How to Stop Harassing Calls and Texts from Online Lending Apps in the Philippines (Data Privacy Act Guide)

How to Stop Harassing Calls and Texts from Online Lending Apps in the Philippines

A practical legal guide under the Data Privacy Act and related rules

Why this matters

Aggressive online lending apps (OLAs) sometimes scrape your phonebook, spam your contacts, or threaten to “blast” your employer and family if you miss a payment. These tactics can violate Philippine law—most notably the Data Privacy Act of 2012 (DPA, R.A. 10173), the Financial Products and Services Consumer Protection Act (R.A. 11765), and the Securities and Exchange Commission’s rules on unfair collection practices. This guide explains your rights and gives you concrete steps and templates to stop the harassment while keeping any genuine debt issue in proper, lawful channels.

Important: This guide is information, not legal advice. If you face credible threats or ongoing doxxing, involve law enforcement immediately.

The legal backbone (plain English)

1) Data Privacy Act of 2012 (R.A. 10173)

  • Lawful basis required: Apps must have a valid legal ground to collect/use your data (e.g., your freely given, specific, informed consent; or necessity for a contract). Coercive consent (e.g., “grant full contacts access or you can’t proceed”) is suspect, especially if not proportionate to the service.

  • Purpose & proportionality: Collect only what’s necessary. Scraping your entire phonebook to collect a small loan is typically disproportionate.

  • Transparency: Clear privacy notices are required (who collects, what’s collected, why, how long, transfers, rights, and complaint channels).

  • Security: Reasonable organizational, physical, and technical measures to protect your data.

  • Your rights (data subject rights):

    • To be informed and to access your data.
    • To object to processing (e.g., “stop contacting my contacts”).
    • To erasure/blocking (e.g., “delete my phonebook data”).
    • To rectification (correct wrong info).
    • To damages and to file a complaint with the National Privacy Commission (NPC).

  • Liability: Unlawful processing, unauthorized disclosure, and negligent handling can lead to fines, imprisonment, and administrative penalties.

2) SEC rules on debt collection by lending/financing companies

  • Unfair collection practices are prohibited: Threats, profane/insulting language, shaming (“wall of shame,” mass messages to friends/employer), false representation, or contacting persons not named as guarantors/co-makers are disallowed.
  • Disclosure: Collectors must properly identify themselves and their company.
  • Registration: Lending apps must be duly registered/authorized. Unregistered OLAs are subject to closure and enforcement actions.

3) Financial Products and Services Consumer Protection Act (R.A. 11765)

  • Prohibits abusive collection and harassing conduct.
  • Empowers regulators (e.g., SEC for lending companies; BSP for banks/e-money) to sanction violators and provide consumer redress.

4) Other potentially relevant laws

  • Revised Penal Code (e.g., grave threats, grave coercion, unjust vexation) for extreme conduct.
  • Cybercrime Prevention Act (R.A. 10175) for ICT-enabled threats, doxxing, or unlawful access.
  • SIM Registration Act (R.A. 11934) enables telcos/authorities to act on fraudulent/abusive numbers.

What counts as harassment in this context?

  • Repeated calls or messages designed to intimidate, shame, or pressure—especially outside reasonable hours.
  • Messaging your contacts (family, employer, colleagues) to shame you or demand payment, when they are not guarantors/co-makers.
  • Threatening legal action that is baseless or exaggerated (“We will jail you tomorrow” for a civil debt).
  • Using degrading, profane, or demeaning language.
  • Publishing or threatening to publish your personal data (“doxxing”).

Immediate steps to protect yourself

  1. Gather evidence (don’t delete):

    • Screenshots of texts/chats (show phone numbers, timestamps, content).
    • Call logs and any recorded voicemails.
    • Copies of the app’s privacy notice, loan contract, and consent screens.
    • Names/IDs used by collectors (and note when they refused to identify themselves).
    • If your contacts were messaged, ask them for forwardable screenshots.

  2. Secure your device & accounts:

    • Revoke app permissions (Contacts, SMS, Phone, Storage, Location) in your phone settings.
    • Change passwords for email and financial accounts; enable 2FA.
    • Consider uninstalling the app after capturing evidence (but keep enough records to reference your account).

  3. Tell the lender—formally—to stop (rights exercise letter below):

    • Object to further harassment and withdraw/limit consent to use your phonebook or to contact third parties.
    • Demand erasure of scraped contacts and unnecessary data.
    • Require future communications be in writing and limited to your official contact details.

  4. Warn your contacts (briefly):

    • Let close contacts/employer know you’ve been targeted by an abusive collector, that it may be unlawful, and they should forward any messages to you.
    • Do not share private details; keep it factual and short.

  5. Block & filter (with evidence preserved):

    • Use your device’s block/spam features; consider third-party call blockers.
    • Keep initial samples as proof before blocking.

  6. If there are credible threats or doxxing:

    • File a report with PNP (local station or Anti-Cybercrime Group) or NBI-Cybercrime Division. Bring evidence.

Formal channels to make it stop

A) Write to the lender/app (Data Protection Officer & Collections Unit)

Send a rights-exercise notice and a separate cease-and-desist on unfair collection. Do this even if you also plan to complain to regulators.

What to include

  • Your full name, account/loan reference, registered mobile/email.
  • A clear invocation of DPA rights: object to processing that involves contacting third parties; demand erasure of your contacts; require access to the data they hold (including the contact list they scraped and its sources).
  • A demand to cease harassment (calls/texts to your contacts; insulting messages; threats).
  • A request that all future communications be via your chosen channel and during reasonable hours.
  • A deadline (e.g., 5 business days) to confirm compliance.

Keep proof of sending (email with read receipt or courier/registered mail).

B) File a complaint with the National Privacy Commission (NPC)

  • Basis: unlawful processing; processing without valid consent; disproportionate collection; unauthorized disclosure to your contacts; non-compliance with rights requests.
  • Remedies NPC can order: stop processing, erasure, corrective action, and administrative fines/penalties.
  • Attach your evidence and a copy of your letter to the lender/DPO and their reply (or proof of no reply).

C) Complain to the Securities and Exchange Commission (SEC) (for lending/financing companies)

  • Cite unfair collection practices: shaming, threats, contacting non-authorized third parties, failure to identify.
  • Ask SEC to verify the company’s registration/authority and take enforcement action if needed.

D) Law enforcement (for threats, extortion, doxxing)

  • PNP or NBI for criminal angles (threats/coercion, cyber offenses).
  • Bring printed screenshots, call logs, and a narrative of events.

E) Telco reporting

  • Report the abusive numbers to your mobile provider (Smart/Globe/DITO) as spam/harassing.
  • Provide dates/times and screenshots; ask for guidance on additional blocking or filtering.

Templates you can copy-paste

1) Data Privacy Rights Exercise & Cease Processing (to the DPO)

Subject: Exercise of Data Privacy Rights; Objection and Request for Erasure

[Date]

Data Protection Officer
[Name of Lending App/Company]
[Email / Address]

Dear DPO,

I am [Full Name], borrower/account no. [______], registered mobile [______], email [______].

1) I am exercising my rights under the Data Privacy Act of 2012 to:
   a. OBJECT to the processing of my personal data that involves accessing, storing, or using my phonebook/contacts and contacting any third parties not expressly acting as my guarantor/co-maker; and
   b. REQUEST ERASURE/BLOCKING of any contacts or unnecessary data already collected from my device.

2) PURPOSE LIMITATION & PROPORTIONALITY: The collection and use of my entire contact list is not necessary to perform the loan contract. It is disproportionate and was not supported by freely given, specific, and informed consent.

3) UNFAIR COLLECTION PRACTICES: Representatives of your company and/or agents have engaged in harassing communications, including [describe briefly, e.g., threats / messages to my employer/family]. These acts must cease immediately.

DEMANDS:
- Confirm within five (5) business days that you have ceased processing my contacts and have erased such data.
- Limit future communications to [my email/phone] between [reasonable hours].
- Provide an itemized list of my personal data you retain, the sources, recipients (including any third parties you contacted), and your retention schedule.

Please treat this as an urgent privacy matter. Failure to comply may result in complaints to the National Privacy Commission and the SEC.

Sincerely,
[Full Name]
[Signature if sending hard copy]

2) Cease & Desist on Unfair Collection (to Collections/Compliance)

Subject: Cease and Desist – Unfair Collection Practices

[Date]

To whom it may concern:

Your representatives have engaged in prohibited collection practices, including [shaming / threats / contacting non-authorized third parties / failure to identify]. These actions violate Philippine law and regulations on lending/financing collection conduct.

You are hereby directed to CEASE and DESIST from:
- Contacting my family, employer, or other contacts who are not guarantors/co-makers;
- Using threats, profane or demeaning language; and
- Misrepresenting legal consequences.

Limit communications to [my email/phone] between [reasonable hours]. All further violations will be documented for submission to the SEC, NPC, and law enforcement.

Sincerely,
[Full Name]

3) Witness/Contact Notice (for colleagues/family who were messaged)

Hi [Name], you may have received a message/call about me from [Lending App/Collector].
This conduct can be unlawful. Please forward any messages to me and do not engage further.
Thank you for your help.

Building a strong evidence file

  • Chronology (dates/times; who contacted whom; what was said).
  • Copies of the app’s privacy notice at the time you used it.
  • Loan agreement, screenshots of consent screens/permissions.
  • All messages, call logs, and recordings (if any).
  • Any harm suffered (stress, reputational damage at work, costs incurred).
  • Names/IDs used by agents; numbers used; any refusal to identify.

Reasonable hours & channels

While there is no single “Fair Debt Collection Practices Act” in the Philippines, regulators consider harassing frequency, late-night calls, use of insults, and third-party contacts as red flags. It is reasonable to set a window (e.g., 9:00 a.m.–6:00 p.m.) and a single contact channel. Put this in writing in your notices.

If you still owe money: handle the debt, not the abuse

  • Separate the harassment issue from the debt. You can insist on lawful, professional collection and settle or dispute the account.
  • Ask for a statement of account (principal, interest, fees) and the authority to collect if a third-party agency is involved.
  • If fees/interest look unconscionable, consider negotiating or seeking legal help.
  • Pay only via official channels with proper receipts. Avoid sending IDs/selfies via chat to unknown “collectors.”

Common questions (FAQ)

Can they jail me for unpaid personal loans? Ordinary civil debt is not a criminal offense. However, fraud (e.g., knowingly issuing bad checks, identity theft) is different. Threats of “immediate arrest” for mere non-payment are typically scare tactics.

They messaged my boss and coworkers. Is that allowed? Generally no—contacting third parties who are not guarantors/co-makers is a hallmark of unfair collection and may violate the DPA’s disclosure rules.

I “consented” to contacts access when I installed the app. Am I stuck? You can withdraw consent, and the company must respect purpose limitation and proportionality. Consent obtained under pressure or without a clear need is questionable.

They won’t identify themselves. Collectors must disclose their identity and the company they represent. Refusal is a red flag. Document it.

How long do they get to keep my data? Only as long as necessary for the stated, lawful purpose, subject to retention policies and legal requirements. You can ask for their retention schedule and demand deletion of unnecessary data.

Quick checklist

  • Save screenshots, call logs, recordings.
  • Revoke app permissions and secure accounts.
  • Send DPA rights letter to the DPO.
  • Send cease-and-desist to collections/compliance.
  • Warn close contacts; ask for evidence.
  • File appropriate complaints (NPC for privacy; SEC for unfair collection; police/NBI for threats).
  • Manage the actual debt through proper, documented channels.

When to escalate urgently

  • Threats of violence or sexualized harassment.
  • Doxxing or distribution of your photos/IDs.
  • Messaging minors or vulnerable relatives.
  • Impersonation of government officers (“We are from the court/prosecutor/police”)—verify independently and report.

Final word

You do not have to accept shaming, intimidation, or the scraping of your contacts as “part of borrowing.” Philippine law protects you. Use your DPA rights, put your demands in writing, document everything, and escalate through the NPC, SEC, and (if needed) law enforcement. Handle the loan through clean, official channels—without the abuse.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login