Nigerian Fintechs Face Scrutiny Over Exploitative Data Consent Practices

Generated by AI AgentCoin World
Thursday, Aug 7, 2025 11:18 am ET2min read
Aime RobotAime Summary

- Nigerian fintech platforms exploit data privacy loopholes by collecting sensitive user data via vague consent mechanisms like checkboxes and OTPs.

- Users often unknowingly agree to invasive permissions (GPS, SMS, contacts) during loan applications, enabling harassment and reputational harm.

- Regulators like NDPC are fining violators (e.g., Fidelity Bank, Meta) but enforcement remains weak as platforms continue exploiting grey areas.

- Experts urge reforms including clear localized consent prompts, revocation tools, and real-time regulatory enforcement to rebuild user trust.

Nigerian fintech platforms are increasingly exploiting consent loopholes in data privacy regulations, allowing them to access sensitive user information without meaningful authorization [1]. Despite legal frameworks such as the Nigeria Data Protection Regulation (NDPR) and the newer Nigeria Data Protection Act (NDPA) requiring clear, informed consent for data usage, many digital lenders are pushing for broad access through click-through permissions and fine-print checkboxes [1]. These permissions often include access to phone contacts, SMS history, GPS location, camera, and microphone—typically before disbursing even a small loan [1].

A case in point is the micro-lender 9Credit, whose privacy policy explicitly requests access to GPS location, SMS logs, and telephone numbers [1]. These platforms justify such access as necessary for identity verification and loan recovery, with one policy even stating that the app may “communicate with your phone-book contacts to finish collection” if the borrower defaults [1]. This practice raises serious concerns about how consent is obtained, as many users agree without fully understanding the implications [1].

Legal analyses highlight that users in desperate need of loans often accept broad terms without scrutiny, which lenders exploit to collect excessive data [1]. The NDPR mandates that consent must be specific, freely given, and based on clear information about the purpose [1]. However, in practice, consent is frequently reduced to a simple checkbox or one-time OTP verification, with little user comprehension [1]. Even fintech blogs have warned that such practices make it easy for users to unknowingly agree to invasive data collection [1].

The issue extends to Open Banking services, where Nigeria’s Central Bank (CBN) requires explicit customer consent before sharing account or BVN data. However, the consent process is often opaque. For example, the iGree BVN platform compels users to input their BVN, receive an OTP, and then click “Allow”—a process that is technically compliant but lacks transparency [1]. Experts argue that this undermines the NDPR’s intent by failing to ensure informed and voluntary consent [1].

Nigeria’s data regulator, the Nigeria Data Protection Commission (NDPC), has begun enforcing fines for violations. As of March 2024, it was reportedly handling over 400 cases involving apps accused of privacy breaches, including unauthorized access to contacts, photos, SMS logs, and location data [1]. The NDPC’s 2023 annual report confirmed that most of these cases involve lenders collecting far more data than necessary, violating principles of data minimization and purpose limitation [1].

Real-world cases illustrate the harm caused by these practices. Haruna Michael reported that a lender used his photos to craft defamatory recovery messages sent to his contacts [1]. Similarly, Moshood was targeted with harassment calls falsely accusing him of owing large sums [1]. On platforms like

Reddit
, users have shared experiences of intimidation tactics including threats of nude image exposure and blackmail [1]. These incidents reveal how data scraped under the guise of consent can be weaponized against borrowers, damaging reputations and personal relationships.

The NDPR violations can be categorized in three dimensions: excessive early permissions, third-party contact access, and unclear consent mechanisms [1]. Each of these breaches directly corresponds to real-world harms such as defamation, harassment, and social shaming [1].

Regulatory pressure is growing. In 2024, Fidelity Bank was fined ₦555 million for improperly sharing user data with third-party marketers [1]. The same year,

Meta
was penalized ₦178 billion for unclear consent across its services [1]. These cases signal that regulatory scrutiny is increasing and that compliance failures may soon carry more severe consequences [1].

Meanwhile, tech giants are also acting. Google updated its Play Store policies in 2023 to prevent apps from accessing user photos and contacts unless they directly enhance app functionality [1]. This change led to the removal of numerous lending apps that had used consent prompts as a means to monitor and shame borrowers [1].

Despite these efforts, enforcement remains limited and reactive. Many fintech platforms continue to exploit the grey area, collecting data under the pretense of consent while ignoring the principle of user autonomy [1]. The long-term sustainability of Nigeria’s fintech industry depends not just on rapid growth but on building user trust through transparent and ethical data practices [1].

To close the consent loophole, stakeholders must push for reforms such as clearer, localized consent prompts; revocation tools that allow users to withdraw permission without being locked out; ethics reviews for high-risk data practices; public dashboards detailing data usage; and real-time enforcement powers for regulators [1]. These steps are essential to ensure that Nigerian fintech aligns with global standards and fosters a digital financial ecosystem that is both inclusive and trustworthy [1].

Source: [1] https://coinmarketcap.com/community/articles/6894c08f97b59e21d0b6d71a/

Comments



Add a public comment...
No comments

No comments yet