Platinum Credit Ordered to Compensate Subscriber Sh400,000 Over Spam Calls

Read Time:2 Minute, 29 Second

Platinum Credit has been ordered to pay Sh400,000 to a mobile subscriber after the Office of the Data Protection Commissioner (ODPC) found the lender sent persistent promotional messages and calls without consent.

Data Commissioner Immaculate Kassait said the firm violated Article 31 of the Constitution, which guarantees privacy, as well as provisions of the Data Protection Act on lawful processing. The ODPC issued an enforcement notice alongside the compensation order, citing the breach of privacy rights.

The regulator also recommended prosecuting the lender’s directors for providing false or misleading information during the investigation. Under Section 57(3) read with Section 73 of the Data Protection Act, directors face penalties of up to Sh3 million, jail terms of up to 10 years, or both.

This ruling comes amid a surge in spam alerts and unsolicited digital-lending offers. The Communications Authority of Kenya has flagged consumer frustration over spam, unauthorized subscriptions, and premium services as a priority for enforcement.

Platinum Credit is not new to ODPC scrutiny. In April 2025, it was among three lenders—Whitepath and Rocketpesa—fined a combined Sh2.25 million for privacy violations. In that case, Platinum Credit’s penalty also stood at Sh400,000 for contacting consumers without consent.

The ODPC’s actions align with a 2022 audit of 40 digital credit providers, including major players such as Tala, Branch, Zenka, and FlashPesa, which found that more than 50% of 555 complaints targeted lenders for data misuse.

Non-compliance risks license revocation under Central Bank of Kenya (CBK) regulations, which cap interest rates and prohibit debt shaming.

Kenya’s growing digital lending sector, which serves millions through mobile apps, has seen repeated fines for violations of privacy and consent.

In September 2023, Mulla Pride Ltd, which operates the KeCredit and Faircash apps, was fined Sh2.975 million for sourcing third-party contacts to send threatening debt-recovery messages, violating Sections 25 and 41 of the Data Protection Act.

Similarly, Cloudloan was fined Sh900,000 in 2023 for unauthorized contact mining, aggressive third-party reminders, and data sharing, a fine later upheld by the High Court in August 2025.

Whitepath, audited in late 2024, was penalized Sh750,000 for failing to notify guarantors about data collection, infringing the “right to be informed” under Section 29. Rocketpesa incurred Sh1.1 million in April 2025 for similar unsolicited outreach.

These breaches primarily violate core principles of the Data Protection Act, including Section 25 on purpose limitation, accuracy, and storage minimization; Section 32 on direct collection; and Section 44 on child data protections, which are often overlooked in guarantor profiling.

Article 31 of the Constitution underpins all these protections, guarding against unwarranted intrusions.

The Communications Authority has highlighted spam and unauthorized digital-lending practices as a top enforcement focus for 2025, while the CBK’s regulations empower authorities to suspend licenses for repeated breaches.

Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends, and their impact on African economies.