Your Phone Number Was Never Just a Number: What M-Pesa’s Phone Masking Means for Kenyans

Picture this: it’s a Thursday evening, a customer at a local supermarket or grocery store in Kenya, is shopping for their groceries. They tap their phone to pay via M-Pesa, confirmation SMS arrives, transaction done. A month or two later, their  phone rings; a financial services agent, armed with their name and number, offers a loan they never asked for. They never gave that company their contact. They never signed a consent form. All they did was buy groceries.

This is not an isolated incident. For years, it was the quietly accepted cost of participating in Kenya’s mobile economy. Every M-Pesa payment was, in effect, an involuntary handover of personal data: your full phone number, displayed in the merchant’s confirmation SMS, available to anyone who thought to harvest it.

That changed on March 24, 2026 following approval from the Central Bank of Kenya (CBK), Safaricom rolled out a phone number masking feature across M-Pesa’s peer-to-peer, Paybill, and Till payment channels. A sender’s number, previously displayed in full, now appears partially concealed for example, 0712***678 while only the sender’s first and last names remain visible. A quiet but significant shift: for the first time, millions of Kenyans can pay for something without surrendering a persistent personal identifier to whoever is on the other end.

This move is framed as a direct implementation of the Data Protection Act, 2019 (DPA), specifically its mandate that data controllers collect only information that is strictly necessary for the purpose at hand.

The Problem that Predated the Solution

Safaricom serves over 40 million subscribers. Since M-Pesa’s launch in 2007, the platform has processed billions of transactions and reshaped commerce, financial inclusion, and daily life across Kenya. But beneath this success story lay a largely unchallenged privacy problem baked into M-Pesa’s architecture: every payment was a data-sharing event.

When a customer paid via a Lipa na M-Pesa Till or Paybill number, or peer to peer payments the merchant’s/receiver confirmation SMS displayed the customer’s complete phone number alongside their name, transaction amount, and reference code.For merchants, this was useful for reconciliation. For data brokers, spam callers, and fraudsters, it was something else entirely: a continuously refreshed, self-updating contact list, built on transactions people had no idea were also data disclosures.

The consequences were tangible and widely experienced. Customers found themselves receiving promotional texts, loan offers, and targeted calls from companies whose services they had merely paid for in passing. In more serious cases, the exposed contact details enabled fraud, scam calls, and social engineering targeting M-Pesa users.

The Kenya Institute for Public Policy Research and Analysis (KIPPRA) documented this pattern, noting that while M-Pesa transformed mobile transactions, concerns persisted about how personal data collected at the point of payment was being handled. Section 25 of the Data Protection Act, 2019 which outlines data protection principles including data minimisation, purpose limitation, and storage limitation offered a legal remedy. The challenge was enforcement.

By 2024, financial services providers accounted for a third of all determinations issued by the Office of the Data Protection Commissioner (ODPC), drawn from over 5,000 consumer complaints. Among the violations cited were improper consent management, unsolicited communication, and violations of the data minimisation principle the very issue M-Pesa’s architecture had institutionalised at scale.

The fix: Data Minimisation and Purpose Limitation

The phone number masking feature operates on a  principle called pseudonymisation at the point of transaction notification. Rather than transmitting a complete phone number to the recipient’s confirmation SMS, Safaricom’s system now reveals only partial digits, sufficient to confirm a transaction was received but insufficient to directly identify or contact the sender through third-party channels.

The CBK’s approval letter to Safaricom explicitly endorsed the update as consistent with the  Data Protection Act, 2019 (DPA), specifically its data minimisation mandate: that data controllers collect only information strictly necessary to complete a transaction. For recipients requiring the full sender details for legitimate purposes such as resolving a disputed transaction may forward the M-Pesa confirmation message to the USSD code 334 within 24 hours. This mechanism preserves transactional accountability while restricting unnecessary exposure of personal identifiers.

Why

Why This Matters to  LDRI as advocates for Data rights 

At LDRI, our Digital Services programme is built on a conviction: that digital services infrastructure only serves citizens when  built on a foundation of responsible data practices and citizen engagement, not just efficiency. The M-Pesa masking update is precisely the kind of change our work has been pushing towards — a moment where a legal principle (data minimisation under the DPA) finds practical expression in a product used by tens of millions of people.

But a product change, however welcome, is not the same as a systemic shift. The gap we continue to work on is the one between what the law requires, what platforms implement, and what citizens actually know and can exercise. In our experience working with communities across Kenya and Zambia, most people using digital services like M-Pesa,  have no idea of the risks to their personal data being transmitted across merchants, what data protection laws have to say and how they can exercise their data rights.

A right you don’t know you have is a right you cannot use. Closing that gap is where LDRI focuses its energy.

This is the gap that citizen engagement and transparent communication must fill. Our work involves developing engagement frameworks that connect institutions like Safaricom and the ODPC with the communities most affected by their data decisions, particularly marginalised groups who are disproportionately exposed to digital harms and least likely to have access to formal complaints mechanisms.

Looking Forward: The Masking Was the Beginning Not The Finish Line

Hiding a phone number is one thing. Deciding what happens to it afterwards is another.

The Data Protection Act gives Kenyans the right to erasure; the legal expectation that data collected about them will not be held indefinitely, repurposed quietly, or passed along without their knowledge. Safaricom’s masking addresses the exposure problem at the point of transaction. But the data doesn’t disappear after the SMS arrives. Transaction histories, location logs, call metadata, and SIM-linked identifiers continue to exist in systems that, for most users, remain a black box. Masking without explicit deletion schedules is a half-measure, the identifier is hidden from the merchant, but it may still live in a database long after it has served any legitimate purpose.

This is where the next frontier lies. The question is no longer only who sees your number when you pay, but who holds your data, for how long, and under what conditions. Vulnerable populations — those targeted for financial scams, political harassment, or predatory lending — face the sharpest edge of this gap. A masked number offers real protection; unguarded transaction metadata in the wrong hands still does not. Technical safeguards such as anti-scraping technologies, monitoring for suspicious access patterns, and prompt breach notifications are crucial complements to identifier masking.

Comparative Practices and Recommendations

Globally, operators have adopted innovative measures to protect sensitive customer data while maintaining service functionality:

• Rwanda’s MTN implements data anonymisation for third-party API access while retaining operational usability.
• EU mobile operators comply with GDPR, using pseudonymisation and access restrictions to prevent unnecessary exposure of phone numbers or transaction data.

For Safaricom, these practices suggest actionable steps:

1. Expand masking and pseudonymisation across all publicly accessible systems and third-party integrations.
2. Implement and communicate to users clear data retention schedules and deletion protocols to ensure data is not retained longer than necessary.
3. Adopt robust anti-scraping and anomaly detection systems to prevent automated harvesting of data.
4. Enhance customer transparency, communicating data use policies, consent mechanisms, and privacy rights under the DPA.
5. Localise sensitive data storage within Kenya to strengthen national data sovereignty and reduce foreign control risks.

Nevertheless, these tasks are not directed only to safaricom,they are the shape of what a mature digital rights ecosystem looks like. One where regulators enforce, operators comply and citizens know enough to hold both to account. The masking feature by safaricom  proved that this movement is possible. The task now is to make it inevitable.

Conclusion

Kenyan’s who have transacted via M-pesa  and received unsolicited calls or messages have done nothing wrong. They participated in an economic infrastructure that did not have their rights in mind. Safaricom’s M-Pesa phone number masking is a step towards the correction of that design failure.It is a practical embodiment of what the Data Protection Act intended: that citizens should not be compelled to trade their personal identifiers simply to participate in the economy. The law provided the foundation; years of documented consumer harm provided the pressure; the CBK’s approval provided the regulatory clearance. The result is a change that directly benefits millions of Kenyans who had no mechanism to protect their contact details from being harvested at the point of payment. What follows now is ensuring that this moment translates into a new standard of expectation for platforms, regulators and citizens who increasingly  understand that their data is not a by-product of using a service but a right worth protecting.

At LDRI, that work continues. If you are working on digital rights, data governance, or citizen engagement in Kenya or Zambia, we invite you to connect with our Digital Services team.