Kenya’s Workplace of the Knowledge Safety Commissioner (ODPC) has fined digital lender Whitepath KES 250,000 ($2,000) for violating information privateness legal guidelines. Court docket information present that the regulator discovered that Whitepath, which operates Instarcash and Zuricash mortgage apps, listed a person as a guarantor with out their consent and subjected them to debt assortment calls after the borrower defaulted.
The nice—the corporate’s second in two years—provides to rising regulatory strain on Kenyan digital lenders, who’re scrutinized for aggressive debt assortment ways and mishandling buyer information.
Based on courtroom paperwork seen by TechCabal, Dennis Caleb Owuor acquired an sudden debt assortment name from a Whitepath consultant in November 2024. The caller claimed Owuor was listed as a guarantor for a defaulting borrower, regardless of Owuor having no prior settlement to such an association. When he questioned the declare, the caller failed to offer any justification however continued to demand compensation. Regardless of Owuor’s directions to cease, the calls persevered, prompting him to escalate the matter to the ODPC, alleging unlawful privateness breaches and harassment.
Whitepath failed to reply to the regulator’s inquiries, however Kenya’s Knowledge Safety Act permits enforcement regardless. The ODPC dominated that Whitepath had no authorized foundation to course of the complainant’s information, as itemizing somebody as a guarantor requires specific consent— which was by no means obtained. The corporate additionally violated information safety legal guidelines by failing to inform them that their information was getting used.
Along with the nice, the regulator directed Whitepath to erase the complainant’s information and supply proof of compliance.
This isn’t Whitepath’s first information privateness violation. In April 2023, the ODPC fined the lender KES 5 million ($39,000) after practically 150 complaints alleging unauthorised entry to debtors’ contact lists and sending unsolicited messages. The penalty got here after Whitepath ignored an earlier enforcement discover.
Whitepath didn’t instantly reply to a request for remark.
The case highlights ongoing regulatory motion towards digital lenders utilizing unethical information practices, together with extracting contact particulars from debtors’ telephones, sharing debtor info publicly, and using aggressive assortment ways.
Whereas enforcement is growing, considerations stay over whether or not present penalties are enough. A KES 250,000 ($2000) penalty could not considerably deter a agency that disregarded a KES 5 million nice in 2023. Stronger regulatory measures, together with bigger fines and prison legal responsibility for repeat offenders, could also be required to make sure compliance and shield client rights.
