WHAT HAPPENS WHEN YOUR STARTUP OR APP COLLECTS CUSTOMER DATA WITHOUT PROPER SAFEGUARDS
Let’s be honest, most businesses don’t think twice about it.
A quick sign-up form. A phone number collected at checkout. Emails gathered during a promo.
It all feels harmless.
But here’s the question you should ask yourself…are you actually allowed to do this, and are you doing it properly?
Because once you collect someone’s personal data, Nigerian law steps in.
Under the Nigeria Data Protection Act 2023, any business that collects or uses personal data, names, phone numbers, emails, BVN, even health records, has a legal duty to protect it.
And the law is clear about roles.
A data controller is the business deciding why and how that data is used.
A data processor is anyone handling that data on your behalf, like a third-party platform or email service.
Simple point is that if the data passes through your hands, responsibility follows you.
SO WHAT’S THE REAL RISK?
Yes, your business can get into serious trouble.
The Nigeria Data Protection Commission (NDPC) can investigate you. And the penalties are not small.
Depending on your category, you could face fines of up to N10 million or 2% of your annual gross revenue.
And it doesn’t stop there. The individual whose data was mishandled can also take action.
In practice, they only need to show:
• the data was in your custody
• you handled it unlawfully or carelessly
• you failed to put proper safeguards in place
That’s it.
WHAT IF THERE’S A BREACH?
You don’t get to stay quiet.
The law gives you a timeline.
If a breach is likely to affect people’s rights, you must report it to the NDPC within 72 hours of becoming aware of it.
And where the risk is serious, you must also inform the affected individuals.
One thing businesses often miss: how you respond matters. Those who act quickly, notify people, and cooperate tend to be treated better than those who try to cover things up.
WHAT SHOULD YOUR BUSINESS BE DOING RIGHT NOW?
Nothing complicated, but it has to be deliberate:
• Have a clear data protection policy
• Appoint a Data Protection Officer where required
• Register with the NDPC if you qualify
• Put a proper breach response plan in place
THE LESSON
If your business collects or uses personal data in Nigeria, this law applies to you. No exceptions.
You don’t need bad intentions to get into trouble. Carelessness is enough.
And for customers, the position is equally clear. You have rights. You can question how your data is used, object to it, and report misuse.
Data is now part of doing business.
Treat it casually, and it becomes a liability. Handle it properly, and it builds trust.
The choice is yours.
Can You Prove a Company Exists Without Its Certificate of Incorporation?
Sodeinde v. World Mission Agency Inc (2026) 4 NWLR (Pt. 2033) 1(SC)
QUESTION
Can you prove a company’s legal personality without tendering its certificate of incorporation?
ANSWER
Yes. A company’s legal personality can still be proved even without tendering its certificate of incorporation.
Although the certificate remains the primary and most direct proof, it is not the only way. Where it is unavailable, the law recognises other credible means of proof.
LEGAL BACKGROUND
A company is often regarded as a distinct legal personality, i.e., the company acts like a real legal person. It can contract, own property, sue, and be sued. The legal personality makes a company a separate entity from its members. As a general rule, a company’s certificate of incorporation is the only proof of its legal personality.
The effect of this rule is that if the aggrieved party fails to provide the company’s certificate of incorporation, it will be unable to prove the legal personality of the company. The result is that the action will fail for want of proper parties, and the court will lack jurisdiction to hear the matter.
Because this rule may encourage companies to keep their certificates to get away with some actions, the strict position has been lessened. Now, a simple company search on CAC portal is sufficient proof.
FACTS IN BRIEF
Sodeinde sued World Mission Agency Inc. The respondents raised a preliminary objection, arguing the appellant did not establish their juristic personality and sought an order striking out the suit on the ground that it was not а juristic person because the appellants could not produce their certificate of incorporation. The trial court agreed and struck out the case. Sodeinde appealed.
COMPETING ARGUMENTS
Appellant (Sodeinde): Sodeinde argued that he established the respondent’s personality by providing a company search and that the absence of a certificate of incorporation should not defeat the case.
Respondents (World Mission Agency Inc): The respondents argued that Sections 41 and 42 of CAMA 2020 establish that the certificate of incorporation is the proof of a company's distinct personality and legal existence. They argued against the court’s jurisdiction because their legal personality had not been established.
CORE HOLDINGS
The Supreme Court held that an original соpy or a certified true сору of a сomраnу search report issued bу the Corporate Affairs Commission (САС), with a signed and dated “verification stamp” of the САС is an additional means of prima facie proof that an organization is а соmраnу registered
or incorporated.
WHAT TO LEARN FROM THIS
While the certificate of incorporation remains the primary proof, the court will not shut out a case just because it’s unavailable. A properly issued CAC search report can still establish a company’s existence.
As a young wig, the best thing you can do for yourself right now is increase your surface area for opportunity beyond your CV or optimised LinkedIn profile. Jobs or briefs will not come and find you where you are.
By your surface area, I mean the number of rooms you enter, conversations you start, events you attend, and people you speak to.
I have seen this happen too many times to call it a coincidence. The opportunities that change people’s trajectories rarely arrive through a formal process. They come through a person in a room; someone who knows someone, who heard something, who can make one phone call that changes everything. But that's only if you are there.
Dear young person, the person who has what you need may already be in your city. They may be at the next conference, the next seminar, the next industry gathering you keep postponing. Go outside and attend the thing. Speak to the person next to you and ask the burning questions you have been sitting on. The more you show up, the more life has to work with.
Timidity is for the rich. Aye soro soke lawayiii!!!.
Rahma cares ✍️
once did a trademark search for a client, and in the search I discovered an A-list artist (from a very rich family) that trademarked his name across all 45 available classes.
That is a defensive trademark.
In Nigeria, your trademark / brand protection is limited to a narrow class. Ie, you trademark your name in one class and you are only protected in that class out of the other 45.
I often advise founders to think ahead, not just where they are today, but where their brand can go tomorrow.
For example, you run a fintech today. You register your name for financial services.
Tomorrow, someone starts using the same name for clothing or bottled water. It’s a different class.
That’s how brands get diluted.
We have seen all this play out in the VDM & BLord’s case.
One registration is a good start, but it doesn’t cover everything. For businesses, your protection ONLY covers the class you registered in.
Now, the law actually allows something called Defensive Registration.
Under section 32 of the Trade Marks Act, it is mainly for well-known marks. The kind of brand where if people see the name anywhere, they immediately connect it to you.
That’s the test.
And if you’re already well known, meeting that statutory threshold for defensive registration, then it only makes sense to go for it.
So what do you do as a growing business?
You don’t wait till you become “well-known” before thinking defensively.
You start by registering your mark in relevant classes around your business. Think about where your brand can realistically expand to, and cover those areas early.
I usually tell founders, protect your present, and also protect where you’re clearly heading.
Don’t wait until someone else gets there first.
Because once another person registers your name in a different class, you’re now entering wahala you could have avoided.
And trust me, WARS are not cheap.
Now, truth is, doing this across multiple classes costs money.
But compared to rebranding, litigation, or losing your name in another space, it’s a much easier decision.
I’ve seen founders ignore this early, then spend years trying to clean it up later.
Protect your name properly. It saves you stress later.
I also often advise founders to pay serious attention to who owns the code, not just the brand, because that’s where the real problems show up.
You hire a developer.
They build your app.
Everything is working fine.
Then one day, issue comes up and you realise… you don’t actually own the code.
Under copyright law, the person who creates the work owns it by default.
So if there was no clear agreement from the beginning assigning IP to you as the founder, you may just have a license to use it, not ownership.
And that can get messy very quickly.
Another thing people miss is this…
Trademark protects your brand identity.
Copyright protects your expression (the code).
They solve two different problems.
So doing one and ignoring the other leaves a loophole.
Simple advice I give is this, before any line of code is written, settle ownership clearly in writing. Not after. Not “we’ll sort it later.”
Because when things go well, nobody cares. It’s when things go bad that this starts to matter.
Some personal news!
Excited to announce that @shapesLabHQ has been acquired by a YC-backed company.
Everyone at Shapes Lab will be joining the company full-time (more details on this later).
Three months ago, I launched Shapes Lab to help founders build products the right way. Today, we are joining forces with one of the most cracked teams to deliver on this mission.
Super grateful to my co-founder, early customers, and everyone who has supported this journey. We wouldn't be here without y'all 🤍
Anyone can shoot a pretty high quality video on their iPhone for FREE, yet there are now more videographers, making more money than ever shooting for YouTube, Netflix, Advertising etc…
But yeah.. designers are cooked.
🤣
I did not have time to explain then. Now I do. Grab a seat.
“Force majeure” is a contractual provision which suspends performance of a contract or even terminates it, upon the occurrence of specified events. The most important element of force majeure is that parties must provide for it in the contract. It is not implied. It must be expressly agreed that if X occurs, then Y happens to the contract.
Frustration is a different thing altogether. Frustration is not a contractual right. It is an implied condition imposed by the common law that when an event occurs which renders a contract incapable of performance or leads to a radical change in obligations, the contract is automatically discharged. Parties need not agree on frustrating events. Once a frustrating event occurs, it affects the contract by operation of law.
Let me categorize the distinctions this way.
Force majeure must be expressly provided for in a contract before a party can rely on it. Frustration is implied and needs no express provision.
Parties are at liberty to define force majeure and prescribe its effect upon occurrence. This could range from suspension, alternative performance, or even termination. The effect is not fixed. But the effect of frustration is fixed. It discharges all further contractual obligations although accrued ones remain.
Thanks for reading my little law ted-talk.
Most of us are using AI for legal work the wrong way. Many rely on what the model already knows, which is mostly public, general, sometimes outdated and fake.
The real advantage is to use AI on top of premium, verified legal databases.
Here’s the cheat code I use:
When I need authorities on a specific issue or I’m building an argument, I don’t start from scratch. I open my paid @NWLRonline database in Chrome, where I already have Claude Co-work running as an extension.
Then I prompt within that environment. So instead of guessing or pulling from generic training data, the AI is working directly with actual reported cases, established principles, verified judicial reasoning
The results are always superb. No hallucinations (so far). Just relevant authorities within a short period of time.
In a few minutes, I get cases directly on point and legal principles supporting my argument.
Of course, I still cross-check. Always. But instead of spending hours digging, I validate in minutes.
Plug the AI into a solid data.
At first I was l0st but I have f0und my way back with @l0f0_00 🧭🐙
Just applied for whitelist:
https://t.co/X92HhbZ9Gs
Join the adventure! #l0stANDf0und#IP#NFT