Kenya’s financial sector has embraced digital transformation like never before. Mobile lending apps, instant loans, and online banking have made credit accessible to millions. Yet this rapid growth has come with a serious downside: exploding data privacy violations and aggressive enforcement by the Office of the Data Protection Commissioner (ODPC).
Digital lenders have faced repeated fines for accessing borrowers’ phone contacts without consent, sending unsolicited messages, and using third-party information for aggressive debt recovery. One prominent digital lender was hit with a KSh 5 million fine after nearly 150 complaints about unauthorised contact mining. The same company later received additional penalties for listing individuals as guarantors without permission and subjecting them to unwanted collection calls. Other lenders have been ordered to pay hundreds of thousands in compensation for sharing customer details with family members or employers during loan defaults.
The financial sector now accounts for a significant share of ODPC determinations. Complaints often centre on unlawful data collection, excessive processing through apps, failure to honour deletion requests, and harassing recovery tactics. Fines have reached millions of shillings, and compensation awards to affected customers are becoming common. The Central Bank of Kenya has also tightened links between licensing and data protection compliance, making strong privacy practices a licensing requirement for digital credit providers.
These cases highlight a clear pattern. Many institutions still rely on broad “accept terms” consents that fail to meet legal standards. Apps sometimes request unnecessary permissions for contacts, SMS, or location data. Debt collection frequently crosses into sharing sensitive financial information with unauthorised third parties. Such practices not only attract regulatory penalties but also erode customer trust at a time when Kenyans are becoming more aware of their privacy rights.
With enforcement activity increasing and total penalties across sectors exceeding KSh 26 million in recent determinations, the message is unmistakable. Data protection is no longer a soft legal issue — it directly impacts licences, reputations, and bottom lines. Financial institutions that invest in proper consent mechanisms, limit data collection to what is strictly necessary, and handle debt recovery responsibly will stand out as trustworthy partners in Kenya’s digital economy.
Customer trust is now built on how responsibly you handle personal data. In 2026 and beyond, those who ignore this reality risk costly enforcement actions and losing the very borrowers they seek to serve.
