Harassment by Online Lending Apps as Reference Without Consent

1) What this practice looks like

In the Philippine online lending space, a common abuse pattern is contacting people who are not the borrower—friends, co-workers, relatives, neighbors, or random names pulled from a phonebook or social media—and telling them they are a “reference,” “contact person,” or someone who should “help settle” the borrower’s loan. The contact is often unsolicited, persistent, and may escalate into threats, humiliation, or disclosure of the borrower’s alleged debt.

This conduct usually appears in one or more of these forms:

  • Reference without consent: The lender claims you were listed as a reference, but you never agreed, never signed, and were never informed.
  • Contact scraping: The borrower’s phone contact list is accessed (often via app permissions), then messages are blasted to multiple contacts.
  • Third-party collection pressure: Calls/texts demand that you pressure the borrower, pay on their behalf, or “guarantee” payment.
  • Public shaming: Messages to your workplace, group chats, Facebook comments, or threats to post your photo/name.
  • Threats and intimidation: Threats of arrest, criminal charges, home visits, employer notification, or violence.
  • Identity association: The lender links you to the borrower and implies you’re liable.

The legal treatment in the Philippines depends on (a) whether your personal data was processed without a lawful basis, (b) whether communications are defamatory, threatening, or harassing, and (c) whether any debt collection rules were violated.

2) The core legal idea: “Being contacted” is not the same as “being liable”

A key principle: Being called a “reference” does not automatically create liability. In Philippine law, a person becomes liable for another’s obligation only through a recognized legal mechanism (e.g., suretyship/guaranty, co-maker, assignment, agency, or other binding undertaking), typically requiring clear consent and, in many cases, written form.

So if you never agreed to be a guarantor or surety, you are generally not responsible for the debt, even if the borrower listed you or the app claims you are a reference.

What you can be: a data subject whose personal information was processed, and a victim of harassment, potentially with civil, administrative, and (in extreme cases) criminal remedies.

3) Main laws and regulatory frameworks that apply

A. Data Privacy Act of 2012 (Republic Act No. 10173)

This is often the most powerful framework when an online lending app:

  • obtained your number through scraping,
  • used it beyond what’s necessary,
  • disclosed personal data to shame or coerce,
  • contacted you without a proper lawful basis,
  • or processed your personal data in a way that is unfair or disproportionate.

Key concepts

  • Personal information: Your name, mobile number, workplace info, social media account, photo, address, etc.
  • Processing: Collection, recording, storage, use, disclosure, dissemination, and other handling.
  • Lawful basis: Consent is one basis, but not the only one. A lender may claim “legitimate interests” or “performance of contract,” but those justifications are limited—especially for third parties who are not parties to the loan.

Why “reference without consent” is a privacy red flag If you did not transact with the lender, your data is typically processed only if there is a valid basis and it passes tests of:

  • Transparency (you were properly informed),
  • Proportionality (only what is necessary),
  • Legitimate purpose (collection methods must be legitimate),
  • Data minimization and fairness.

Mass messaging third parties to shame a borrower is hard to defend as “necessary” or “proportionate” for collection.

Potential privacy violations Depending on facts, the conduct may implicate:

  • Unauthorized processing and/or disclosure,
  • Processing for a purpose not compatible with what was declared,
  • Excessive collection and intrusive access (e.g., contact list),
  • Failure to implement reasonable safeguards,
  • Potential “data breach” if data is exposed broadly (e.g., group blasts).

Where to complain

  • The National Privacy Commission (NPC) is the primary venue for privacy-related complaints and enforcement.

B. Lending Company Regulation Act of 2007 (RA 9474) and SEC oversight

Online lending apps are commonly either lending companies or connected to one, and many are subject to Securities and Exchange Commission (SEC) regulation. Even when an app is merely a platform, if it is tied to a lending company, SEC compliance expectations typically apply.

In practice, the SEC has taken action against unfair debt collection practices, especially those involving:

  • harassment,
  • public shaming,
  • threats,
  • contacting third parties in abusive ways.

Where to complain

  • The SEC (for lending companies and financing companies, and their collection practices), particularly if the entity is registered or purports to be a lending/financing company.

C. Civil Code provisions on human relations (civil liability)

Even when criminal statutes are hard to apply, civil remedies can be strong.

Key principles:

  • Abuse of rights (Art. 19): exercising a right in a manner that is unjust, contrary to morals, good customs, or public policy can create liability.
  • Acts contra bonus mores and interference with peace of mind (Arts. 20, 21): wrongful acts that cause injury can support damages.
  • Moral damages may be recoverable where harassment causes anxiety, humiliation, or social harm.
  • Nominal damages may apply to vindicate a violated right even without extensive proof of pecuniary loss.

If the lender’s conduct harms your reputation, workplace standing, mental well-being, or family life, civil claims may be viable.

D. Revised Penal Code crimes that may be implicated

Depending on severity and wording of messages:

  1. Grave threats / light threats If the collector threatens unlawful harm (violence, wrongful accusation, etc.), threats provisions can apply.

  2. Unjust vexation (as a concept) / similar harassment-type offenses Persistent annoyance that is without legitimate purpose and causes disturbance can be actionable, though charging decisions depend heavily on local prosecutorial practice and current jurisprudence.

  3. Slander/Oral defamation (calls) and libel (written/public) If the collector states false imputations that damage reputation—especially publicly—defamation laws may apply.

  4. Coercion If the collector forces you to do something (pay, pressure the borrower) through intimidation or threats, coercion theories can arise.

Important: whether criminal filing is appropriate depends on exact content (screenshots are critical), the audience (private vs public), and demonstrable harm.

E. Cybercrime Prevention Act of 2012 (RA 10175)

If defamatory or threatening acts occur through ICT (texts, messenger, social media posts), related cybercrime provisions may be considered—especially where:

  • harassment is conducted online,
  • communications are shared broadly,
  • defamatory imputations are made in digital form.

Cyber-related filing often hinges on whether the act fits a recognized underlying offense (e.g., libel) and the manner of commission (online).

F. Anti-Photo and Video Voyeurism Act (RA 9995) / other laws

Usually less common in lending harassment, but may matter if collectors threaten or distribute intimate material (even fabricated). More commonly, the relevant issue is privacy and defamation when they share non-intimate photos (your face, ID, etc.) without consent.

4) When the lender contacts you: what is lawful vs unlawful conduct?

Generally acceptable collection conduct

A lender can:

  • contact the borrower through reasonable means,
  • remind about payment,
  • negotiate restructuring,
  • pursue lawful remedies (demand letters, civil case).

Red lines that are typically unlawful or sanctionable

Conduct becomes risky/illegal when it involves:

  • Contacting you (a third party) repeatedly to pressure the borrower when you did not consent and have no liability;
  • Disclosing the borrower’s debt to you or others (especially broadly) when not necessary and without lawful basis;
  • Threatening arrest for mere nonpayment (nonpayment of debt is generally a civil matter; arrest threats are commonly abusive);
  • Pretending to be authorities or implying criminal charges as a collection tactic;
  • Public shaming (posting on social media, group chats, workplace dissemination);
  • Using your personal data (name/photo/employer) to shame or intimidate you;
  • Harassing frequency (dozens of calls/texts per day; calling your boss; night calls);
  • False statements implying you are a debtor, co-maker, or criminal.

5) Liability: “reference,” “guarantor,” “co-maker,” “authorized contact”

These labels matter:

Reference / contact person

  • Usually intended only to help locate the borrower.
  • No payment obligation unless you separately agreed to one.

Guarantor / surety / co-maker

  • Can create liability, but typically requires clear agreement, often written.
  • If your signature, valid consent, and proper documentation are absent, liability is difficult to establish.

“Authorized contact” (in app terms)

  • Apps sometimes hide broad permissions/authorizations in T&Cs.
  • Even then, third-party data processing still must meet privacy law standards. Borrower consent to give your data does not automatically give the lender unlimited rights to harass you.

6) Consent: what counts, what doesn’t

Consent should be:

  • Freely given
  • Specific
  • Informed
  • Indicated (clear affirmative act)

What usually does NOT count as your consent

  • Borrower listing your name/number without telling you.
  • Lender claiming “the borrower agreed” and therefore you are fair game.
  • “Implied consent” from having a relationship with the borrower.
  • Being in the borrower’s phone contacts.

If the lender cannot show that you consented (or cannot point to another strong lawful basis), contacting you repeatedly and disclosing debt details is vulnerable to a privacy complaint.

7) Common harassment scripts and how Philippine law typically views them

“We will have you arrested / warrant / police”

Often a hallmark of abusive collection. Nonpayment of debt is generally not a criminal offense by itself. Threatening arrest can support complaints for harassment, threats, coercion, unfair collection, and privacy violations (if combined with dissemination).

“We will send field agents to your workplace”

A lender may do lawful field collection to the borrower’s address, but using third-party contact (your workplace) to shame or pressure is high risk.

“Pay now or we will post your photo/name”

Public posting is a serious exposure: privacy and potential defamation issues.

“You are listed as reference, you must pay”

Misrepresentation of liability can be part of coercion/abuse; it also undermines any “legitimate interest” claim.

8) Practical response strategy (legally mindful)

Step 1: Preserve evidence (do this immediately)

  • Screenshots of SMS, Messenger, Viber, WhatsApp.
  • Call logs showing frequency.
  • Recordings (be careful: recording rules can be context-specific; if unsure, prioritize written evidence).
  • Any posts, tags, group chat blasts, emails to HR.
  • Note dates/times; list witnesses (coworkers who saw messages).

Step 2: Identify the entity

  • App name, company name, SEC registration details (if known), website, privacy policy link, DPO contact info.
  • Sometimes collectors use multiple numbers—track all.

Step 3: Send a firm “stop processing/contacting me” notice

You can send a short message that:

  • You are not the borrower, not a guarantor, and did not consent.
  • They must stop contacting you and stop processing your personal data for collection.
  • Any further contact will be used for complaints to NPC/SEC and possible criminal/civil action.

Keep it professional; avoid threats of violence or profanity.

Step 4: Block, but keep evidence first

Blocking stops the harassment but may reduce incoming evidence. Capture enough first, then block.

Step 5: Escalate to regulators

  • NPC for privacy-related processing/disclosure/harassment via personal data.
  • SEC for abusive collection practices of lending/financing companies.
  • Consider PNP Anti-Cybercrime Group / NBI Cybercrime Division if there are online threats, extortion-like behavior, or defamatory posting, and you have complete evidence.

Step 6: If your workplace is involved

  • Notify HR with a factual memo and attach screenshots.
  • Request HR not to engage with collectors and to refer all inquiries to you (or legal/HR point person).
  • Ask HR to preserve any emails or recorded calls.

9) Potential claims and remedies (what you can realistically seek)

A. Administrative remedies

  • Orders to stop processing / compliance directives (privacy enforcement).
  • Penalties and sanctions against the company or responsible officers (depending on findings).
  • SEC actions affecting the lending company’s authority to operate.

B. Civil remedies

  • Damages (moral, nominal, actual if you suffered loss, attorney’s fees in proper cases).
  • Injunction (court order to stop harassment) in appropriate circumstances.

C. Criminal complaints (case-by-case)

  • Threats, coercion, defamation/libel/cyber-libel (depending on publication and content).
  • Other applicable offenses depending on the facts.

In many harassment scenarios, the most efficient early leverage is often regulatory complaint plus a documented cease-and-desist demand, backed by preserved evidence.

10) Special situations

If you actually know the borrower

Even if you are friends or family, that does not create liability. It may, however, increase the likelihood the lender obtained your data through the borrower’s contact list permissions—raising privacy concerns.

If the borrower truly listed you as reference

That still does not mean you consented. Borrower’s act does not automatically authorize third-party harassment.

If the lender uses your photo, employer, or address

This is typically more serious. The more sensitive or identity-related the data, the higher the privacy risk, especially if used for shaming.

If you’re contacted only once

A single contact may be framed as a location attempt, but disclosure of debt details or coercive language can still be problematic. Repeated contact after you object is much harder to justify.

11) Prevention: how to reduce the risk of being targeted

  • Ask friends/family not to list you as reference without consent.

  • If you must be listed as emergency contact/reference, insist on:

    • written notice,
    • limited purpose (location only),
    • no disclosure of debt details,
    • no repeated contact.

  • Encourage borrowers to avoid apps that demand aggressive permissions (contacts, gallery, call logs). Excessive permissions increase misuse risk.

12) A template message you can send to collectors

Option A (short and direct): “Do not contact me again. I am not the borrower, not a co-maker/guarantor, and I did not consent to be contacted or to the processing of my personal data for collection. Any further contact or disclosure will be documented for complaint to the National Privacy Commission and the SEC.”

Option B (more formal): “I deny any obligation for the alleged debt. I did not consent to being named as a reference nor to the processing/disclosure of my personal information for debt collection. I am formally objecting and demanding that you cease contacting me and cease processing my personal data for this purpose. Further contact will be treated as harassment and reported to the National Privacy Commission and other proper authorities.”

13) Key takeaways

  • You are generally not liable for another person’s loan just because an app labels you a “reference.”
  • Persistent third-party debt collection, shaming, and threats are legally vulnerable under privacy law, SEC-regulated lending conduct standards, and civil/criminal theories depending on content and publication.
  • Evidence (screenshots, logs) and a clear written objection are your strongest first moves.
  • The NPC and SEC are practical escalation routes in the Philippine context, especially for abusive online lending operations.

If you want, paste (1) the exact text of the messages you received (remove names/numbers), and (2) the app/company name shown in the messages, and you’ll get a tailored issue-spotting list of the strongest possible complaints and the cleanest wording for your cease-and-desist letter.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login