Executive Summary
Entering its 5th year, the Unwanted Witness Privacy Scorecard Report marks another milestone in tracking how organisations across public and private sectors safeguard personal data and adhere to data protection obligations. Drawing on local data protection frameworks and global privacy standards, this report examines compliance, highlights progress and uncovers persistent gaps that continue to shape the privacy landscape.
The 2025 assessment expanded its scope to include Nigeria, Ghana, and Botswana, alongside Rwanda, Tanzania, Mauritius, Zimbabwe, Kenya, and Uganda. In total, 286 companies were assessed, reflecting a 33.56% growth from the 190 recorded in 2024. Participation has risen steadily from 32 companies in one country (2021) to 12 across two countries (2022), 48 across four countries (2023), and 190 across six countries (2024). This growth reflects broader regional coverage and deeper engagement across sectors.
The 2025 report builds on previous assessments of data protection and privacy compliance, highlighting the region's evolving digital landscape and growing focus on personal data security, regulatory enforcement, and digital trust. This assessment adopts a detailed and methodologically sound approach to evaluate data collectors' performance across eight (8) key sectors: telecommunications, e-commerce, online betting, banking and finance, insurance, government agencies/bodies, health, and digital loans. The report examines the extent of compliance with data protection laws, drawing attention to emerging performance trends, sectoral challenges, and best practices.
The evaluation is guided by seven (7) key indicators: Registration with the National Regulator, Accessible Privacy Policy, Pre-collection Data Transparency (Data Subject Rights), Third-Party Data Transfer, Robust Data Security Practices, Availability of Transparency Report, and Internal Data Breach Resolution. The evaluation is structured around several key components: a contextual overview of data protection laws, institutional frameworks, and their enforcement; an in-depth country analysis providing sectoral performance insights drawn from a study of 286 companies and entities; an examination of key compliance indicators; and a discussion of challenges, emerging trends, and lessons learned across different jurisdictions. The report also offers actionable recommendations aimed at strengthening privacy protections.
The study assesses how public and private sector entities manage personal data, revealing persistent gaps in enforcement, regulatory capacity, and public awareness. Although digital services including mobile money, ride-hailing apps, e-commerce, and digital lending platforms continue to expand rapidly, concerns remain around data breaches, unauthorized surveillance, and weak enforcement mechanisms that undermine data protection efforts.
Comprehensive data protection laws are now in force across Nigeria, Ghana, Botswana, Rwanda, Tanzania, Mauritius, Zimbabwe, Kenya and Uganda. Among the most recent legislative developments are Zimbabwe (2021), Rwanda and Tanzania (2022), Nigeria (2023), and Botswana (2025), reflecting a broader regional commitment to aligning with global privacy standards and strengthening regulatory oversight of digital ecosystems.
However, despite this important normative progress, implementation remains uneven. Many regulatory authorities are still developing institutional capacity, enforcement mechanisms are maturing, and organisations are at varying stages of compliance. Consequently, the existence of updated legal frameworks does not automatically ensure consistent enforcement or effective protection in practice, particularly where accountability structures, compliance culture and accessible redress mechanisms are still evolving.
Compared to last year's overall index score of 40%, the 2025 assessment recorded a slightly higher score of 46%. Kenya maintained its position as the top-performing country, followed by Nigeria, Uganda, and Mauritius. Ghana and Botswana shared the same score, as did Rwanda and Tanzania, while Zimbabwe ranked lowest overall.
At the sectoral level, the Banking and Finance sector continued to lead with an overall score of 52%, up from 42% last year. This was followed by Telecommunications at 46% (up from 39%), Insurance at 44% (up from 40%), and E-commerce, which remained steady at 39%. Digital Loans scored 37%, followed by Online Betting at 36%, Government Agencies at 25%, and finally, the Health sector at 22%.
This year’s results demonstrate steady progress in most sectors, with notable improvements in financial and telecommunications services, though overall performance indicates continued challenges in strengthening data protection practices across all industries.
Across the sectors evaluated, the assessment provides a clear picture of how companies and entities are managing privacy and compliance responsibilities. In the telecommunications sector, Airtel Kenya led with a privacy score of 76%, followed by Vodacom Tanzania (74%) and MTN Uganda (70%), both showing notable improvements from last year. Other strong performers included MTN Nigeria (68%), MTN Rwanda (63%), Zuku (60%), 9Mobile (58%), Lycamobile (57%), and Emtel (56%), reflecting steady progress in privacy compliance and user data protection.
Mid-level performers such as Airtel Nigeria (53%) and Safaricom (51%) demonstrated moderate compliance but need to strengthen transparency and user rights protections. In contrast, low performers, including Liquid Telecom Zimbabwe (29%), TelOne (27%), Econet Zimbabwe, Glomobile Ghana (25%), and Atcomm (5%), face significant privacy and regulatory risks due to weak data protection measures. Overall, high-scoring firms enjoy stronger consumer trust, lower regulatory exposure, and greater resilience to data breaches, while low-scoring entities risk legal penalties, reputational damage, and customer attrition. The results underscore the uneven maturity of privacy practices across the region and highlight the urgent need for stronger enforcement and organizational accountability in the telecommunications sector.
In the e-commerce sector, Jumia Uganda (63%, up from 40%) and Glovo Kenya (60%) lead in data protection, reflecting significant progress in strengthening privacy and compliance frameworks. They are followed by Jiji Uganda (58%, up from 47%), Jiji Kenya (55%), and Jiji Nigeria (54%), indicating steady improvements across the Jiji group. iStore Botswana (51%) and Jiji Kenya (50%) show moderate adherence to privacy standards, though without notable advancement. Mid-range performers such as Jumia Kenya (44%, down from 47%), Temu Mauritius (44%), and Worths Mauritius Online (42%, down from 46%) exhibit partial implementation of privacy measures but still face gaps in transparency and user data management. At the lower end, Kikuu Ghana (29%), Kara Nigeria (27%), Kikuu Uganda (26%), Vubavuba Rwanda (22%), and Apex Mart (7%) show limited compliance with data protection principles, exposing users to higher privacy risks. Overall, the results reveal a widening gap in privacy maturity within the e-commerce sector. While leading companies demonstrate growing commitment to data protection, many others lag behind, highlighting the need for stronger regulatory enforcement, better governance, and greater investment in privacy management systems.
The online betting sector exhibited significant variation in privacy and data protection performance. Betway Ghana (53%) and Betika Kenya (52%, up from 35%) led the sector, followed by 22Bet Uganda (47%), 1xBet Ghana (47%), and BetPawa Kenya (46%). These improvements indicate growing investment in compliance frameworks and greater attention to user data governance. Mid-tier performers such as Gorilla Games (43%), Fortbet Rwanda, and BetPawa Rwanda (42%) demonstrate moderate progress but continue to face challenges in implementing transparent consent mechanisms and comprehensive privacy controls.
At the lower end, AccessBet (28%), 1xBet Uganda (26%), Steven Hills Mauritius (6%), Totelepepe (6%), and Bet Xplosion Botswana (6%) reflect limited adherence to data protection standards. Such scores suggest weak privacy governance and elevated risks in handling personal and financial data. Overall, the sector shows gradual progress among leading operators but remains constrained by inconsistent compliance maturity, underscoring the need for enhanced regulatory oversight and strengthened internal privacy management systems.
The banking and finance sector showed mixed performance in privacy and data protection. UBA Nigeria (73%) led the sector, followed by NMB Tanzania (68%, up from 36%), Equity Bank Tanzania (67%), Equity Bank Rwanda (66%), and Zenith Nigeria (66%), reflecting strengthened data governance and growing compliance maturity. Mid-range performers such as Ecobank Ghana (58%), Centenary Bank Uganda (57%), Absa Bank Kenya (57%, up from 46%), and CBZ Bank (57%) show steady progress but still face gaps in transparency, consent management, and third-party oversight. Lower scores for Absa Bank Mauritius (41%), Access Bank Rwanda (37%), Bank of Kigali (35%), Empower Bank (32%), and Bank of Baroda Mauritius (31%) point to weaker privacy frameworks and limited readiness for full regulatory compliance. Overall, the results highlight an improving but uneven landscape, with leading banks advancing toward robust data protection standards while others lag, underscoring the need for stronger institutional accountability and regional regulatory alignment.
The insurance sector displayed significant variation in privacy and data protection performance. Jubilee Insurance Uganda (73%) led the sector, followed by UAP Old Mutual (70%, up from 53%), Jubilee Insurance Kenya (66%), Jubilee Allianz General Insurance Mauritius Ltd (65%), and Sicom (62%), reflecting strong progress in data governance and compliance maturity. Mid-range performers such as Mauritius Union Assurance (55%, down from 72%), Britam Tanzania (54%), Old Mutual Rwanda (51%), Britam Uganda (50%), and ICEA Lion Insurance Kenya (50%) demonstrate partial implementation of privacy frameworks but ongoing gaps in transparency and consent management. Lower scores for Vanguard Assurance (11%), BK Insurance Rwanda (10%), NIC Tanzania (8%), Sale Insurance Zimbabwe (6%), and Alliance Zimbabwe (4%) indicate weak privacy controls and elevated compliance risks. Overall, the sector shows encouraging leadership from a few insurers but generally uneven progress, underscoring the need for stronger privacy governance, regulatory alignment, and consistent data protection practices across the region.
Privacy and data protection practices among government agencies show significant variation. Uganda's NIRA led the sector with 51%, followed by eCitizen Kenya (49%), RSSB Rwanda (49%), Ghana Immigration Service (48%), BOCRA Botswana (45%), and KRA Kenya (44%, down from 47%), reflecting moderate adoption of privacy frameworks. Mid-range performers, including UBOS Uganda (43%), MauPass Mauritius (40%), SSNIT Ghana (36%), ETA Kenya (35%), IremboGov Rwanda (35%), and MRA Mauritius (35%), demonstrate partial implementation of privacy controls but ongoing gaps in consent management and data security. Low scores for TCRA Tanzania (8%), IEC Botswana (7%), Electoral Commission Uganda (6%), NCS Nigeria (6%), RRA Rwanda (5%), Tanzania Work Permit Portal (4%), and Uganda Immigration and Passport Office (3%) indicate weak privacy governance and high exposure to data protection risks. Overall, while some agencies are advancing toward better data protection, the sector remains uneven, highlighting the need for stronger regulatory oversight, enhanced governance, and investment in secure, citizen-focused data management systems.
Health facilities demonstrated generally weak compliance with data protection standards. Wellkin Hospital and Clinique Darne led the sector at 61%, followed by IHK Hospital Uganda (59%), Lagoon Hospital (52%), and Dr. Agarwal's Eye Hospital Mauritius (48%), reflecting limited but notable progress in patient data governance. Mid-range performers, including Aga Khan University Hospital (44%), LyfPlus (43%), Nakasero Hospital (38%), Gaborone Private Hospital (36%), and Lubaga Hospital (35%), showed partial adoption of privacy frameworks but continued gaps in consent management and data security. Low scores were widespread, with several hospitals below 15%, including Case Hospital (11%), both Muhimbili National Hospital (Karanda Mission) and Nyaho Medical Centre (8%), and multiple facilities scoring 5% or less, highlighting weak privacy governance and high exposure to data protection risks. Overall, while a few leading hospitals are strengthening data protection practices, the sector remains largely underprepared, emphasizing the need for stronger privacy policies, staff training, and robust enforcement of data protection regulations.
Digital lending platforms exhibited uneven compliance with data protection standards. Renmoney led the sector at 60%, followed by Cim Finance (59%), Branch Nigeria (58%), Bayport Botswana (54%), and Fair Money Nigeria and Fide Ghana (53%), reflecting stronger adoption of data governance practices. Mid-range performers included Branch International Kenya, Lend Plus, M-Kopa Ghana (50%), Zenka and Kiva (49%), Letshego (48%), Fundkiss (46%), and Carbon Nigeria (45%), indicating partial implementation of privacy frameworks but ongoing gaps in consent management and data security. Low scores were observed for Ecocash Zimbabwe (25%), eShagi (20%), Inn Bucks (7%), Zibuko Capital (5%), and MkopoWako and Twiga Loan (4%), highlighting weak privacy controls and elevated risks of unauthorized data access. Overall, while some platforms demonstrate progress in safeguarding customer data, the sector remains largely inconsistent, underscoring the need for stronger privacy policies, robust governance, and regulatory oversight.
Over the five-year period, country performance reflects gradual improvement, periodic fluctuations, and differing levels of maturity in data protection implementation. Countries assessed earlier display more visible performance cycles, while newer entrants establish important baselines for future monitoring.
Mauritius (added in 2023) has shown relatively stable but fluctuating performance, recovering to 40.0% in 2025 after a dip in 2024. Zimbabwe, also added in 2023, demonstrates steady incremental growth, rising from 23.1% to 28.0% over three years, signalling gradual institutional strengthening.
Kenya and Uganda exhibit more dynamic trajectories. Kenya peaked in 2023, declined in 2024, and rebounded strongly in 2025, indicating a maturing and resilient system. Uganda followed a similar pattern, with a significant rise in 2023, a temporary drop in 2024, and recovery in 2025.
Rwanda and Tanzania, first assessed in 2024, both recorded modest but positive early gains by 2025, reflecting emerging regulatory capacity. Among 2025 entrants, Nigeria posted a strong baseline score of 44.0%, outperforming several longer-tracked countries, while Ghana and Botswana entered at 36.0%, positioning them in the mid-range of the index.
Overall, the analysis points to steady continental progress, varied reform speeds, and growing alignment with data protection norms, even as consistency and sustained compliance remain ongoing challenges.
Sectoral performance over the past five years reflects uneven progress and varying levels of maturity in privacy governance. While some industries show steady improvement, others continue to face structural and compliance gaps, highlighting the need for targeted regulatory intervention.
Telecommunications demonstrates gradual and consistent growth, improving from 35% in 2021 to 46% in 2025, suggesting increasing institutionalisation of privacy practices. In contrast, e-commerce declined sharply after peaking above 50% in 2022, stabilising at 39% in 2024–2025, raising concerns about sustainability amid rapid expansion. Online betting remains volatile, reflecting inconsistent compliance in a high-risk, data-intensive sector.
Banks and financial institutions remain the strongest and most stable performers, recovering to 52% in 2025 after a temporary dip, reflecting mature compliance systems. Insurance shows notable improvement, rising from 23% to 44%, though gaps persist. Government agencies continue to underperform despite modest recovery, while the health sector remains critically weak, reaching only 22% in 2025 despite handling highly sensitive data. Digital loan providers show fluctuating performance, with a 2025 rebound suggesting responsiveness to regulatory pressure.
Overall, no sector consistently exceeds 60%, indicating low overall maturity. Progress appears largely reactive rather than embedded, underscoring the need for sustained capacity building, stronger enforcement, and sector-specific compliance support.
The review of the 20 most widely used mobile applications shows persistent and systemic privacy risks across categories. Social networking apps remain the largest group at 40% (down from 60% last year), followed by file-sharing apps at 10%, with all other categories, including mobile banking, email, web browsing, online shopping, betting, productivity, and streaming, each accounting for 5%. Despite this shift, privacy protections remain weak across the ecosystem, particularly outside social media.
Fourteen apps were classified as potentially dangerous due to high numbers of embedded trackers and intrusive permissions, up from 10 last year. Tracking is highly concentrated, dominated by Google (45.5% of observed trackers) and Meta (22.7%), meaning over two-thirds of data flows are directed to just two companies. Most apps deploy multiple trackers simultaneously, enabling cross-app aggregation, profiling, and extensive third-party data sharing, often without meaningful user consent.
Recurring issues include excessive data collection, opaque third-party sharing, weak consent mechanisms, inadequate encryption, and limited user control. Commonly requested permissions such as persistent network access, background operation, camera, microphone, location, and device identifiers create cumulative privacy risks when combined over time.
Overall, the findings indicate that mobile app privacy practices remain structurally weak, with layered tracking and broad permissions undermining user autonomy and exposing individuals to profiling, data misuse, and security vulnerabilities. Stronger transparency, data minimisation, and enforcement are urgently needed to safeguard data protection rights.
Advancing effective data protection and safeguarding privacy rights demands collaborative efforts from governments, businesses, regulators, development partners, and civil society. This report emphasizes the need for more robust enforcement, greater transparency, and active participation to translate legal frameworks into tangible protections.
