Data Protection Rules for Loan Apps in Kenya
Read Time:4 Minute, 39 Second
Kenya’s digital lending industry has transformed how millions of people access credit. Mobile loan apps such as Tala, Branch, Zenka, and others have opened up fast and accessible loans, serving over eight million users. Since they came under regulation, these platforms have so far disbursed Sh76.8 billion in loans over three years.
But alongside this growth, there have been persistent complaints of predatory behavior. Borrowers have reported unauthorized data sharing, privacy breaches, and debt-shaming practices, where lenders harass friends or family members of borrowers to pressure repayment.
These issues pushed regulators to tighten oversight through the Data Protection Act (DPA) of 2019 and the Central Bank of Kenya’s licensing regime for digital lenders.
The Data Protection Act (DPA)
The Data Protection Act (DPA), which came into effect on November 25, 2019, was modeled on the European Union’s General Data Protection Regulation (GDPR). It is enforced by the Office of the Data Protection Commissioner (ODPC) and sets strict requirements for lawful, fair, and transparent handling of personal data.
Companies that fail to comply face administrative fines of up to KSh 5 million or 1% of their annual turnover, whichever is higher. For the loan app ecosystem, this means tighter control of how user data is collected, processed, stored, and shared.
The DPA Principles for Loan Apps
The DPA outlines eight principles binding on DCPs (Digital Credit Providers), who act as data controllers and processors. These principles guide the conduct of loan apps in Kenya:
- Lawfulness, fairness, and transparency – Digital lenders must inform borrowers why data is being collected (e.g., for credit scoring) and get explicit, informed consent. Consent notices should use simple language.
- Purpose limitation – Data collected should only be used for the purpose stated, such as risk assessment, and not for unrelated activities like indefinite tracking.
- Data minimization – Loan apps cannot request excessive permissions such as full access to photo galleries or files without clear justification.
- Accuracy – Borrower information must be kept accurate and up to date.
- Storage limitation – Data cannot be stored longer than necessary for its purpose.
- Integrity and confidentiality – Providers must apply security measures like encryption to protect personal information from breaches.
- Accountability – DCPs in Kenya must conduct Data Protection Impact Assessments (DPIAs) when dealing with high-risk processing, such as algorithmic credit scoring.
- Privacy by design – Apps must embed privacy measures into their systems right from the development stage.
Together, these principles protect borrowers from intrusive practices while ensuring digital lenders operate transparently.
Rules for Digital Lenders
Beyond the DPA, the Central Bank of Kenya regulates the sector under the Central Bank of Kenya (Amendment) Act, 2021 and the Digital Credit Providers Regulations, 2022. These form the backbone of oversight for loan apps.
According to CBK’s 2022 Regulations, digital lenders must be licensed as DCPs and adhere to consumer protection standards. Among the specific rules:
- No unauthorized calls to contacts – Loan apps cannot contact borrowers’ friends or relatives to demand repayment.
- No threats or harassment – Posting personal data online or using threats to pressure repayment is banned.
- Consent-based data sharing – Defaulter data cannot be shared with third parties like Credit Reference Bureaus without borrower consent.
- Mandatory registration with ODPC – DCPs in Kenya must register with the ODPC if processing personal data on a large scale.
- Breach notifications – Apps must notify ODPC within 72 hours in the event of a data breach.
- Transparency in third-party relationships – Lenders must disclose if they are sharing borrower information with external service providers.
Borrowers also enjoy data subject rights under Section 26 of the DPA. These include the right to access their data, request corrections, request deletion (the “right to be forgotten”), object to processing, and request portability (moving their data to another lender).
For foreign-backed loan apps, such as Branch (U.S.-based), cross-border data transfers must comply with safeguards like Standard Contractual Clauses or ODPC’s adequacy requirements.
Enforcement and Penalties
Regulatory enforcement has tightened in recent years. The ODPC investigates complaints and issues fines, while CBK oversees licensing. By September 2025, CBK had licensed 153 Digital Credit Providers, up from 85 in 2024.
License applicants are required to maintain physical offices in Kenya, undergo security audits, and pass fit-and-proper tests for directors and shareholders. Unlicensed loan apps have faced bans, including removal from Google Play since 2023.
Penalties have been applied against violators. In 2023, Mulla Pride Ltd, the company behind KeCredit and Faircash, was fined KSh 2.97 million for shaming borrowers by contacting their friends and family. By May 2024, harassment cases dropped by 75% as enforcement became more consistent.
The ODPC reported receiving 2,675 complaints by 2023, 857 of which were formally acknowledged, many linked to loan apps. The regulator also conducts audits, issues enforcement notices, and raises public awareness of data protection rights.
Challenges and Borrower Protections
Despite regulatory progress, challenges persist. Some unregulated apps continue to rebrand under new names to evade detection. Studies, including one by CIPIT in 2021, have raised concerns about excessive permissions such as unnecessary location tracking, which raises surveillance risks.
Borrowers have recourse if their data rights are violated. Complaints can be filed through ODPC’s official portal (odpc.go.ke) or CBK’s reporting email (digitalcredit@centralbank.go.ke).
Protections also exist under the Consumer Protection Act, 2012, which requires transparent loan terms and fair treatment of consumers. Alternative Dispute Resolution (ADR) mechanisms also exist for resolving disputes more quickly outside the courts.
Jefferson Wachira is a writer at Africa Digest News, specializing in banking and finance trends, and their impact on African economies.
Happy
0 %
Sad
0 %
Excited
0 %
Sleepy
0 %
Angry
0 %
Surprise
0 %
0
0
Average Rating