In Kenya, the creation of digital credit apps has opened access to small loans for many who are under-banked. However, alongside this growth have come serious concerns about misuse of personal data, unethical recovery practices, and breaches of privacy rights. The combination of sensitive data collection, weak enforcement, and aggressive debt-collection tactics has made this a major consumer-protection issue.
Mobile/digital credit providers in Kenya have been flagged for various data protection and harassment practices:
- In 2022 the Office of the Data Protection Commissioner (ODPC) reported that by 30th September it had received 1,030 complaints; of those, 555 were admitted, with 299 relating to digital lenders.
- Some lenders were found to be accessing borrowers’ phone contacts, sending messages to those contacts, sharing data with third parties, or posting personal data of defaulters.
- One lender, Whitepath Company Limited (owner of several apps), was fined Kes 5 million after about 150 complaints for mining contacts and sending unsolicited messages.
- Another provider, Mulla Pride Ltd (apps: Ke Credit, Fair Cash) was fined Kes 2.9 million for using names/contacts obtained from third parties to shame borrowers.
- There have been reports of apps requesting access to messages, location, calendar and contacts, and then using that data for credit scoring or post-default pressure.
While digital credit can promote access, many apps operate with little transparency, and misuse of personal data is widespread.
Mechanisms of Data Collection & Abuse
What data is collected?
Many of these loan apps request wide permissions when installed:
- Access to contacts and call logs.
- Access to messages, mobile money transaction history, location, calendar.
- Some share data with third-party analytics / marketing firms or credit bureaus without clear consent.
How misuse happens
- Debt-shaming tactics: When a borrower defaults, the app uses the contact list to message the borrower's friends and family, or makes threatening calls to those contacts.
- Unauthorized sharing of borrower data with third-party debt collectors or marketing firms.
- Lack of informed consent: Borrowers may not understand the extent of data being collected or how it’s used.
- Unlicensed or rogue apps: Some apps operate without being properly regulated or licensed, and therefore operate with fewer safeguards.
Regulatory & Legal Responses
Key laws & rules
- The Data Protection Act, 2019 (Kenya) lays out the rights of data subjects and the obligations of data controllers and processors, including breach-notification duties.
- The Central Bank of Kenya (CBK)’s Digital Credit Providers Regulations 2021: Lenders must be licensed as Data Controllers and Processors, must avoid unauthorised calls to contacts, must not harass borrowers, and must obtain consent for third-party data sharing.
- The ODPC has powers under Section 63 of the Data Protection Act to impose penalties for non-compliance.
- Platform rules: Google (Play Store) updated its policy in 2023, banning personal-loan apps from accessing photos/contacts unless essential.
What Borrowers Should Do
- Check licensing: Before borrowing from a mobile-loan app, verify whether it is a licensed DCP (digital credit provider) under CBK regulations.
- Review permissions: When installing the loan app, look at what permissions you are granting (contacts, SMS, location) and whether those are reasonable for a loan app.
- Read the privacy policy: Though often lengthy, see whether the app clearly states how your data will be used, with whom data will be shared, and what rights you have.
- Limit access: If an app is requesting access to data not clearly required (e.g., contacts, photos), you may consider declining or using a different provider.
- Protect your contacts: Be mindful of which apps have access to your address book; avoid granting unnecessary permissions when possible.
- Report abuses: If you receive harassing messages/calls from a lender or your contacts are being targeted, lodge a complaint with the ODPC.
- Budget carefully: Borrow only what you can repay, understand the interest and penalty structure, and avoid rolling over short-term app loans into deeper debt.
Conclusion
The rise of mobile-loan apps in Kenya has created both opportunities and risks. On one hand, they provide quick access to credit. On the other, they have been implicated in serious breaches of data protection, harassment of borrowers and misuse of contacts and device data. The regulatory framework is evolving, with enforcement actions increasingly visible, but gaps remain. Borrowers must remain vigilant, understand their rights, and take care in choosing loan apps and controlling the data they share.
At RISKHOUSE INTERNATIONAL, we have a team of professionals with the expertise to offer continuous data protection training, data protection impact assessment (DPIA) and data protection compliance, among others. We would be happy to serve you! Contact us at info@riskhouse.co.ke.