Microfinance lender Platinum Credit has been ordered to compensate a mobile subscriber Sh400,000 for repeatedly sending unsolicited promotional messages and making calls without consent, in a ruling that underscores growing enforcement of data privacy laws.

The decision by the Office of the Data Protection Commissioner followed a complaint filed by Samwel Waweru on November 27, accusing the lender of persistently sending him loan advertisements without his knowledge or authorisation.

In her determination, Data Commissioner Immaculate Kassait found the company liable for breaching constitutional and statutory data protection provisions.

“The Respondent is hereby ordered to pay the Complainant Sh400,000 as compensation, and an enforcement notice is hereby issued,” Kassait ruled.

“The actions of the Respondent amounted to unlawful processing of personal data.”

The ODPC said Platinum Credit violated Article 31 of the Constitution, which guarantees the right to privacy, as well as key provisions of the Data Protection Act governing how personal data should be collected and used.

In a further twist, the regulator recommended the prosecution of the company’s directors, accusing them of providing false or misleading information during the investigation.

“A recommendation for prosecution is hereby made against the Respondent’s directors for furnishing information they knew to be false or misleading,” Kassait said.

“This is an offence under the law and carries serious penalties.”

If convicted, the directors risk fines of up to Sh3 million, imprisonment for up to 10 years, or both.

The ruling comes amid rising public outrage over spam messages and unsolicited digital content, including betting alerts, trivia subscriptions, and aggressive loan marketing.

The Communications Authority of Kenya recently acknowledged the surge in complaints, terming the issue a growing concern.

“We have noted increasing consumer frustration over spam messages, unauthorised subscriptions, and misuse of personal data,” the authority said in a statement.

“These concerns are a priority for the Authority.”

Under the Data Protection Act, companies are required to obtain clear consent before sending direct marketing messages, inform users how their data will be used, and provide a functional opt-out option at no cost.

Consumers also retain the right to object to the use of their personal data for marketing purposes.

“A data subject may request a data controller not to process their personal data for specific purposes such as direct marketing,” the law states.

Affected individuals can lodge complaints with the ODPC through its online platform, with investigations typically concluded within 90 days.

The latest ruling signals a tougher stance by regulators, warning companies that misuse of personal data and disregard for consumer consent will attract hefty penalties.