Kenya has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

The Kenya Information and Communications (Consumer Protection) Regulation provides a comprehensive consumer protection framework that applies to online transactions.

It is reported that the de minimis threshold, that is the minimum value of goods below which customs do not charge duties, is USD 20, below the 200 USD threshold recommended by the International Chamber of Commerce (ICC).

According to Section 3 of the National Payment System Act, the Central Bank is empowered to designate a payment system. In addition, Section 12 prohibits unauthorized companies from conducting the business of a payment service provider. Furthermore, pursuant to Art. 43 of the National Payment System Regulations, e-money issued shall be subject to an individual transaction limit that shall not exceed seventy thousand shillings (approx. USD 560) and an aggregate monthly load limit of one million shillings (approx. USD 7,990), provided that the Central Bank may approve higher limits for specific categories of e-money issuers. The limits may be amended by the Central Bank from time to time.

The import standards mark (ISM) mark must be applied to all products which have impact on health and safety, including electrical appliances and accessories. It is the seller’s responsibility to ensure that shipments to Kenya happen only after issuance of the ISM. The Conformity Assessments of the ISM mark is conducted by third party laboratories.
Products containing the QMark do not have to go through inspection for compliance upon entry into another Partner State of the East African Community.

According to the Communications Authority of Kenya, an application for Type Approval must be made using the Application Form for Type Approval/ Type Acceptance of ICT Equipment. It is reported that the homologation procedure in Kenya is more complicated than in most African countries. Depending on regulations and type of equipment, the authority may require product samples for further examination or simply issue an exemption letter. The validity period of conformity documents can be unlimited (exemption letters) or limited to 6 months (certificates of conformity) after which the authority automatically issues an unlimited certificate.

The Environmental Management and Coordination (Extended Producer Responsibility) Regulations impose obligations for importers of used electronic goods such as licences, registration for compliance schemes and reporting to ensure that the products comply with the Extended Producer Responsibility (EPR), amongst other requirements.

It is reported that there is a requirement to obtain a Certificate of Conformity from a Kenya Bureau of Standards appointed pre-export verification of conformity (PVoC) partner. To import any commodity into Kenya, an importer has to enlist the services of a clearing agent who will process the import documentation through Kenya Customs electronically on the Simba 2005 system and clear the goods on the company's behalf. It is the seller’s responsibility to ensure that shipments to Kenya happen only after issuance of a Certificate of Conformity. In addition, products containing the QMark do not have to go through inspection for compliance upon entry into another Partner State of the East African Community.

Section 13 of Act No. 12 creates the offence and outlaws hate speech, and Section 62 makes an offense for any media enterprise to publish words intended to incite feelings of contempt, hatred, hostility, violence or discrimination against any person, group or community on the basis of ethnicity or race. A media enterprise can be fined up to one million shillings (USD 8,800) for publishing hate speech.
In addition, under the "Guidelines for the Prevention of Dissemination of Undesirable Bulk Political SMS and social media content via Electronic Communications Networks", intermediaries (bulk messaging and social media service providers) can be held liable for spreading falsehoods, hate speech and insults. Art. 13.6 of the Guidelines establishes that it shall be the responsibility of the Administrator of a social media platform to moderate and control undesirable contents and discussions that have been brought to their attention on their platform. In this respect, Art. 13.7 provides that social media service providers shall be required to pull down accounts used in disseminating undesirable political contents on their platform that have brought to their attention within 24 hours.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Kenya's law and jurisprudence. Save for the provisions in Section 35 of the Copyright Act, there is no clear of limitation of liability for “hosting, caching, linking, or mere conduits” in Kenya. The now-defunct Electronic Transactions Bill of 2007, borrowing extensively from the EU Commerce Directive, would have provided limitations on criminal and civil liability for third parties, where they acted as mere conduits, in caching processes, and when used as information location tools.

Regulation 5 of the Registration of SIM-Cards Regulations requires every telecom operator to register its users including provision of personal data such as names, national identity cards.

Kenya has a safe harbour regime in place for intermediaries for copyright infringements. The Copyright Act (Section 35A) has provisions on the limitation of liability of Internet Service Providers (ISP) in copyright infringement. The limitations may be relied upon by ISPs where:
- They do not initiate the transmission of the copyright;
- They do not select the addressee of the content;
- They perform their functions in an automatic, technical manner without selection of materials;
- They do not interfere with the lawful use of technology to obtain information on the use of the copyright material;
- They do not have actual knowledge that the content or activity related to the material is infringing the rights of a third party;
- They are not aware of the facts or circumstances of the alleged copyright infringing activity unless the infringing nature of the material is apparent; and
- They remove or disable access of copyright infringing content upon receipt of a valid takedown notice.

Pursuant to Section 42 (1) and (2) of the National Intelligence Service Act 2012, the Director General of Intelligence may obtain warrants from the High Court of Kenya to obtain any information, monitor communication in order to preserve national security.
Despite the law requires a warrant, an investigation by Privacy International in March 2017 revealed that the National Intelligence Agency (NIS) has direct access to Kenya’s telecommunications networks, which allows for the interception of both communications data and content. Direct access describes situations where state agencies have a direct connection to telecommunications networks which allows them to obtain digital communications content and data (mobile and/or internet) without prior notice or judicial authorisation and without the involvement of the telecommunications provider or internet service provider that owns or runs the network.

Section 6 of the Official Secrets Act requires “any person who owns or controls any telecommunications apparatus used for the sending or receipt of any data to or from any place outside Kenya” to provide such data to the government. Such requests may be authorized by the president’s cabinet security, rather than through the courts. Those who refuse risk a one-year prison term, a fine of 1 million shillings (USD 8,800), or both.

Section 31 of the Data Protection Act No. 24 of 2019 requires performance of protection impact assessment in cases where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes.