Kenyan digital lender Whitepath fined $2,000 for unlawful data use in second privacy violation

Kenya’s Office of the Data Protection Commissioner (ODPC)  has fined digital lender Whitepath KES 250,000 ($2,000) for violating data privacy laws. Court records show that the regulator found that Whitepath, which operates Instarcash and Zuricash loan apps, listed an individual as a guarantor without their consent and subjected them to debt collection calls after the borrower defaulted.

The fine—the company’s second in two years—adds to growing regulatory pressure on Kenyan digital lenders, who are scrutinized for aggressive debt collection tactics and mishandling customer data.

According to court documents seen by TechCabal, Dennis Caleb Owuor received an unexpected debt collection call from a Whitepath representative in November 2024. The caller claimed Owuor was listed as a guarantor for a defaulting borrower, despite Owuor having no prior agreement to such an arrangement. When he questioned the claim, the caller failed to provide any justification but continued to demand repayment. Despite Owuor’s instructions to stop, the calls persisted, prompting him to escalate the matter to the ODPC, alleging illegal privacy breaches and harassment.

Whitepath failed to respond to the regulator’s inquiries, but  Kenya’s Data Protection Act allows enforcement regardless. The ODPC ruled that Whitepath had no legal basis to process the complainant’s data, as listing someone as a guarantor requires explicit consent— which was never obtained. The company also violated data protection laws by failing to notify them that their data was being used.

In addition to the fine, the regulator directed Whitepath to erase the complainant’s data and provide proof of compliance.

This is not Whitepath’s first data privacy violation. In April 2023, the ODPC fined the lender KES 5 million ($39,000) after nearly 150 complaints alleging unauthorised access to borrowers’ contact lists and sending unsolicited messages. The penalty came after Whitepath ignored an earlier enforcement notice.

Whitepath did not immediately respond to a request for comment.

The case highlights ongoing regulatory action against digital lenders using unethical data practices, including extracting contact details from borrowers’ phones, sharing debtor information publicly, and employing aggressive collection tactics.

While enforcement is increasing, concerns remain over whether current penalties are sufficient. A KES 250,000 ($2000) penalty may not significantly deter a firm that disregarded a KES 5 million fine in 2023. Stronger regulatory measures, including larger fines and criminal liability for repeat offenders, may be required to ensure compliance and protect consumer rights.