Kenya’s data protection regulator has ordered Café Javas to pay compensation to a customer who received marketing messages without giving permission.
The decision was made by the Office of the Data Protection Commissioner after a complaint from Steve Onwonga Omwenga. He said the restaurant began sending him promotional SMS alerts in September 2025 even though he had not agreed to receive advertisements.
The regulator awarded him KSh75,000, about Shs2 million, for the violation.
Investigators found that the messages were part of a wider marketing campaign run by CJ’s Limited, the company behind Café Javas, which recently opened operations in Nairobi.
Omwenga argued that he had never given clear consent for his phone number to be used for advertising and that his efforts to stop the messages were not handled quickly.
In its defence, the company admitted the messages were sent but said it later removed his number from its system, apologised and offered him a voucher. However, the regulator said the main issue was that the company did not first obtain proper consent.
Under Kenya’s Data Protection Act, businesses must get clear permission before using a person’s personal data for marketing. The ruling emphasised that companies must be able to prove that consent was given before sending promotional messages.








