NAIROBI, Kenya — Microfinance institution Platinum Credit has been ordered to pay a mobile subscriber Sh400,000 in compensation for persistently sending unsolicited loan advertisements and calls without his consent.
The Office of the Data Protection Commissioner (ODPC) found the digital lender liable following a complaint filed by Samuel Waweru on November 27, 2024, regarding unwanted promotional contact.
The ODPC determined that Platinum Credit had violated Article 31 of the Constitution, which guarantees the right to privacy, alongside several critical provisions of the Data Protection Act governing the lawful handling of personal data.
Data Commissioner Immaculate Kassait announced the enforcement action in her official determination.
“The Respondent is hereby ordered to pay the Complainant Sh400,000 as compensation; an enforcement notice is hereby issued to the Respondent,” Data Commissioner Immaculate Kassait said in her determination.
Directors face potential prosecution
In addition to the financial penalty, the ODPC has recommended the prosecution of Platinum Credit’s directors. The recommendation stems from the regulator’s finding that the directors furnished the ODPC with misleading information during the investigation.
“A recommendation for prosecution is hereby made against the Respondent’s directors for furnishing to the Data Commissioner information which they knew to be false or misleading, an offence under Section 57(3) as read with Section 73 of the Act,” Ms Kassait added.
Directors found guilty under these sections face stiff penalties, including fines of up to Sh3 million or imprisonment terms of up to 10 years, or both.
Industry-wide spam concerns
The ruling addresses a widespread concern among Kenyan mobile phone users who have recently complained about an overwhelming surge in spam, including trivia alerts, betting notifications, motivational quotes, and digital lending offers.
Last month, the Communications Authority of Kenya (CA) acknowledged the public frustration, calling the issue a priority.
“We have also noted consumer frustration over spam messages, unsolicited subscriptions, unauthorised use of phone numbers and unauthorised premium services,” the CA said in a statement. “These concerns are a priority for the Authority.”
Consumer rights under the Data Protection Act
The Data Protection Act mandates strict conditions for direct marketing:
- Data controllers must have obtained customer consent and legally collected the data.
- The customer must be notified that marketing is a specific purpose of data collection.
- Marketers must provide a clear and working opt-out mechanism without charging the customer.
Also Read: Cyberattack paralyzes Kenyan ministry websites, replaces pages with extremist propaganda
Furthermore, the law explicitly grants consumers the authority to halt the use of their data for promotional purposes.
“A data subject may request a data controller or data processor not to process all or part of their personal data, for a specified purpose or in a specified manner, such as direct marketing purposes,” the Act states.
Aggrieved subscribers can file a complaint with the ODPC online, which is required to investigate the matter within 90 days.
