I. Introduction

The rise of online lending apps (OLAs) in the Philippines has made borrowing quick and convenient—but also opened the door to abusive collection tactics. One of the most common complaints is this: online lenders calling, texting, or shaming a borrower’s family, friends, co-workers, or other contacts to pressure payment.

In the Philippine legal framework, this practice is not just “unethical” or “annoying.” It can amount to:

• Unlawful processing of personal data under the Data Privacy Act of 2012 (DPA);
• Unfair or abusive debt collection under Securities and Exchange Commission (SEC) regulations;
• Possible criminal acts such as grave threats, unjust vexation, or libel under the Revised Penal Code; and
• Grounds for administrative complaints before the National Privacy Commission (NPC) and the SEC.

This article explains, in a Philippine setting, how and why calling a borrower’s contacts can be illegal, what rights borrowers and those contacts have, and what remedies are available.

---

II. How Online Lending Apps Typically Work

Most problematic OLAs follow a similar pattern:

1. Mobile app download The user downloads an app from Google Play, Apple App Store, or a third-party site.

2. Consent to permissions During installation or registration, the app asks for permission to access:

   • Contacts;
   • SMS;
   • Photos/files;
   • Camera/microphone; and/or
   • Location.

3. Short-term, high-interest loans The borrower receives a small loan, often with very short terms (e.g., 7–14 days) and high effective interest rates or multiple “fees.”

4. Aggressive collection upon default or even slight delay If the borrower is late in paying—or sometimes even before due date—collection agents:

   • Call or text repeatedly;
   • Send threatening or degrading messages; or
   • Contact people in the borrower’s phonebook to “expose” the debt.

These last acts—especially calling your contacts—are where the main legal issues arise.

---

III. Legal Framework in the Philippines

A. Data Privacy Act of 2012 (Republic Act No. 10173)

The DPA governs the collection, processing, and sharing of personal data in the Philippines. Key points:

1. Personal information and sensitive personal information

   • Name, contact details, and contact lists are personal information.
   • When linked to financial status or debts, they can take on more sensitive character because they relate to a person’s finances and reputation.

2. Lawful basis for processing For personal data to be processed lawfully, the controller (here, the lending company or app operator) must have a valid basis, generally:

   • Consent;
   • Contractual necessity;
   • Legal obligation;
   • Protection of vital interests;
   • Legitimate interests (subject to tests of necessity and proportionality).

3. Data subject rights (borrowers and their contacts):

   • Right to be informed;
   • Right to access;
   • Right to object;
   • Right to erasure/blocking;
   • Right to damages;
   • Right to lodge a complaint with the NPC.

4. Data sharing vs. incidental use Using a borrower’s contact list to reach out to third persons who have no relationship with the lender to disclose the alleged debt is generally not just “incidental use” – it is data sharing with third parties, which requires:

   • A legal basis; and
   • Compliance with transparency and purpose limitation.

NPC has repeatedly emphasized that “blanket consent” to all phone permissions is not a free pass for abusive practices. Consent must be:

• Freely given,
• Specific,
• Informed, and
• Evidenced by clear action.

“Allow access to contacts to continue” in a cluttered interface often fails this standard, especially when used for harassment.

5. Liabilities under the DPA

Possible violations include:

• Unauthorized processing of personal information Using contact data beyond what was reasonably necessary for the loan and without valid legal basis.

• Unauthorized disclosure Informing third persons about a borrower’s debt without lawful basis or the borrower’s proper consent.

• Improper use Using personal data for purposes incompatible with the original purpose (e.g., from verification to public shaming).

Penalties under the DPA can include imprisonment and fines, which scale depending on the type of violation and whether sensitive information is involved.

---

B. SEC Regulation of Lending and Financing Companies

Most online lending apps are backed by lending companies or financing companies regulated by the SEC under:

• Lending Company Regulation Act of 2007 (RA 9474) and its Implementing Rules;

• Financing Company Act (RA 8556); and

• Various SEC Memorandum Circulars, including those on:

  • Registration of online lending platforms; and
  • Prohibition of unfair collection practices.

While specific circular numbers and details may vary, the general themes are:

1. Registration requirement Lending and financing companies using online platforms must be:

   • Registered as corporations with the SEC; and
   • (Where required) their online lending platforms must be reported to or registered with the SEC.

2. Unfair or abusive debt collection practices are prohibited Collection practices that are typically classified as unfair include:

   • Using threats, obscenities, or profanities;
   • Harassing or threatening the borrower or third parties;
   • Public shaming or posting of unpaid debts on social media;
   • Contacting persons in the borrower’s contact list who are not guarantors or co-makers; and
   • Calling at unreasonable hours (e.g., late at night or extremely early morning).

The SEC has publicly warned and, in some cases, suspended or revoked the registration of lending companies and online platforms for such practices.

3. Possible SEC sanctions

   • Fines;
   • Suspension or revocation of certificate of authority to operate as a lending/financing company;
   • Cease-and-desist orders against the app/platform.

---

C. National Privacy Commission (NPC) Actions on Online Lenders

The NPC has issued numerous:

• Advisories and press releases condemning harassment through contact lists;

• Compliance Orders directing online lenders to:

  • Stop accessing contact lists;
  • Stop using collected data for harassment or shaming;
  • Secure and properly dispose of unlawfully collected personal data.

In several instances, the NPC has coordinated with the SEC and other agencies to crack down on abusive OLAs.

---

D. Other Potential Legal Bases

1. Revised Penal Code Depending on the content and methods of communication, the following crimes may be relevant:

   • Grave threats / light threats If collection agents threaten physical harm or serious wrong.

   • Unjust vexation For persistent, unreasonable annoyance or harassment.

   • Libel or slander If they falsely or maliciously impute a crime, vice, or defect to damage a borrower’s reputation (e.g., calling the borrower a “swindler” or “criminal” in group chats).

2. Anti-Violence Against Women and Their Children Act (RA 9262) In situations where:

   • The borrower is a woman or child, and
   • The abusive collection or shaming is perpetrated or facilitated by an intimate partner or former partner using online lender data, the acts may be seen as part of economic or psychological abuse.

3. Safe Spaces Act (RA 11313) If harassment is gender-based or sexual in nature, online harassment provisions may be triggered.

4. Civil Code (Damages) Harassed borrowers and their contacts may sue for:

   • Moral damages (for shame, anxiety, humiliation);
   • Exemplary damages (if acts are wanton, fraudulent, or oppressive);
   • Attorney’s fees and costs.

---

IV. Are Lenders Allowed to Call Your Contacts at All?

A. When it may be arguably allowed

Very limited circumstances could justify contacting a third party, such as:

• When the person is a co-borrower, guarantor, or co-maker who signed documents acknowledging responsibility for the loan;
• When the third party directly provided their contact details to the lender for that purpose; or
• Where the third party consented to being a “character reference,” and the call is limited to legitimate verification (not harassment or disclosure of sensitive details).

Even in these cases:

• The DPA still applies (purpose limitation, data minimization, proportionality); and
• SEC rules still prohibit abusive language, threats, or unreasonable pressure.

B. When it is generally unlawful

The practice is generally unlawful when:

• The lender accesses the borrower’s entire contact list solely because the app had permission, and

• Uses it to:

  • “Shame” the borrower;
  • Accuse the borrower of being a scammer; or
  • Pressure payment by humiliating the borrower in front of colleagues, friends, or relatives.

This typically violates:

• The DPA (unlawful processing and unauthorized disclosure);
• SEC rules (unfair debt collection); and
• Possibly criminal laws if threats or defamatory statements are made.

---

V. Rights and Remedies of Borrowers

A. Under the Data Privacy Act

Borrowers have the right to:

1. Be informed You have the right to know:

   • What personal data the app collects;
   • For what specific purposes; and
   • To whom it may be disclosed.

2. Access your personal data You can request copies of personal data being processed by the lender.

3. Object to processing You may object to further use of your contact data and demand that they stop using it to call your contacts, especially for harassment.

4. Rectification and erasure/blocking You can ask them to correct inaccurate data and to delete or block data no longer necessary or unlawfully obtained.

5. Compensation for damages If you suffer damage due to unlawful processing or disclosure, you can claim damages.

6. File a complaint with the NPC You can file a formal complaint with the NPC against the lender/app.

---

B. Under SEC Regulations

If the app is backed by a lending or financing company (most are), you may:

1. File a complaint with the SEC

   • Describe the abusive collection practices;
   • Attach screenshots, recordings, and other evidence;
   • Identify the company name, app name, and any SEC registration numbers (if available).

2. Request investigation and sanctions The SEC can:

   • Examine their practices;
   • Fine them;
   • Suspend or revoke their authority to operate; and/or
   • Issue cease-and-desist orders.

---

C. Criminal and Civil Actions

In more severe cases, borrowers can:

• File criminal complaints with the:

  • Philippine National Police (PNP), or
  • National Bureau of Investigation (NBI), particularly the cybercrime units, for acts such as grave threats, unjust vexation, or online libel.

• File civil cases for damages under the Civil Code.

Because these routes can be complex and fact-specific, consulting a lawyer or a legal aid clinic is strongly advisable.

---

VI. Rights and Remedies of the Borrower’s Contacts

The borrower’s contacts are independent data subjects under the DPA. They also have rights, including:

1. Right to object If you receive a call or text from a lender about someone else’s debt, you can tell them:

   • You did not consent to this;
   • You object to their use of your number for this purpose; and
   • They should stop calling or messaging you.

2. Right to file a complaint with the NPC Contacts can file their own complaint, especially when:

   • Their number was obtained from the borrower’s app permissions; and
   • They never had any relationship with the lender.

3. Possible civil claims If the harassment is severe, they may also consider a civil action for damages.

---

VII. Evidence to Preserve

Whether you are the borrower or one of the contacts, evidence is crucial. Preserve:

• Screenshots of messages;
• Call logs showing frequency and timing;
• Voice recordings (if lawfully obtained);
• Copies of app permissions or privacy policy (if available);
• Names, numbers, and identifiers used by the lender or collector;
• Links to group chats or posts where shaming occurred.

This evidence will be important for NPC, SEC, PNP/NBI, or courts.

---

VIII. Practical Steps if an Online Lender Is Harassing You or Your Contacts

1. Do not deny legitimate debt Even if the collection method is illegal, a legitimate debt may still be owed. The legality of the collection practice and the existence of the debt are separate issues.

2. Negotiate payment terms—preferably in writing You may:

   • Request restructuring or extension; or
   • Propose a payment schedule you can realistically follow.

3. Revoke permissions and limit data exposure

   • Check your phone settings and disable the app’s access to contacts, SMS, and storage (where possible).
   • Uninstall the app after securing copies of any evidence you need.

4. Formally demand the lender to stop harassment

   • Send an email or written notice:

     • Objecting to the use of your contacts;
     • Demanding they cease contacting your contacts and limit communication to you via lawful means.

5. File complaints with regulators

   • NPC – for privacy violations (unlawful processing and disclosure of personal data).
   • SEC – for unfair collection practices by lending/financing companies.
   • DTI / LGU – in some cases for business practice issues, especially if the entity is not properly registered.

6. Seek legal advice or help from legal aid groups

   • Integrated Bar of the Philippines (IBP) chapters;
   • Law school legal aid clinics;
   • NGOs focusing on digital rights or consumer protection.

7. Consider blocking numbers and using call-filtering tools

   • While not a legal remedy, it can protect your peace of mind.
   • However, keep at least some evidence first before blocking.

---

IX. Compliance Expectations for Legitimate Online Lenders

For legitimate lenders operating in the Philippines, compliance is not optional. Basic expectations include:

1. Transparent privacy notices

   • Clear, plain-language explanations of:

     • What data is collected;
     • Why it is collected;
     • How long it is retained;
     • Whether it is shared and with whom.

2. Data minimization

   • Avoid requesting unnecessary access (e.g., entire contact list) if identity and creditworthiness can be assessed in less intrusive ways.

3. Fair collection policies

   • Communicate with the borrower through:

     • Registered business numbers,
     • Reasonable hours,
     • Professional language and tone.

   • Avoid reaching out to third parties except in legally justified cases.

4. Security measures

   • Implement appropriate organizational, physical, and technical measures to protect borrowers’ and contacts’ personal data.

5. Accountability and documentation

   • Keep records of data processing activities;
   • Train staff on DPA compliance and anti-harassment policies;
   • Maintain internal mechanisms to handle complaints quickly.

---

X. Key Takeaways

• Calling or texting your contacts to shame or pressure you to pay is often unlawful in the Philippines, particularly under the Data Privacy Act and SEC rules on unfair debt collection practices.
• Borrowers and their contacts are both protected data subjects. Their phone numbers and identities cannot be used or shared arbitrarily.
• Regulatory complaints may be filed with the National Privacy Commission and the SEC, and in serious cases, criminal or civil actions may also be available.
• While you should still address valid debts, you do not have to tolerate harassment, shaming, or unlawful data use.

For personalized guidance—especially where large sums, severe harassment, or unique circumstances are involved—it is wise to consult a lawyer or a legal aid organization familiar with Philippine data privacy, consumer protection, and cybercrime laws.