, and in particular for the following reasons: Internal record keeping. We may use the information to improve our products and services.

Revised clause (added):

> We may collect and process personal information solely for the specific purposes outlined in this policy, and only where there is a valid legal basis under applicable data protection laws, including user consent or legitimate interest as defined by the Kenya Data Protection Act and GDPR.

Legal Explanation

The original clause is overly broad and does not specify the legal basis for processing personal data, as required by both GDPR and Kenya’s Data Protection Act. The revision clarifies the lawful grounds for processing, reducing regulatory risk.

### 2. Inadequate User Consent and Opt-Out Mechanisms

While the policy mentions that users may restrict use of their data for direct marketing, it lacks a clear, affirmative consent mechanism and does not address withdrawal of consent for all processing activities. This gap could invalidate user consent, making all downstream processing unlawful and exposing CMA to compliance enforcement.

Legal Analysis: High risk

Original clause (removed):

> You may choose to restrict the collection or use of your personal information in the following ways: whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes; if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at [email address].

Revised clause (added):

> We will obtain your explicit, affirmative consent before collecting or processing your personal information for any purpose, including direct marketing purposes. You may withdraw your consent for any processing activity at any time by contacting us using the details provided in this policy.

Legal Explanation

The original clause does not require affirmative consent for all processing activities and limits opt-out to direct marketing. The revision ensures compliance with consent requirements under GDPR and Kenya’s Data Protection Act.

### 3. No Data Retention or Deletion Policy

The policy does not specify how long personal data is retained or the procedures for deletion upon user request. This omission contravenes both GDPR Article 5(1)(e) and Kenya’s Data Protection Act, risking regulatory fines and undermining user trust. Without clear retention limits, organizations face increased data breach exposure and legal liability.

Legal Analysis: Medium risk

Original clause (removed):

> This privacy policy sets out how The Capital Markets Authority uses and protects any personal information that you give The Capital Markets Authority when you use this website.

Revised clause (added):

> We retain personal information only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. You may request deletion of your personal data at any time, and we will comply unless retention is required by law.

Legal Explanation

The original policy does not address data retention or deletion, which are mandatory under GDPR Article 5(1)(e) and Kenya’s Data Protection Act. The revision provides clear retention limits and user rights.

### 4. Insufficient Third-Party Data Sharing Controls

CMA’s policy allows sharing personal data with third parties for promotional purposes if the user consents, but lacks detail on due diligence, contractual safeguards, or cross-border transfer compliance. This exposes CMA to liability if third parties misuse data or violate privacy laws, with potential damages exceeding $100,000 per incident based on global enforcement trends.

Legal Analysis: High risk

Original clause (removed):

> We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

Revised clause (added):

> We will only share your personal information with third parties after conducting due diligence and entering into written agreements that require such parties to comply with applicable data protection laws. Cross-border data transfers will only occur in compliance with legal safeguards.

Legal Explanation

The original clause lacks detail on third-party due diligence, contractual safeguards, and cross-border transfer compliance. The revision reduces liability and aligns with global data protection standards.

---

## Conclusion: Proactive Legal Protection is Essential

Our analysis shows that even well-intentioned privacy policies can harbor costly legal risks. Addressing these gaps will not only strengthen compliance with GDPR and Kenya’s Data Protection Act, but also protect against regulatory fines, litigation, and reputational loss.

  • How often do you review your organization’s privacy policy for compliance gaps?
  • Are your data processing activities clearly mapped to legal bases and user rights?
  • What would a major data breach or regulatory investigation cost your business?

This analysis is for educational purposes only and does not constitute legal advice. For actual legal guidance, consult with a licensed attorney. This assessment is based on publicly available information and professional legal analysis. See erayaha.ai’s terms of service for liability limitations.