On July 10, 2025, Uganda's Personal Data Protection Office secured the country's first criminal conviction under the Data Protection and Privacy Act 2019. The case involved a digital lending company whose director had used a borrower's personal data (name, photograph, and phone number) to create a threatening video circulated on WhatsApp. The director was convicted of operating without PDPO registration and of processing personal data without consent. The fine was modest. The precedent is not. The PDPO's acting director was explicit: this conviction is the beginning of assertive enforcement, not an isolated case.
Business SMS in Uganda is governed by the Uganda Communications Commission (UCC) for telecommunications requirements and by the Data Protection and Privacy Act 2019 (DPPA) for how personal data, including phone numbers, is collected, processed, and used. Sender ID registration is required per operator and typically takes two weeks. Standard A2P SMS channels do not support two-way messaging, so programs that depend on replies or inbound keywords must be designed around alternative mechanisms. The DPPA applies to all organizations processing personal data of Ugandan residents, including those based outside the country.
Uganda sits at the center of Telerivet's East Africa account cluster. Research organizations running longitudinal programs, development sector operators coordinating field staff, and PAYGo operators managing rural energy customers all use SMS as the primary channel for reaching a population that is highly mobile-connected but primarily on feature phones or low-cost Android devices. Getting the compliance architecture right before the program launches matters in Uganda now in a way it did not three years ago.
The mobile market and sender ID registration
Uganda's mobile market is dominated by two operators. MTN Uganda holds approximately 55 to 60% of subscribers and is the primary route for most A2P programs. Airtel Uganda holds the remainder. Lycamobile has launched as a fourth licensed network but has limited market presence for business messaging. Africell Uganda exited the consumer market in 2021 and is no longer an active route.
Alphanumeric sender IDs are supported in Uganda and must be registered separately with MTN and Airtel before any commercial messages can use them. Registration is handled through your SMS provider, who submits the application to each operator. The process takes approximately two weeks from submission of a valid application. The sender ID must be a maximum of 11 characters, with no spaces permitted, though hyphens and underscores are acceptable.
Unlike most other East African markets where sender ID registration carries a one-time or per-application fee, Uganda charges a monthly maintenance fee, currently around UGX 250,000 (approximately $65 to $70) per sender ID. This recurring cost is worth factoring into program budgeting, particularly for organizations running multiple brands or programs under different sender names.
Generic sender IDs are typically rejected. Terms like "ALERTS," "INFO," or "NOTIFY" do not pass review because they cannot be clearly associated with a specific registered organization. Your sender ID should reflect your organization's name or a recognizable abbreviated form of it, supported by documentation.
Unregistered messages do not necessarily fail silently in Uganda, but they may arrive as random numeric strings that recipients cannot identify, significantly reducing response rates and trust. For programs where recipients need to recognize and act on the message, a registered alphanumeric ID is essential.
Two-way SMS and the Android Gateway solution
Standard A2P SMS channels in Uganda do not support inbound replies. This is the same constraint documented in Rwanda, and it has the same design implication: any workflow built around reply-based opt-outs, acknowledgment logging, or inbound keywords needs an alternative architecture.
USSD is extensively used in Uganda for mobile money and financial services, with over 36.7 million active mobile money users on MTN Mobile Money (*165#) and Airtel Money (*185#) as of Q1 2026. The population is comfortable with USSD menu navigation, making a USSD-based opt-out or response mechanism a practical alternative to SMS reply for interactive program elements. A web link in the message body is a second option where smartphone penetration is sufficient.
For programs that genuinely require two-way SMS conversation, the Telerivet Android Gateway is the designed solution. An Android device with a local Ugandan SIM routes messages as P2P traffic rather than A2P. Recipients can reply to that number and the replies are processed by the platform in real time. Two-way acknowledgment logging, opt-out capture, and inbound keyword workflows all function through this route in a market where the standard carrier infrastructure does not support them.
This is the architecture used by research organizations running longitudinal survey programs in Uganda, where a field respondent needs to reply to a check-in or answer a follow-up question. The same pattern applies to PAYGo solar programs that need payment confirmation replies and to field workforce coordination programs where a worker's acknowledgment of a safety message matters.
Design for one-way by default, and add interaction deliberately. Many organizations assume every SMS program can simply ask recipients to reply. In Uganda, that assumption often breaks because of the underlying A2P infrastructure. Before designing reply-based workflows, decide whether the interaction belongs on SMS, USSD, WhatsApp, or an Android Gateway route. Building around the infrastructure from the outset is much easier than redesigning the workflow after launch.
The Data Protection and Privacy Act 2019
Uganda's DPPA was enacted in 2019 and supplemented by the Data Protection and Privacy Regulations in March 2021. The Personal Data Protection Office, established within the National Information Technology Authority of Uganda (NITA-U), is the enforcement authority. The PDPO operates a registration portal and requires many organizations acting as data controllers, processors, or collectors to register and renew that registration annually. Organizations should determine whether registration applies to their activities under the current PDPO framework.
The DPPA has explicit extraterritorial scope. It applies to any organization that processes personal data of Ugandan residents, regardless of where that organization is established. Following the Nano Loans conviction in July 2025, the PDPO moved further to enforce this reach against major global platforms. In a July 2025 decision, the PDPO ordered Google to register with the office, appoint a data protection officer, and document its cross-border transfer compliance framework. Similar enforcement action was taken against Meta regarding WhatsApp data flows. These orders illustrate the PDPO's intention to apply the Act to organizations processing Ugandan personal data from outside Uganda, and the acting director confirmed they represent the beginning of systematic enforcement rather than isolated cases.
For international organizations running SMS programs in Uganda, this enforcement direction has a direct practical implication. Phone numbers collected from Ugandan program participants are personal data under the DPPA. Organizations that are required to register with the PDPO should ensure that registration is completed before processing personal data covered by the Act, regardless of where the organization's servers are located or where it is incorporated.
Consent under the DPPA must be freely given, specific, informed, and unambiguous. Purpose limitation applies: data collected for one program purpose cannot be reused for a different one without fresh consent. Data subjects have rights of access, correction, and objection to processing, and organizations must have a process for responding to those requests.
Cross-border data transfers are permitted where the recipient country has data protection standards equivalent to those in the DPPA, where the data subject has specifically consented to the transfer, or where another lawful transfer mechanism under the Act applies. Organizations that store Ugandan program data on servers outside Uganda must document the legal basis for that transfer and be prepared to produce that documentation on PDPO request.
Administrative fines under the DPPA can reach 2% of gross annual turnover. The Nano Loans criminal conviction in July 2025 added a personal liability dimension: the case demonstrates that individual officers may face personal criminal liability in certain circumstances, not just organizational fines. That shifts the risk calculation considerably for senior operators overseeing programs that handle Ugandan personal data without adequate compliance documentation.
Sending guidelines and the DND situation
Uganda does not operate a national Do Not Call or Do Not Disturb registry equivalent to Nigeria's 2442 system or Kenya's network-level DND filters. Ugandan mobile subscribers can dial 1965# to block unsolicited SMS on-network, but this is a consumer self-help mechanism rather than a centralized regulatory filter that business programs must check. Suppression list management is entirely the program's responsibility. Every opt-out received through any channel must be captured and checked before every subsequent send.
There are no legally mandated sending hours in Uganda. Best practice across the East Africa market is to send between 8 AM and 8 PM East Africa Time (UTC+3) and to avoid Sunday mornings, national holidays, and significant national commemoration dates. Uganda has a number of public holidays and national days that carry cultural weight beyond their formal status, and messaging during those periods without careful consideration of content and context risks both carrier filtering and reputational damage.
For transactional and operational messages, including payment confirmations, service alerts, and notifications triggered by user action, the time restrictions that apply to promotional content are not relevant in the same way. Operational messages from health programs, field coordination workflows, and PAYGo payment systems can be sent when operationally required.
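The sending rules above, together with the sender ID format rules from the registration section, can be enforced as a single pre-send gate that sits above the carrier connection. The sketch below is an added example, not Telerivet code: the function names, reason strings, and sample numbers are hypothetical, and it assumes Ugandan numbers use country code 256 with 9-digit national numbers.

```python
import re
from datetime import datetime, timedelta, timezone

EAT = timezone(timedelta(hours=3))             # East Africa Time, UTC+3
SENDER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,11}")  # max 11 chars, no spaces
GENERIC_IDS = {"ALERTS", "INFO", "NOTIFY"}     # examples the article says fail review


def normalize_msisdn(raw: str) -> str:
    """Canonicalise to +256XXXXXXXXX so an opt-out captured in one format
    (USSD, web form, gateway reply) matches a send list in another.
    Assumption: country code 256 and 9-digit national numbers."""
    digits = re.sub(r"\D", "", raw).lstrip("0")
    if len(digits) == 12 and digits.startswith("256"):
        digits = digits[3:]
    if len(digits) != 9:
        raise ValueError(f"not a recognisable Ugandan number: {raw!r}")
    return "+256" + digits


def record_opt_out(suppressed: set, raw_number: str) -> None:
    """Store opt-outs in canonical form, whatever channel they arrived on."""
    suppressed.add(normalize_msisdn(raw_number))


def presend_check(to: str, sender_id: str, kind: str,
                  suppressed: set, now: datetime) -> list:
    """Return the reasons to block this send; an empty list means it may go."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    reasons = []
    if not SENDER_ID_RE.fullmatch(sender_id):
        reasons.append("sender_id_format")
    elif sender_id.upper() in GENERIC_IDS:
        reasons.append("sender_id_generic")
    # Opt-outs apply to every message kind and are checked on every send.
    if normalize_msisdn(to) in suppressed:
        reasons.append("recipient_opted_out")
    # The 8 AM to 8 PM EAT window is applied to promotional content only.
    if kind == "promotional" and not 8 <= now.astimezone(EAT).hour < 20:
        reasons.append("outside_send_window")
    return reasons


if __name__ == "__main__":
    opted_out = set()
    record_opt_out(opted_out, "0772 123 456")   # constructed sample number
    evening = datetime(2025, 7, 10, 18, 30, tzinfo=timezone.utc)  # 21:30 EAT
    print(presend_check("+256772123456", "INFO", "promotional", opted_out, evening))
```

Normalizing on both capture and lookup is what keeps an opt-out received as `0772 123 456` from being missed when the send list carries `+256772123456`.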
Uganda in the East Africa compliance picture
Uganda's compliance profile is most similar to Rwanda within this cluster. Both markets have standard A2P two-way SMS constraints requiring alternative design choices. Both have data protection laws with extraterritorial reach that apply to international development sector and research organizations. And both have enforcement environments that shifted materially in 2025.
Kenya and Tanzania have more developed carrier-level sender ID enforcement mechanisms. Kenya's Safaricom dominance creates a single-carrier compliance priority. Tanzania's TCRA monitoring framework from October 2024 provides substantially greater visibility into SMS traffic than previously, with a particular focus on fraud detection. Uganda's UCC framework is less technically prescriptive than either, but the DPPA enforcement trajectory in 2025 suggests that data protection compliance is now the more pressing risk for organizations operating in this market.
BYOC architecture is particularly relevant for multi-market East Africa programs. An organization running programs in Kenya, Tanzania, Uganda, and Rwanda simultaneously is managing four separate sender ID registrations, four separate data protection frameworks, and at least two markets where the Android Gateway is the practical solution for interactive workflows. The program logic, consent records, and suppression lists should sit in a layer above the connectivity, not embedded in a single carrier's system.
Frequently asked questions
Does Uganda's DPPA apply to my organization if I am based outside Uganda?
Yes. The DPPA explicitly applies to any entity that processes personal data of Ugandan residents, regardless of where the organization is established. The PDPO's 2025 enforcement actions against Google and Meta illustrate the Act's extraterritorial reach. International NGOs, development organizations, research institutions, and commercial operators running programs in Uganda should determine whether PDPO registration applies to their processing activities and act accordingly.
How do I register a sender ID in Uganda?
Registration is done through your SMS provider, who submits the application to MTN Uganda and Airtel Uganda separately. The sender ID must be 11 characters maximum with no spaces. Setup takes approximately two weeks. There is a monthly maintenance fee of approximately UGX 250,000 per sender ID, which is billed on an ongoing basis rather than as a one-time charge.
Why can't recipients reply to my business SMS in Uganda?
Standard A2P SMS channels in Uganda do not support inbound replies. This is a carrier-level constraint on the A2P routing infrastructure, not a legal restriction. The Telerivet Android Gateway provides a practical solution by routing through a local SIM as P2P traffic, which supports full two-way messaging.
Is there a national DND registry in Uganda I need to check?
No. Uganda does not maintain a centralized do-not-disturb or do-not-call registry that business programs must query. Suppression list management is entirely the program's responsibility. Consumers can block unsolicited SMS through a network self-help code, but there is no centralized register equivalent to Nigeria's 2442 system.
What are the penalties for DPPA violations in Uganda?
Administrative fines can reach 2% of gross annual turnover. The July 2025 Nano Loans case demonstrated that individual officers may face personal criminal liability in certain circumstances, not just organizational fines. The PDPO has signaled that enforcement will continue to escalate.
This article provides general operational information and should not be considered legal advice. Organizations should consult qualified legal or data protection professionals regarding their specific compliance obligations under Ugandan law.