Data Protection Act makes it illegal for companies to collect personal data from Kenyans without obtaining users' informed consent. [Istockphoto]

Digital lenders are facing millions of shillings in penalties for non-compliance with the Data Protection Act, 2019.

The Office of the Data Protection Commissioner (ODPC) has embarked on an audit of 40 digital lenders following complaints from members of the public over the entities' use of their data.

"As of September 30, 2022 ODPC had received 1,030 complaints, the office admitted 555 of these cases including 299 which were on digital lenders, representing 54 per cent of all cases admitted," said a statement from the office yesterday. Some of the digital lenders set for audit include Tala, Branch, Coopesa, Fairkash, Flexi Cash, Hela Credit, Skypesa, Mokash and Zash Loan.

ODPC now says the digital lenders have two weeks to provide the regulator with the required documents or risk enforcement action under Section 61 of the Data Protection Act, 2019.

The Act makes it illegal for companies to collect personal data from Kenyans without obtaining users' informed consent.

The law also makes it illegal for companies to use personal data for direct marketing without informing the subjects. This includes online ads targeted to consumers by their browsing history as well as promotional material sent directly to consumers through SMS.

The Act also allows users who have suffered damage by having their personal data misused to seek compensation for damages including financial loss and distress. ODPC yesterday said it had issued an enforcement notice against a private hospital after an employee of the institution later inappropriately contacted a patient who had visited the hospital.

"The Data Commissioner directed the hospital to outline specific measures it will take to mitigate or eliminate the breach or contravention and to rectify and, or put in place structures within which the measures shall be implemented within 30 days," the statement said.

The latest audit by the ODPC comes in the wake of a crackdown on unlicensed digital lenders by the Central Bank of Kenya (CBK) that sought to weed out rogue players. Earlier this year, CBK gave digital lenders until September 17 to obtain operating licences or cease operations.

"The licensing and oversight of digital credit providers was precipitated by concerns raised by the public about the predatory practices of the unregulated players and in particular their high cost, unethical debt collection practices and the abuse of personal information," said CBK Governor Patrick Njoroge during a past media briefing.

A recent report by Strathmore University's Centre for Intellectual Property and Information Technology Law and Citizen Labs found that several digital lending apps in Kenya are linked to tracking and advertising software, with some linking to third-party platforms such as Facebook.

The apps, which run at start-up and even prevent the phone from sleeping, were found to read contacts, location data and obtain access to network connectivity data, all of which is used to profile borrowers.

Branch, for example, requires users to give it permission to record audio while Tala has the authority to create accounts on its users' devises, set passwords and use these accounts.