Kenya's Office of the Data Protection Commissioner (ODPC) has fined digital lender Whitepath KES 250,000 ($2,000) for violating data privacy laws. The regulator found that Whitepath, which operates Instarcash and Zuricash loan apps, listed an individual as a guarantor without their consent and subjected them to debt collection calls after the borrower defaulted.

The fine, Whitepath's second in two years, adds to growing regulatory pressure on Kenyan digital lenders, who are being scrutinized for aggressive debt collection tactics and mishandling customer data. According to court documents, Dennis Caleb Owuor received an unexpected debt collection call from a Whitepath representative in November 2024, claiming Owuor was listed as a guarantor for a defaulting borrower, despite having no prior agreement to such an arrangement.

When Owuor questioned the claim, the caller failed to provide any justification but continued to demand repayment. Despite Owuor's instructions to stop, the calls persisted, prompting him to escalate the matter to the ODPC, alleging illegal privacy breaches and harassment. Whitepath failed to respond to the regulator's inquiries, but Kenya's Data Protection Act allows enforcement regardless.

The ODPC ruled that Whitepath had no legal basis to process the complainant's data, as listing someone as a guarantor requires explicit consent – which was never obtained. The company also violated data protection laws by failing to notify the individual that their data was being used. In addition to the fine, the regulator directed Whitepath to erase the complainant's data and provide proof of compliance.

This is not Whitepath's first data privacy violation. In April 2023, the ODPC fined the lender KES 5 million ($39,000) after nearly 150 complaints alleging unauthorized access to borrowers' contact lists and sending unsolicited messages. The penalty came after Whitepath ignored an earlier enforcement notice.

Whitepath did not immediately respond to a request for comment. The case highlights ongoing regulatory action against digital lenders using unethical data practices, including extracting contact details from borrowers' phones, sharing debtor information publicly, and employing aggressive collection tactics.

While enforcement is increasing, concerns remain over whether current penalties are sufficient. A KES 250,000 ($2,000) penalty may not significantly deter a firm that disregarded a KES 5 million fine in 2023. Stronger regulatory measures, including larger fines and criminal liability for repeat offenders, may be required to ensure compliance and protect consumer rights.

The growing scrutiny of digital lenders in Kenya is a welcome development, as it aims to protect consumers from unscrupulous practices. However, it also underscores the need for more stringent regulations and enforcement mechanisms to hold companies accountable for their actions. As the digital lending space continues to evolve, it is essential that regulators and policymakers prioritize consumer protection and data privacy.