Tanzania’s Landmark Progress: Safeguarding Children’s Privacy Rights in the Digital Age

In a significant milestone for digital privacy in Tanzania, the Personal Data Protection Commission (PDPC) has issued its first-ever judgment specifically protecting children’s privacy rights under the Personal Data Protection Act (PDPA). Delivered on 19 August 2025, the ruling focused on a newborn’s image posted on a business Instagram account without parental consent and marks a historic moment for children’s personal data protection in the digital age. The case (Complaint No. PDPC/CMP/002/2025) arose when a businesswoman posted a photo of a newborn on her Instagram business page, captioned “Tupunguze zawadi za pampers na vitenge, it is a baby girl.” The image went viral with over 1,100 shares on Christmas Day 2024. Despite repeated requests from the child’s mother to remove the image, the respondent refused.

The PDPC ruled in favour of the complainant. It held that the photograph of the newborn constituted “sensitive personal data” under the PDPA and that using it without parental consent for commercial purposes was unlawful. The respondent was fined, ordered to pay damages, and instructed to remove the image, affirming the child’s right to erasure and the Commission’s jurisdiction over such data protection complaints.

The Legal Landscape: Establishing Foundations for Protection

Tanzania’s Personal Data Protection Act (PDPA), signed into law in November 2022, reflects the country’s dedication to privacy rights enshrined in Article 16 of its Constitution. The Act made Tanzania the 35th African nation to implement standalone data protection legislation, extending privacy safeguards to over 63 million citizens. This comprehensive framework imposes specific obligations when handling children’s personal data, recognising their vulnerability in digital environments.

The legislation introduces strict consent requirements and transparency obligations that are particularly important for children. Under the PDPA, personal data must be processed lawfully, fairly, and transparently, with explicit consent needed for collection and use. In the case of children, these protections are even more vital, as minors cannot give legal consent and require parental or guardian approval for data processing activities.

Commercial Exploitation: A Growing Concern

The commercial use of children’s personal data has become a significant issue in the global digital economy. Recent cases have shown how companies can either unintentionally or intentionally exploit children’s data for commercial purposes without adequate consent mechanisms. Social media platforms, advertising firms, and entertainment services frequently gather large amounts of data from young users, including photos, location details, behavioural patterns, and personal preferences. This information becomes a valuable commercial resource, utilised for targeted advertising, product development, and market research. Nonetheless, the power imbalance between corporations and children makes such practices especially problematic. 

The monetisation of children’s data goes beyond obvious commercial purposes. Educational technology platforms, gaming apps, and even seemingly harmless photo-sharing sites can collect personal details that later become part of complex data broker networks. Children’s images, once gathered, might be used in ways far from their original context, appearing in advertisements, training artificial intelligence systems, or being sold to third-party marketers.

Essential Precautionary Measures

Organisations handling children’s data in Tanzania are required to implement robust safeguards to comply with evolving legal standards. First and foremost, verifiable parental consent must be obtained before collecting any personal information from children under 18. This consent should be informed, specific, and easily revocable. It means clearly communicating the intended use and audience of any data or image and avoiding vague or broad consent. Instead, consent should be precise and well-informed, ensuring parents or guardians fully understand how the information will be used.

It is equally important to allow easy withdrawal or deletion of consent. Parents should be able to revoke their permission without difficulty, and any related content must be erased promptly when requested. The Personal Data Protection Act (PDPA) explicitly requires that erasure be honoured swiftly, as highlighted in this ruling.

Data minimisation principles become essential when handling children’s information. Organisations should gather only the data strictly necessary for their stated aims and avoid building detailed profiles of young users. Regular audits of data collection methods can help ensure compliance and spot potential vulnerabilities.

Technical safeguards should include stronger security measures for children’s data, recognising that breaches involving minors pose greater reputational and legal risks. This encompasses encryption of stored data, secure transmission protocols, and limited access controls that restrict who within an organisation can view children’s personal information.

Children’s data must be handled with the highest sensitivity. Their images and personal details are classified as “sensitive personal data” and require especially careful treatment. Even innocent contexts like community notices or casual social media posts become subject to regulatory oversight when minors are involved.

Ultimately, businesses must stay informed about evolving legal standards and best practices in child data protection. Tanzania’s PDPA is still evolving, and the High Court has previously pointed out ambiguities in its provisions, calling for greater clarity. Staying updated ensures compliance and shows respect for children’s rights in the digital age.

Learnings from Global Best Practices

Tanzania’s approach aligns with international trends towards stronger protections for children’s privacy. The European Union’s General Data Protection Regulation has set high standards for children’s consent processes, while the United States continues to strengthen its Children’s Online Privacy Protection Act (COPPA). Global commentary, such as the UN’s General Comment No. 25 on children in the digital age, highlights the increasing online risks that demand more robust safeguards for minors. These international frameworks serve as valuable models for implementation in Tanzania. The recognition that children require special protection in digital environments reflects a growing understanding of developmental psychology and the dynamics of power. Children lack the cognitive ability to fully grasp the implications of sharing personal information, making them particularly vulnerable to exploitation and long-term harm from inappropriate data use.

Corporate Responsibility and Ethical Obligations

Beyond legal compliance, businesses operating in Tanzania face increasing ethical responsibilities to safeguard children’s privacy. This involves designing products and services with privacy-by-default principles, regularly conducting impact assessments for services used by minors, and being transparent about data collection methods. Companies should also consider the long-term effects of their data practices on children’s development and future privacy. Personal data collected during childhood can follow individuals throughout their lives, potentially influencing their educational, professional, and personal opportunities for decades to come.

Looking Forward: Building a Protective Framework

Tanzania’s developing privacy jurisprudence demonstrates a strong commitment to safeguarding children’s rights in an increasingly digital world. The effectiveness of these protections will ultimately rely on robust enforcement, public awareness, and corporate adherence. Parents, educators, and advocacy organisations play vital roles in ensuring children understand their privacy rights and can exercise them confidently.