The 2013 general election marked the entry of data-driven campaigning into Kenyan politics as political parties begun collecting and storing voter data. More sophisticated techniques were deployed in 2017 as politicians retained the services of data analytics firms such as Cambridge Analytica, accused of digital colonialism and undermining democracies. It is alleged that political parties engaged in regular targeting and more intrusive micro-targeting, facilitated by the absence of a data protection legal framework. The promulgation of the Data Protection Act, 2019, ostensibly remedied this gap. This paper analyses whether, and to what extent, political parties can rely on the same—or similar— regular targeting and micro-targeting techniques in subsequent elections. While regular targeting differs from micro-targeting as the latter operates at a more granular level, both comprise of three steps—collecting a voter’s personal data, profiling them, and sending out targeted messages. This paper considers the legality of each of these steps in turn. It finds that going forward, such practices will likely require the consent of the data subject. However, the Act provides for several exceptions which political parties could abuse to circumvent this requirement. There are also considerable loopholes that allow open access to voter data in the electoral list as well as the personal data of the members of a rival political party. The efficacy of the Data Protection Act will largely rest on whether the Data Protection Commissioner will interpret it progressively and hold political parties to account.