Regulating consumer data protection in Kenya’s Digital Credit Services: assessing the effectiveness of informed consent in law

dc.contributor.author: Oundo, J.
dc.date.accessioned: 2026-04-02T10:29:28Z
dc.date.issued: 2025
dc.description: Full-text thesis
dc.description.abstract: Kenya’s rapid expansion of Digital Credit Services (DCS) has significantly improved financial inclusion, especially for unbanked and underbanked populations. However, this growth has raised serious concerns about consumer data protection due to the vast amounts of personal and financial information collected by Digital Credit Providers (DCPs). This study examines the effectiveness of the informed consent model within Kenya’s legal and regulatory framework in ensuring consumer data privacy in digital lending. Despite the existing regulatory framework, major gaps remain in protecting consumers’ rights and ensuring they fully understand how their data is collected, processed, and shared. The study first explores the development of Digital Financial Services (DFS) in Kenya, emphasizing how mobile money platforms and financial technology (FinTech) have facilitated the rise of digital lending. While these innovations have provided financial access to millions, they have also created data privacy vulnerabilities. Consumers often provide their data without adequate transparency or meaningful consent. Key concerns include information asymmetry, coercive consent mechanisms, algorithmic credit scoring opacity, and regulatory challenges surrounding artificial intelligence (AI) and big data applications. To analyse these issues, the study evaluates various consent models, including informed consent, dynamic consent, opt-in and opt-out models, implied consent, and granular consent. It finds that Kenya’s reliance on informed consent is inadequate because consumers often agree to data collection without fully understanding the implications. Factors such as complex terms and conditions, low digital literacy, and manipulative design strategies make it difficult for consumers to make rational, informed decisions about their data privacy. Cognitive biases and information overload further weaken the effectiveness of informed consent.
The study also reviews Kenya’s legal and regulatory framework for consumer data protection in digital lending. While the existing laws provide a foundation, enforcement remains a challenge. The Office of the Data Protection Commissioner (ODPC) lacks the capacity to enforce regulations effectively, and there is insufficient coordination among key regulators like the Central Bank of Kenya (CBK) and the Communications Authority of Kenya (CAK). Additional gaps include unclear guidelines on AI-driven decision-making, weak penalties for data breaches, and a lack of consumer education initiatives. To put Kenya’s regulatory challenges into a global perspective, the study compares its consumer data protection framework with the European Union’s General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (POPIA). The GDPR is found to be a strong model, ensuring that consent is freely given, specific, informed, and unambiguous, with strict enforcement mechanisms. South Africa’s approach aligns with GDPR principles but faces enforcement challenges similar to Kenya’s, highlighting the difficulty of balancing innovation with consumer protection. The study recommends several measures to enhance consumer data protection. These include adopting dynamic consent models, which allow users to modify data-sharing preferences over time; strengthening enforcement mechanisms through better regulatory coordination; increasing consumer awareness and financial literacy; implementing privacy-by-design principles in digital credit services; and fostering cross-border cooperation in regulating digital lending. In conclusion, while Kenya has made progress in consumer data protection, its reliance on informed consent is inadequate in addressing risks associated with AI, big data, and algorithmic decision-making. 
A more adaptive and consumer-centric approach is needed, incorporating dynamic consent, stronger enforcement, and enhanced consumer education to ensure digital borrowers are protected from data exploitation. This study contributes to discussions on financial technology regulation and offers policy recommendations for improving Kenya’s digital credit landscape.
dc.identifier.citation: Oundo, J. (2025). Regulating consumer data protection in Kenya’s Digital Credit Services: Assessing the effectiveness of informed consent in law [Strathmore University]. https://hdl.handle.net/11071/16313
dc.identifier.uri: https://hdl.handle.net/11071/16313
dc.language.iso: en
dc.publisher: Strathmore University
dc.title: Regulating consumer data protection in Kenya’s Digital Credit Services: assessing the effectiveness of informed consent in law
dc.type: Thesis

Files

Original bundle

Name: Regulating consumer data protection in Kenya’s Digital Credit Services - assessing the effectiveness of informed consent in law.pdf
Size: 1.54 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 1.71 KB
Format: Item-specific license agreed upon to submission