Nigeria’s data protection laws (the NDPR and the new NDPA) require clear, informed consent for any personal data use. In practice, however, many fintech platforms push extensive data access through click-through permissions and fine-print checkboxes.
For example, digital loan apps typically demand broad permissions, including access to a borrower’s contacts, SMS history, location, camera, microphone, and more, all before disbursing a loan.
As one article notes, “most loan apps require access to your phone contacts before giving out loans. Many borrowers click ‘allow’ without realising what this means.”
Indeed, the privacy policy of a Nigerian micro-lender (9Credit) explicitly asks customers to authorise access to “GPS location Information, … SMS Logs … [and] telephone number,” among other personal data.
These apps often justify this by saying the data is needed for identity verification and loan recovery; one policy even admits it will “communicate with your phone-book contacts to finish collection when you have…failed to repay”.

Under NDPR/NDPA rules, consent must be specific and freely given, with the purpose made clear. Section 2.3 of the NDPR states that no personal data shall be obtained unless its purpose is disclosed to the individual and valid consent is given.
Consent cannot be obtained by “fraud, coercion, or undue influence”. In reality, many Nigerian borrowers are in dire need of cash and click through consent screens without scrutinising them.
As one legal analysis observes, “it is not unusual for a data subject who is desperate for a loan to give access to his contacts, messages and even location at the point of application without understanding the implications.” In short, lenders exploit the fact that users often agree to broad terms without fully reading them.
Open Banking services similarly lean on formal consent flows. Nigeria’s Central Bank (CBN) requires explicit customer consent before any sharing of account or BVN data. In theory, this makes all APIs opt-in and time-bound. In practice, the consent flow typically boils down to a one-time OTP verification and a checkbox click.
For example, the new iGree BVN consent platform forces users to input their BVN, receive an OTP, and then click an “Allow” button. While technically compliant, this process can be opaque to users because few people read what they’re agreeing to, and “checkbox” consents on apps are easily ignored.
Even fintech blogs warn that “consent” is often reduced to a click, and an ordinary Nigerian might just tap “Agree” without grasping the implications.
Legal and regulatory context
By law, these practices should not be sufficient.
The NDPR/NDPA mandates that data controllers obtain informed, freely given consent and allow data subjects to withdraw consent at any time. Yet many lenders effectively sidestep this by bundling consent into routine app onboarding.
For example, loan apps routinely scrape contacts and SMS data under the banner of “customer permission,” claiming it was agreed to in the signup process.
Experts point out that a loan company has no business collecting data about an individual’s friends or family and that using a borrower’s consent to justify contacting their associates is not valid consent from those third parties.
Enforcement is beginning: Nigeria’s data regulator (NITDA) has fined predatory lenders for such privacy breaches. A few years ago, SokoLoan was fined ₦10 million for “privacy-invading” practices, including unauthorised data sharing in violation of NDPR provisions.


Real cases of privacy breaches under the consent cover
As of March 2024, Nigeria’s data regulator, the NDPC, was reported to be handling more than 400 cases involving digital lending apps accused of violating privacy by accessing phones’ contacts, photo galleries, SMS logs, and location data under the veil of “customer consent”.
Earlier, the NDPC’s 2023 annual report confirmed that most of these cases involve lenders collecting data far beyond what’s necessary, violating multiple NDPR principles, including data minimisation and purpose limitation. Yet contact and gallery permissions continued as normal in Nigeria.
A few examples:
- Haruna Michael reported a lender using his photos in defamatory recovery messages. The app labelled him a fugitive and sent his contacts defamatory messages branding him a fraudster. Humiliation streamed to his social circle, and his public reputation was irreparably damaged.
- Moshood, featured in PRNigeria, received calls from dozens accusing him of owing ₦500,000, despite never having taken a loan. Borrowers’ friends and family got repeated calls from creditors demanding payment. Data was scraped and used for aggressive intimidation tactics.
- On Reddit, multiple survivors share similar ordeals. A victim of the app “ScorePro” said lenders exploited gallery, SMS, location, and call log access to threaten him with morphed nude pictures if he didn’t pay. When he tried to withdraw app permissions, lenders blocked his repayment, making access mandatory for managing debts.
- Another Reddit timeline detailed a woman whose contacts were spammed with blackmail threats and fabricated insolvency messages. All because a loan app gained phone access under consent, then misused it to harass third parties and amplify shame in her network.
NDPR violations in three dimensions
| Issue | NDPR violation | Real‑world harm |
|---|---|---|
| Excessive early permissions | Purpose limitation & data minimisation | Photo/contacts used for defamation |
| Third‑party contact access | Consent must be direct & informed | Friends & family inundated with recruiters |
| Unclear consent mechanism | Informed consent requirement | Users not understanding what was shared |
Why this consent loophole must be closed
Nigeria’s fintech ecosystem has leaned heavily on the idea of “consent”, but too often that consent is more mechanical than meaningful. A checkbox, an OTP, or a hastily accepted privacy policy becomes a licence for platforms to access deeply personal data: contact lists, messages, photos, and more. On paper, it looks legal. In practice, it strips users of agency.
Globally, this model has been discarded. Consent now means explicit permission for specific purposes, given in clear language, and revocable at any time. In Nigeria, it still means “click here to continue.”
That loophole is now facing pressure from three sides: regulators, platforms, and users.
Fines are beginning to bite. In 2024, the Nigeria Data Protection Commission (NDPC) slammed Fidelity Bank with a ₦555 million penalty, the highest on record, for failing to obtain proper consent before sharing user data with third-party marketers.
The year before, Meta was fined ₦178 billion ($220M) with support from the FCCPC, over murky consent across its services. Both cases showed how thin legal wording can cost platforms more than revenue; it can cost them legitimacy.
Tech giants are also responding. In 2023, Google enforced new Play Store rules that barred apps from accessing user photos or contacts unless they directly enhance app functionality. This wiped out dozens of lending apps that had been using consent prompts to peek into people’s phones and shame borrowers into repayment.


Still, real consequences are rare and often too late. Meanwhile, fintech platforms that abuse this grey area continue to onboard millions, raise capital, and build features on data that wasn’t freely given. It’s a fast-growth model but not a sustainable one.
Because trust, not speed, is what gives digital finance its staying power.
Consent isn’t just legal compliance. It’s a product feature. A value proposition. A promise. And Nigerian fintech entities that ignore this are building brittle foundations, easily cracked by public backlash, regulatory shifts, or platform bans.
To close this loophole, regulators and platforms must insist on reforms. This includes:
- Clearer, localised consent prompts that tell users what data is collected and why.
- Revocation tools that allow users to take back permissions without being locked out.
- Ethics reviews for high-risk data practices like lending, open banking, or KYC automation.
- Public-facing dashboards showing what data major platforms collect and how it’s used.
- Real-time enforcement powers that allow NDPC to shut down non-compliant apps—not just fine them months later.
Because the future of fintech in Nigeria, especially open banking, depends not on how many consents are clicked, but on how many users feel safe, respected, and in control.




