Kenya’s data protection authority has levied a fine of KES 250,000 (approximately $2,000) against loan application provider Whitepath for unlawfully designating a user as a guarantor without their consent and subjecting them to harassment. The Office of the Data Protection Commissioner (ODPC) found that Whitepath, which operates the loan applications Instarcash and Zuricash, breached privacy regulations by processing personal data without a legitimate legal basis.
This ruling came to light following a complaint from Dennis Caleb Owuor, who began receiving debt collection calls in November 2024 from representatives of Whitepath. The callers insisted that he was a guarantor for a borrower who had defaulted on their loan. “I had no idea that I was listed as a guarantor for anyone,” Owuor stated during his testimony to the regulators. Despite his objections, Whitepath persisted in demanding payment and failed to clarify how he had been designated as a guarantor.
After exhausting all avenues to halt the harassment, Owuor lodged a formal complaint with the ODPC. When the regulatory body reached out to Whitepath regarding the allegations, the company did not respond. The ODPC concluded that Whitepath lacked the legal justification to process Owuor’s personal information or to designate him as a guarantor without obtaining explicit consent. Furthermore, the company did not comply with the requirement to inform individuals when their data is being utilized.
In addition to the financial penalty, the ODPC mandated that Whitepath delete all of Owuor’s personal data and provide proof of compliance with this directive. This incident is not Whitepath’s first encounter with Kenya’s data protection authorities. Since its inception in 2019, the loan application has been under increasing scrutiny. In April 2023, the company faced a significantly larger fine of KES 5 million (around $39,000) after approximately 150 customers reported unauthorized access to their contact lists and the sending of unsolicited messages. This penalty was imposed after Whitepath disregarded a prior enforcement notice.
This ruling is part of a broader regulatory initiative aimed at curbing abusive practices by digital lenders in Kenya, which have included the public disclosure of defaulters’ information, aggressive debt collection tactics, and unauthorized extraction of borrowers’ contact details from their mobile devices.
In recent years, Kenya has progressively tightened its regulation of digital credit providers. In December 2024, amendments to the Central Bank of Kenya (CBK) Act reclassified digital lenders as Non-Deposit Taking Credit Providers (NDTCs), subjecting them to stricter compliance requirements. These reforms, which must be fully enacted by June 28, 2025, include caps on interest rates, enhanced data protection regulations, and a minimum capital requirement of KES 100 million for operators.
In early 2023, Google took action by removing nearly 500 loan applications from its Play Store after implementing a policy that requires digital lenders to present proof of licensing from the Central Bank of Kenya. This policy change followed the introduction of Kenya’s Digital Credit Providers regulations, which mandated that entities offering loans digitally obtain a license from the CBK.
The digital lending sector has experienced rapid growth in Kenya, with data from the CBK indicating that while over 730 companies applied for licensing, only 85 had received approval as of October 2024. Similar regulatory trends are emerging across the African continent. In Nigeria, the Federal Competition and Consumer Protection Commission (FCCPC) reported an 18.8% increase in approved loan applications, rising from 320 in October 2024 to 380 in February 2025, underscoring the increasing popularity of digital credit.
A recent investigation by Technext also revealed a vulnerable MongoDB database linked to BestFin Nigeria, which contained over 300GB of unprotected personal data belonging to 846,000 individuals, highlighting the data security challenges that the sector faces. As digital lending platforms continue to proliferate across Africa, Kenya’s regulatory framework may provide valuable insights into how to protect consumers while promoting financial inclusion through technological advancements.
