Platinum Credit Fined KES 900k: A Warning to Digital Credit Providers

For digital lenders and financial institutions, the “Wild West” era of unregulated marketing has officially hit a regulatory wall. In a precedent-setting ruling against Platinum Credit Limited, the Office of the Data Protection Commissioner (ODPC) has imposed a KES 900,000 penalty for unlawful marketing and failure to honor a customer’s right to be forgotten.

This decision sends a clear, expensive message to the market: ignorance is no longer a defense. Whether the spam SMS comes from your head office or a third-party agent, the liability—and the financial penalty—stops with you.

Case Brief: PB v. Platinum Credit Limited (Case 1673 of 2024)

The Complaint:

A complainant (PB) lodged a grievance with the ODPC alleging that Platinum Credit continued to send unsolicited promotional texts and marketing calls despite his explicit objections. The complainant provided:

  • Screenshots of unsolicited messages.
  • Call logs of marketing attempts.
  • Proof of requests to be removed from the database (Right to Erasure).

The Defense:

Platinum Credit attempted to shift liability to its third-party sales agents. However, they failed to produce a valid Data Processing Agreement or prove the agents were acting outside of their instructions.

Key Legal Findings: Where the Lender Failed

The ODPC’s decision highlights four critical areas of violation under Kenyan Data Protection Law:

1. Unlawful Processing (Section 30 Violation)

The Respondent used personal data for direct marketing without express consent. The ODPC clarified that consent must be obtained before marketing begins; it cannot be implied or assumed.

2. Violation of the “Right to Object”

The right to object to direct marketing is absolute. The Respondent failed to stop processing within the statutory 14-day period after the objection was raised.

3. Failure to Honor the “Right to Erasure”

When a data subject asks to be “forgotten,” the Data Controller must act. Platinum Credit ignored the request and continued processing the data, a direct violation of the Act.

4. Controller Liability for Agents

This is a crucial precedent: You cannot blame the middleman. The ODPC ruled that the Data Controller (the lender) is liable for the actions of its agents unless a strict contract proves otherwise.

Implications for Credit Companies & Fintechs

For businesses operating in Kenya’s financial sector, this ruling signals a shift in enforcement. To avoid fines and compensation orders, companies must immediately review their operations.

1. Heightened Consent Protocols

  • Action: Review your customer onboarding flow. Do you have a clear, “opt-in” checkbox for marketing?
  • Risk: Reliance on third-party databases or “implied consent” is now a direct path to regulatory penalties.

2. Strict Agent Supervision

  • Action: Audit your third-party contracts. Do you have robust Data Processing Agreements with every marketing agency and field agent?
  • Risk: Without these agreements, your firm is liable for every rogue SMS sent by an agent.

3. Operationalizing “Opt-Outs”

  • Action: Ensure your systems can process a “Stop” or “Unsubscribe” request in 14 days or less.
  • Risk: Technical delays in updating your database are not a valid defense in court.

Conclusion: Is Your Firm Compliant?

The KES 900,000 award in PB v. Platinum Credit is not just a penalty; it is a precedent. The ODPC has signaled it is willing to award damages for the “distress” caused by privacy violations. For digital credit providers, the cost of compliance is now far lower than the cost of a public ODPC ruling.

Strategic Advisory & Compliance

The Platinum Credit ruling underscores that data compliance is no longer a procedural formality but a critical component of corporate governance and risk management. For financial institutions and credit providers, the cost of regulatory oversight now extends beyond fines to include significant reputational damage and civil liability.

Masibo Law LLP advises Data Controllers and Processors on navigating this evolving regulatory landscape. Our Commercial & Technology practice supports institutions in:

  • Mitigating Third-Party Liability: Structuring robust Data Processing Agreements (DPAs) that clearly define the scope of agency and indemnify the Controller against non-compliant actions by external vendors.
  • Regulatory Defense & Governance: Developing internal protocols for handling data subject rights (erasures and objections) to ensure statutory timelines are met.
  • Compliance Audits: Conducting comprehensive Data Protection Impact Assessments (DPIAs) to identify vulnerabilities in marketing and customer acquisition workflows.

Contact Us

For legal counsel regarding this ruling or to discuss your institution’s data protection framework, please contact our team.

Masibo Law LLP

  • Website: masibolaw.co.ke
  • Email: info@masibolaw.co.ke
  • Location: Suite 837, 8th Floor, Purshottam Place, Chiromo Road, Westlands, Nairobi.
