Is a debt collector calling your relatives? Kenyan law now criminalises this. Learn your rights under the Data Protection Act and the 2025 Business Laws Amendment.

By Mukamba & Company Advocates | April 2026 | Digital Lending | Data Protection | Consumer Rights

AT A GLANCE Digital lenders in Kenya have long weaponised borrowers’ contact lists, shaming family and employers into pressuring defaulters to pay. As of January 1, 2025, those tactics are no longer merely prohibited — they are criminal offences under the Business Laws (Amendment) Act, 2024. This guide explains every law that protects you, the remedies available, and the exact steps to take if a debt collector has already made that call.

A Phone Call You Never Authorised

Your phone buzzes during dinner in Boston. It is not your bank. It is your aunt in Nakuru, voice shaking. “Someone called me. They said you owe money. They said you will be arrested. They read me your loan balance down to the last shilling.”

You did not give them her number. You never listed her as a reference. But they found her anyway — harvested from your phone the moment you installed that loan app six months ago, back when the interest looked reasonable, and the approval was instant.

This is not an edge case. This is standard operating procedure for Kenya’s digital lenders. And as of January 2025, it is finally, explicitly, criminal.

The Business Model of Shame

Digital lenders in Kenya perfected a specific cruelty: debt-shaming at scale. When a borrower defaults, even by hours, their systems do not simply send a reminder — they weaponise the borrower’s entire social network.

The playbook is documented and consistent:

• Contact list harvesting: The app requests access to your phonebook during installation. Most borrowers tap “allow” without reading, desperate for the loan.
• Third-party harassment: Your friends, family, and employer receive calls and texts disclosing your debt, sometimes accompanied by threats of arrest or violence.
• Psychological pressure: One lender was reported to have told a borrower’s contacts that the borrower was suicidal and needed help repaying the loan — a calculated humiliation.
• False legal threats: Agents routinely claim imminent criminal prosecution or court action — claims that are almost always false.

THE SCALE OF THE PROBLEM By September 2022, the Office of the Data Protection Commissioner (ODPC) had already received 1,030 formal complaints — 299 involving digital lenders specifically. Thousands more victims suffered in silence, too ashamed to report. Since then, the ODPC has received over 9,000 data protection complaints in total.

The Legal Framework: Three Layers of Protection

Kenyan law now provides overlapping protections drawn from constitutional rights, data protection legislation, central bank regulations, and criminal statute. Here is what each layer means for you.

1. Constitutional Foundation

The Constitution of Kenya, 2010 provides the bedrock in two provisions:

• Article 28: Every person has inherent dignity and the right to have that dignity respected and protected.
• Article 31: Every person has the right to privacy, including the right not to have information relating to their family or private affairs unnecessarily required or revealed.

These are not aspirational values. They are justiciable rights that borrowers have successfully invoked before Kenyan courts.

2. The Data Protection Act, 2019

The Data Protection Act, 2019 (Cap. 411C) operationalises Article 31 of the Constitution with enforceable obligations on all entities that collect or process personal data:

• Section 25: Mandates that personal data be collected only with explicit, informed, freely given, and withdrawable consent. A generic “terms of service” tick-box will not meet this standard.
• Section 29: Requires every data controller to notify data subjects of how their data will be used before or at the point of collection.
• Section 63: Empowers the ODPC to impose administrative fines of up to KSh 5 million or 1% of annual turnover, whichever is lower.

KEY ENFORCEMENT PRECEDENTS (ODPC DETERMINATIONS) • Whitepath Company Limited — ODPC Penalty Notice, 11 April 2023: The ODPC received close to 150 complaints against Whitepath for mining borrowers’ phone contacts and sending unsolicited messages. After Whitepath failed to comply with an enforcement notice, the ODPC imposed the maximum fine of KSh 5 million. • Mulla Pride Limited (KeCredit and FairKash apps) — ODPC Penalty Notice, September 2023: Mulla Pride was fined KSh 2.975 million for using names and contact information obtained from third parties to send threatening messages and phone calls to borrowers. The High Court subsequently dismissed the company’s constitutional challenge to the fine: Mulla Pride Limited v Office of the Data Protection Commissioner (Petition E420 of 2023) [2025] KEHC 11287 (KLR), available at https://new.kenyalaw.org/akn/ke/judgment/kehc/2025/11287/eng@2025-07-31 • Ceres Tech Limited (RocketPesa) — ODPC Determination, 15 January 2025: The ODPC ordered Ceres Tech to pay a data subject KSh 700,000 in compensation after finding it had unlawfully processed personal data by associating the complainant with a loan they had not taken, and directed prosecution of the company’s director for obstructing the Data Commissioner. The company’s earlier judicial review application was dismissed: Ceres Tech Limited v Commissioner, Office of the Data Protection Commissioner (Judicial Review Application 25 of 2024) [2024] KEHC 12833 (KLR), available at https://new.kenyalaw.org/akn/ke/judgment/kehc/2024/12833/eng@2024-10-24

3. CBK Digital Credit Providers Regulations, 2022

The Central Bank of Kenya (Digital Credit Providers) Regulations, 2022 introduced Regulation 20, which specifically prohibits the following debt collection conduct:

Prohibited Conduct	Legal Basis
Accessing a customer’s phonebook or contact list	Reg. 20(c)
Sending threatening or obscene language to contacts	Reg. 20(b)
Posting customer data online to shame or embarrass	Reg. 20(d)
Making unsolicited calls or messages to third parties	Reg. 20(e)
Any conduct that harasses, oppresses, or abuses	Reg. 20(g)

4. Business Laws (Amendment) Act, 2024: The Game Changer

Signed into law by President Ruto on 11^th December 2024 and effective 1^st January 2025, the Business Laws (Amendment) Act, 2024 elevated harassment from an administrative infraction to a criminal offence.

The amended Microfinance Act now provides:

THE NEW STANDARD — Section 4B, Microfinance Act (as amended) “A non-deposit-taking microfinance lender in the course of debt collection shall not harass, abuse or oppress a borrower, guarantor or any person in connection with the recovery of the debt.”

Specific criminalised acts now include:

• Threats, violence, or unlawful means in debt collection
• Obscene or profane language directed at borrowers or third parties
• Disclosure of a borrower’s confidential information
• False claims of imminent arrest or legal action
• Any conduct that damages the reputation of a borrower

The critical shift: Before 2025, borrowers relied on administrative fines. Now, lenders face criminal liability. The Central Bank of Kenya can suspend licenses, bar officials from the industry, and gazette offenders publicly.

Your Rights When They Call Your Mother

If a debt collector has contacted your family, employer, or any third party without your explicit, informed, prior consent, they have almost certainly violated multiple laws simultaneously. Here is your practical framework.

Step 1: Document Everything Immediately

• Screenshot every message sent to third parties, noting the sending number and app name
• Record dates, times, and the precise content of all calls and messages
• Preserve the original loan agreement, privacy policy, and app permissions screen
• Obtain statements or screenshots from affected family members or colleagues

Step 2: Verify the Lender’s CBK Licence Status

Since 17 September 2022, all digital credit providers have been required to hold a CBK licence. Check the official directory before engaging with any demand.

Unlicensed lenders cannot legally enforce debts, and you can report them directly to the CBK. Note that Mulla Pride Ltd, which operated KeCredit and FairKash, was found to have been operating without a CBK licence at the time of the ODPC fine — these compound the illegality of their conduct.

Step 3: Demand Proof of Consent

Under the Data Protection Act, the burden of proof lies entirely with the data controller to demonstrate that consent was validly obtained. A generic clause buried in small-print terms of service does not meet the standard of consent that is freely given, specific, informed, and withdrawable.

Send a written demand to the lender’s registered data protection officer (required to be registered with the ODPC) requesting proof of consent within 14 days.

Step 4: Revoke Your Consent and Demand Data Deletion

Section 26 of the Data Protection Act gives you the right to withdraw consent at any time. Upon revocation:

• The lender must cease all processing of your data for debt collection purposes
• Third-party contact data harvested from your phone must be deleted
• You are entitled to written confirmation of deletion within 30 days

If harassment of your network continues after revocation is confirmed, the penalties escalate and criminal liability crystallises.

Step 5: Calculate Your Actual Debt

The in duplum rule (Section 44A of the Banking Act, Cap 488) caps the total interest and penalties recoverable at the original principal amount once the debt doubles.

If you borrowed KSh 10,000 and are being asked to repay KSh 25,000, the excess above KSh 20,000 may be legally unenforceable. Courts have progressively extended this protection to non-bank lenders and digital credit providers.

Remedies: From Complaint to Compensation

Pathway	Authority	Likely Timeline	Potential Outcomes
File a data protection complaint	ODPC (odpc.go.ke)	60–90 days	Compensation order, administrative fine up to KSh 5M, enforcement notice, data deletion order
File a digital lending complaint	Central Bank of Kenya	Varies	License suspension, public censure, operational restrictions
Civil suit for damages	High Court / ELRC	6–18 months	Damages for distress and reputational harm, injunction, and declaratory relief
Criminal complaint	Director of Public Prosecutions / Police	Uncertain	Prosecution under the Business Laws (Amendment) Act, 2024; imprisonment up to 3 years

RECENT ENFORCEMENT IN PRACTICE • As of January 2026, the ODPC has issued 184 compensation orders to Kenyan data subjects, signalling a decisive shift from warnings to active enforcement. • The High Court dismissed Mulla Pride’s constitutional challenge to its KSh 2.975 million ODPC fine, confirming that the statutory appeal route under Section 64 of the Data Protection Act is the correct channel: [2025] KEHC 11287 (KLR). • The ODPC recommended prosecution of Ceres Tech’s director for obstructing the Data Commissioner — the first such recommendation for a digital lender: ODPC Determination, 15 January 2025. • Courts have extended the in duplum rule to digital lenders, preventing double-principal debt accumulation.

When Your Employer Gets the Call

Debt collectors calling your workplace trigger additional protections. Articles 28 and 31 of the Constitution, the Employment Act, and the Data Protection Act collectively impose duties on employers to protect employee data.

If your employer takes adverse action based on a debt collector’s call, consider these additional protections:

• Disciplinary action based solely on debt: May constitute an unfair labour practice challengeable before the Employment and Labour Relations Court.
• Disclosure to colleagues: May violate your constitutional right to privacy and the Data Protection Act.
• Wrongful termination: Dismissal following a debt collector’s intervention may be procedurally and substantively unfair under the Employment Act.
• Employer liability: An HR department that shares your employment data with a debt collector without your consent becomes a data controller in their own right, liable under the DPA.

Frequently Asked Questions

Q: Is it legal for a debt collector to contact my family?

A: No. Under Regulation 20(c) and (e) of the CBK Digital Credit Providers Regulations 2022, and the Business Laws (Amendment) Act 2024, contacting third parties who have not consented to being contacted is prohibited and is now a criminal offence.

Q: What if I actually gave the app access to my contacts?

A: Consent must be freely given, specific, and informed. Courts and the ODPC have consistently held that tapping ‘allow’ on a permissions screen does not constitute informed consent to harvest contacts for debt collection. You can also revoke that consent at any time under Section 26 of the Data Protection Act.

Q: Can I be arrested for not paying a digital loan?

A: Defaulting on a loan is a civil matter, not a criminal offence. Debt collectors who threaten arrest or prosecution are making false claims, which is itself an offence under the Business Laws (Amendment) Act, 2024, and may amount to criminal extortion.

Q: How do I file a complaint with the ODPC?

A: Visit www.odpc.go.ke, complete the online complaint form, and attach screenshots and documents. The ODPC must investigate within 60 days. There is no fee for filing.

Q: What damages can I recover?

A: The ODPC can order the lender to pay you compensation for distress, loss, and damage. Courts have awarded amounts from KSh 250,000 to KSh 700,000 in comparable cases. You may also be entitled to legal costs.

Q: Does the law apply to unlicensed lenders?

A: The Data Protection Act and constitutional rights apply to all entities. Unlicensed lenders are additionally exposed to CBK enforcement and cannot legally enforce the underlying debt.

THE MIDNIGHT CALL WAS NOT JUST RUDE — IT WAS CRIMINAL The lender who harvested your contacts violated the Data Protection Act, 2019. The agent who threatened arrest committed an offence under the Business Laws (Amendment) Act, 2024. And the company that authorised both faces administrative fines, license revocation, and prosecution. But laws do not enforce themselves. The ODPC and CBK remain overwhelmed with complaints. Lenders calculate that your shame will keep you silent. Don’t be silent.

Contact Mukamba & Company Advocates

Mukamba & Company Advocates specialises in data protection violations, digital lending abuse, and constitutional privacy rights. We have secured compensation for debt-shaming victims and obtained court orders stopping harassment campaigns against borrowers and their families.

Your mother’s phone should never ring because of your debt. We make sure it doesn’t.

BOOK A CONFIDENTIAL CONSULTATION Contact Mukamba & Company Advocates today for a confidential initial consultation. The law is on your side. Let us help you use it. The first step costs you nothing but a phone call.

DISCLAIMER

This article is published for general informational purposes only and does not constitute legal advice. The law may have changed since publication. Reading this article does not create an advocate-client relationship. For advice specific to your situation, please contact a qualified advocate.

Sources Consulted

Legislation and Regulations (via Kenya Law)

• Constitution of Kenya, 2010
• Data Protection Act, 2019 (Cap. 411C)
• CBK (Digital Credit Providers) Regulations, 2022
• Business Laws (Amendment) Act, 2024
• Banking Act (Cap 488) — Section 44A (in duplum rule)

Court Judgments (Verified on Kenya Law)

• Mulla Pride Limited v Office of the Data Protection Commissioner (Petition E420 of 2023) [2025] KEHC 11287 (KLR) — https://new.kenyalaw.org/akn/ke/judgment/kehc/2025/11287/eng@2025-07-31
• Ceres Tech Limited v Commissioner, Office of the Data Protection Commissioner (Judicial Review Application 25 of 2024) [2024] KEHC 12833 (KLR) — https://new.kenyalaw.org/akn/ke/judgment/kehc/2024/12833/eng@2024-10-24

ODPC Determinations and Enforcement Notices

• Whitepath Company Limited — ODPC Penalty Notice, 11 April 2023 (KSh 5 million)
• ODPC — 184 Compensation Orders Announcement, January 2026: https://www.odpc.go.ke/

<