Philippine Legal Context

Online lending apps, often called OLAs, have become common in the Philippines because they offer fast, app-based loans with minimal paperwork. But many borrowers have reported abusive practices: repeated threatening calls, public shaming, messages to family and co-workers, unauthorized use of phone contacts, false accusations, insults, doxxing, fake legal threats, and misuse of photos or IDs.

Philippine law does not allow a lending company, financing company, collection agency, or online lending app to harass, shame, threaten, or unlawfully expose a borrower’s personal data. A borrower may owe money, but debt does not remove the borrower’s rights to privacy, dignity, due process, and lawful collection treatment.

This article explains the legal framework, prohibited acts, borrower rights, evidence-gathering steps, complaint options, and remedies available in the Philippines.

I. What Is Online Lending App Harassment?

Online lending app harassment refers to abusive, oppressive, deceptive, threatening, humiliating, or privacy-invasive collection conduct by an online lender, financing company, lending company, collection agency, agent, or third-party service provider.

Common examples include:

Calling or texting the borrower repeatedly at unreasonable hours.
Threatening imprisonment for nonpayment.
Threatening to post the borrower’s face online.
Sending messages to the borrower’s contacts.
Calling the borrower’s employer, family, friends, or co-workers.
Telling others that the borrower is a scammer, criminal, or estafador.
Publishing the borrower’s name, photo, address, ID, or loan balance.
Accessing the borrower’s contact list without proper basis.
Using the borrower’s photo to shame or embarrass them.
Sending fake legal notices or fake barangay/court/police threats.
Using profanity, insults, sexualized language, or threats of violence.
Contacting references who did not consent to be collection targets.
Creating group chats to shame the borrower.
Posting defamatory statements on social media.
Sending messages that imply the borrower committed a crime merely because of unpaid debt.

A lender has the right to collect a lawful debt. But that right must be exercised lawfully.

II. Debt Does Not Justify Harassment

A borrower’s failure to pay a loan does not give the lender permission to violate the law.

The lender may:

Send lawful reminders.
Demand payment.
Charge lawful interest and penalties if agreed and legally valid.
Negotiate restructuring.
Endorse the account to a legitimate collection agency.
File a civil case to collect.
Report proper credit information through lawful channels.
Exercise remedies allowed under the loan agreement and law.

But the lender may not:

Threaten violence.
Use insults or obscene language.
Shame the borrower publicly.
Contact unrelated third persons to embarrass the borrower.
Misuse the borrower’s contacts, photos, or private files.
Pretend to be a court, police officer, prosecutor, or government agency.
Use false criminal threats to force payment.
Publish the borrower’s personal data.
Harass the borrower’s employer or relatives.
Process personal data beyond legitimate, necessary, and proportionate purposes.

The SEC has rules against unfair debt collection practices by lending and financing companies and their third-party service providers. The National Privacy Commission has also issued rules specifically addressing personal data processing in loan-related transactions. (creditinfo.gov.ph)

III. Main Laws and Agencies Involved

Online lending harassment may involve several overlapping laws and regulators.

1. Securities and Exchange Commission

The Securities and Exchange Commission, or SEC, regulates lending companies and financing companies. It also receives complaints involving online lending apps, unfair debt collection practices, abusive collection agents, and unregistered or unauthorized lending operations.

The Credit Information Corporation’s consumer guidance identifies the SEC as the proper agency for complaints involving lending companies, financing companies, online lending apps, and microfinance institutions. (creditinfo.gov.ph)

2. National Privacy Commission

The National Privacy Commission, or NPC, enforces the Data Privacy Act. It handles complaints involving unauthorized access, use, sharing, disclosure, or processing of personal data.

The NPC has specifically addressed online lending apps that harvest contact lists, photos, location data, media files, email data, and social media data. It has also ordered takedowns and data-processing bans against certain apps found to have engaged in excessive and unlawful personal data processing. (National Privacy Commission)

3. Police and Cybercrime Authorities

If the harassment includes threats, identity misuse, online defamation, hacking, cyber harassment, fake accounts, or fraud, the matter may be reported to law enforcement, including cybercrime units.

4. Courts

Courts may be involved in civil actions, criminal cases, protection-related remedies, damages claims, or injunctions where appropriate.

IV. Data Privacy Act Protection

The Data Privacy Act of 2012, or Republic Act No. 10173, protects personal information and sensitive personal information in both government and private-sector information systems. It created the National Privacy Commission and defines consent as a freely given, specific, informed indication of will, evidenced by written, electronic, or recorded means. (National Privacy Commission)

For online lending, this means an app cannot simply collect and use whatever data it wants because the borrower clicked “allow” or signed up for a loan. Data processing must still comply with the principles of:

Transparency
Legitimate purpose
Proportionality
Lawful basis
Security
Accountability
Respect for data subject rights

Even if the borrower owes money, the lender must process personal data lawfully.

V. Personal Data Commonly Abused by Lending Apps

Online lending apps may collect or attempt to access:

Full name
Mobile number
Home address
Email address
Employer details
Salary or income information
Government IDs
Selfies
Photos
Contact list
Call logs
SMS
Device identifiers
Location data
Social media accounts
Bank or e-wallet details
References and emergency contacts
Loan balance and repayment history

Some data may be legitimately needed for identity verification, fraud prevention, or credit evaluation. But harvesting large amounts of unrelated data, especially contact lists and photos, can become unlawful if unnecessary, excessive, or used for harassment.

VI. App Permissions and Contact List Harvesting

The NPC has made clear that online lending apps are prohibited from requiring unnecessary permissions involving personal and sensitive personal information. App permissions must be suitable, necessary, and not excessive for legitimate purposes such as KYC, creditworthiness assessment, fraud prevention, and lawful debt collection. (National Privacy Commission)

The NPC has also specifically stated that online lenders are barred from harvesting phone contact lists, email lists, and social media contacts for debt collection harassment. Access to a phone camera may be allowed only for legitimate KYC purposes, and the borrower’s photo must not be used to harass or embarrass the borrower. (National Privacy Commission)

This is crucial. Many abusive OLAs rely on contact-list access to pressure borrowers by threatening to message everyone in their phonebook. That practice may create both data privacy and unfair collection issues.

VII. Character References and Emergency Contacts

Online lenders often ask for references or emergency contacts.

A reference is not automatically a guarantor.

A person listed as a reference generally does not become liable for the borrower’s loan merely because their name or number was provided. Unless that person separately agreed to act as a co-maker, surety, guarantor, or borrower, the lender should not demand payment from them.

The NPC’s loan-related transaction rules were amended to address borrowers, character references, and guarantors, including added protections and notices in loan-related data processing. (National Privacy Commission)

A lender may verify contact information in a lawful and proportionate way, but it should not shame the borrower or pressure third persons who are not liable for the debt.

VIII. Unfair Debt Collection Practices

Unfair debt collection practices may include:

Threats of violence or harm.
Use of insults, obscene language, or profanity.
False representation that nonpayment is automatically a crime.
False representation that the collector is from a court, police, prosecutor, or government office.
Threatening arrest without legal basis.
Threatening public exposure of the borrower.
Disclosing the borrower’s debt to unrelated persons.
Calling or messaging contacts to shame the borrower.
Harassing the borrower’s employer.
Repeated calls meant to annoy, abuse, or intimidate.
Using fake legal documents.
Misrepresenting the amount owed.
Charging undisclosed or unlawful fees.
Contacting the borrower at unreasonable hours.
Using personal data for purposes beyond lawful collection.

The SEC’s unfair debt collection framework applies not only to lending and financing companies but also to their third-party service providers. A lender cannot avoid liability by outsourcing harassment to a collector. (creditinfo.gov.ph)

IX. Common Harassment Scripts and Why They Are Legally Problematic

1. “We will have you arrested today.”

Nonpayment of a loan is generally a civil matter unless fraud or another crime is involved. A collector should not threaten arrest merely to force payment.

2. “We will post your picture as a scammer.”

This may involve privacy violation, defamation, cyber-related liability, and unfair collection practice.

3. “We will call your employer and tell them you are a fraud.”

This may be harassment, third-party disclosure of debt information, possible defamation, and unlawful personal data processing.

4. “We will message all your contacts.”

This may involve unlawful contact-list use and excessive personal data processing.

5. “Your reference must pay your loan.”

A reference is not liable unless they separately agreed to be legally bound.

6. “We will file estafa if you do not pay today.”

A legitimate legal claim may be pursued through proper channels, but using baseless criminal threats as a collection tactic may be abusive.

X. Borrower Rights Under the Data Privacy Act

A borrower is a data subject and may exercise rights under the Data Privacy Act, including:

Right to be informed
Right to object
Right to access
Right to rectification
Right to erasure or blocking
Right to damages
Right to data portability, where applicable
Right to file a complaint with the NPC

The borrower may ask the lender:

What data was collected?
Why was it collected?
What app permissions were accessed?
Was the contact list accessed?
Was the data shared with collection agencies?
Who are the recipients?
What is the legal basis for processing?
How long will the data be retained?
How can consent be withdrawn?
How can unlawful data be deleted or blocked?

The Data Privacy Act gives the NPC authority to administer and implement the law and monitor compliance with data protection standards. (National Privacy Commission)

XI. Consent Is Not a Blank Check

Many lending apps argue that the borrower “consented” when installing the app or applying for a loan.

But valid consent must be specific, informed, freely given, and evidenced. Consent to verify identity or process a loan is not consent to shame the borrower, message all contacts, misuse photos, or publish personal details.

Even where consent exists, personal data processing must still be:

Necessary
Proportionate
Not excessive
Limited to declared purposes
Protected by security measures
Consistent with the borrower’s rights

A borrower cannot be forced to give excessive phone permissions unrelated to the loan.

XII. Public Shaming and Debt-Shaming

Debt-shaming happens when a lender or collector exposes the borrower’s alleged debt to others to pressure payment.

Examples:

Posting the borrower’s name and photo online.
Calling the borrower a scammer in group chats.
Sending the borrower’s debt details to family members.
Messaging co-workers about the unpaid loan.
Tagging the borrower on social media.
Creating fake wanted posters.
Sending edited images with insulting captions.
Publishing the borrower’s ID or address.

The NPC has acted against online lending apps for debt-shaming and excessive personal data processing. It has previously ordered data-processing bans and takedowns involving online lending apps accused of privacy violations. (National Privacy Commission)

XIII. Threats to Contact Employers

Collectors sometimes threaten to call HR, supervisors, or co-workers.

This may be unlawful or abusive if the purpose is to shame the borrower or pressure employment consequences. A lender may have a legitimate reason to verify employment at the application stage, but telling an employer about a borrower’s debt or threatening workplace embarrassment is different.

A borrower should preserve:

Screenshots of messages threatening employer contact.
Call logs.
Record of actual employer calls.
Statements from HR or co-workers.
Names and numbers used by collectors.
Any messages sent to workplace group chats.

The borrower may include these in SEC, NPC, and law enforcement complaints.

XIV. Threats to Family Members and Friends

Contacting family members, friends, neighbors, or co-workers to disclose a borrower’s debt may violate privacy and collection rules.

A collector may not use the borrower’s social circle as a humiliation tool.

If contacts receive messages, ask them to preserve:

Screenshots.
Phone numbers used by collectors.
Date and time.
Exact words used.
Any mention of the borrower’s name, debt, balance, or accusation.
Any threats or insults.

This evidence is powerful because it shows disclosure to third persons.

XV. Fake Legal Threats

Abusive collectors often use fake legal language.

Common examples:

“Final warrant notice”
“Barangay arrest order”
“Cybercrime warrant”
“Court summons” sent by text
“NBI complaint filed today”
“Police operation scheduled”
“Hold departure order”
“Estafa case approved”
“You will be imprisoned in 24 hours”
“Sheriff will seize your property tomorrow”

Real court processes do not happen through random threatening text blasts. A legitimate court summons, subpoena, warrant, or judgment follows formal legal procedure.

Collectors may demand payment, but they should not fabricate government authority.

XVI. Can a Borrower Be Imprisoned for Nonpayment?

As a general rule, a person is not imprisoned merely for inability to pay a debt.

The Philippine Constitution prohibits imprisonment for debt.

However, criminal liability may arise if there is a separate criminal act, such as fraud, falsification, bouncing checks under applicable law, identity fraud, or other offenses. But a collector cannot automatically convert ordinary nonpayment into a criminal case by sending threats.

A lender that believes a crime occurred must file the proper complaint and prove the elements. It cannot use false criminal threats as harassment.

XVII. Interest, Penalties, and Excessive Charges

Many online lending complaints involve extremely high interest, daily penalties, processing fees, service fees, rollover charges, and hidden deductions.

Borrowers should review:

Principal amount borrowed.
Amount actually received.
Interest rate.
Processing fee.
Service fee.
Penalties.
Total amount payable.
Due date.
Whether deductions were disclosed.
Whether effective interest was clearly explained.

Unfair, deceptive, or unconscionable terms may support complaints. Even if money is owed, the amount demanded must be lawful and properly computed.

XVIII. Unauthorized Data Sharing With Collection Agencies

A lender may engage a collection agency or third-party service provider, but personal data sharing must still comply with law.

The borrower should be informed about:

Who processes their data.
What data is shared.
Why it is shared.
Whether the recipient is a processor or separate controller.
How the data is protected.
How the borrower can exercise rights.
Whether the collection agency is authorized.

The lender remains accountable for personal data under its control. The NPC has emphasized accountability of lending and financing companies and persons acting like them for personal data under their control or custody. (National Privacy Commission)

XIX. Unauthorized Access to Contacts, Photos, and Media

A serious privacy violation may occur when the app accesses:

Phone contacts
Photo gallery
Camera
SMS
Call logs
Email accounts
Social media accounts
Location
Files
Device storage

The NPC has found that some apps processed information such as contacts, location, photos, media files, email, and social media data in ways that posed serious privacy concerns. (National Privacy Commission)

Borrowers should check app permissions and revoke unnecessary access. They may also uninstall the app, but should preserve evidence first.

XX. What Borrowers Should Do Immediately When Harassed

Step 1: Stay calm and do not engage emotionally

Collectors may intentionally provoke fear, shame, and panic.

Do not respond with threats or insults. Keep communications factual.

Step 2: Preserve evidence

Save:

Screenshots
Call logs
Text messages
Chat messages
Voice recordings, where lawfully obtained
Collection letters
Social media posts
Group chat messages
Messages sent to contacts
App permission screenshots
Loan agreement
Disclosure statement
Payment receipts
Proof of harassment to third persons

Step 3: Revoke app permissions

Check phone settings and disable access to contacts, camera, photos, location, SMS, and storage if unnecessary.

Step 4: Notify contacts

Tell family, friends, and co-workers not to engage with collectors and to preserve messages.

Step 5: Send a written cease-and-desist or complaint message

Tell the lender to stop unlawful harassment, communicate only through proper channels, and respect privacy rights.

Step 6: File complaints

Depending on the facts, complain to the SEC, NPC, platform/app store, bank/e-wallet, police, cybercrime authorities, or court.

XXI. Evidence Checklist

A strong complaint should include:

Borrower’s full name and contact details.
Name of lending app.
Name of lending company, if known.
SEC registration or certificate number, if available.
App download link or screenshots.
Loan application screenshots.
Loan agreement.
Disclosure statement.
Amount borrowed.
Amount received.
Amount demanded.
Payment history.
Screenshots of threats.
Screenshots of messages to contacts.
Call logs showing frequency.
Names and numbers of collectors.
Social media posts or group chats.
Proof of access to contacts or photos.
App permission screenshots.
Proof that contacts were messaged.
Emotional, employment, or reputational harm suffered.
Prior demand to stop harassment.
Any response from the lender.

The more organized the evidence, the stronger the complaint.

XXII. How to Document Calls

For each call, record a log:

Date	Time	Number	Caller Name	What Was Said	Witness
May 5, 2026	9:15 AM	09xx xxx xxxx	“Legal Dept.”	Threatened to call employer	Spouse heard call
May 5, 2026	10:02 AM	09xx xxx xxxx	Collector	Called borrower “scammer”	Screenshot saved

If calls are too frequent, take screenshots of the call history.

If recording calls, consider privacy and admissibility rules. At minimum, written logs and screenshots should be preserved.

XXIII. How to Document Messages to Contacts

Ask contacts to send screenshots showing:

Collector’s number.
Date and time.
Full message.
Borrower’s name mentioned.
Debt amount mentioned.
Threats or insults.
Any group chat created.
Any image or ID shared.

Do not edit screenshots. Preserve originals.

XXIV. Sample Message to Lending App

A borrower may send:

I demand that you stop all abusive, threatening, and privacy-invasive collection practices. You and your agents are not authorized to contact my family, friends, employer, co-workers, or phone contacts regarding my alleged debt. You are not authorized to publish or disclose my personal information, photo, address, loan balance, or other personal data. All communications should be sent only to me through lawful channels. I reserve my rights to file complaints with the SEC, National Privacy Commission, law enforcement, and other appropriate offices.

This does not erase the debt, but it creates a record that the borrower objected to unlawful practices.

XXV. Sample Message to Contacts

Borrowers may warn contacts:

If you receive calls or messages from any lending app or collector about me, please do not engage or give them information. Kindly screenshot the message, save the number, and send it to me. They are not authorized to discuss my personal information or alleged debt with you.

This helps preserve evidence and reduces panic.

XXVI. Filing a Complaint With the SEC

File with the SEC when the issue involves:

Lending company harassment.
Financing company harassment.
Online lending app misconduct.
Unfair debt collection.
Unregistered or unauthorized lending operations.
Abusive third-party collection agents.
Misleading loan terms.
Hidden charges or unfair penalties.
Threats, insults, and shaming by collectors.

The SEC maintains channels for complaints and public submissions, including an online ticketing/contact system. (imessage.sec.gov.ph)

In the complaint, identify the lender, app name, collectors, loan details, and attach evidence.

XXVII. Filing a Complaint With the National Privacy Commission

File with the NPC when the issue involves:

Unauthorized contact-list access.
Messages to contacts.
Public posting of borrower data.
Use of borrower’s photo for shaming.
Unauthorized processing of IDs or selfies.
Excessive app permissions.
Disclosure of debt to third persons.
Doxxing.
Failure to honor data subject rights.
Refusal to delete or stop unlawful processing.

The NPC has handled complaints involving online lending apps and has taken enforcement action against apps for excessive and unlawful data processing. (National Privacy Commission)

A complaint should include screenshots, app permissions, proof of messages to contacts, and the lender’s privacy notice or loan terms if available.

XXVIII. Reporting to App Stores and Platforms

Borrowers may report the app to:

Google Play Store
Apple App Store
Facebook
TikTok
Messaging platforms
Payment platforms
Hosting providers
Ad platforms

The NPC has previously coordinated takedown-related actions involving online lending apps whose data processing created serious privacy concerns. (National Privacy Commission)

A platform report should attach:

App name
App link
Developer name
Screenshots of harassment
Evidence of excessive permissions
Privacy violation summary

XXIX. Reporting to Police or Cybercrime Authorities

Report to law enforcement if there are:

Threats of violence.
Extortion.
Identity theft.
Fake accounts.
Hacking.
Cyber harassment.
Online defamation.
Unauthorized publication of personal data.
Sextortion or sexualized threats.
Fraudulent loan app activity.
Use of fake government documents.
Harassment involving minors or vulnerable persons.

Bring printed and digital evidence.

XXX. Possible Criminal Issues

Depending on the facts, abusive collection may raise issues under:

Grave threats
Light threats
Unjust vexation
Slander or oral defamation
Libel or cyber libel
Identity theft
Computer-related fraud
Data privacy offenses
Extortion-related offenses
Coercion
Falsification, if fake legal documents are used
Usurpation or false representation of authority, where applicable

The proper charge depends on the exact conduct and evidence.

XXXI. Civil Remedies

A borrower or affected third person may consider civil remedies for:

Damages
Injunction
Protection of privacy
Defamation-related harm
Emotional distress
Loss of employment opportunity
Business or reputational injury
Abuse of rights
Breach of contract
Unjust or excessive collection

Civil action may be appropriate where harassment caused measurable damage.

XXXII. Rights of Third Persons Contacted by the Lender

Family members, friends, co-workers, and references may also have rights.

If they did not borrow money and did not guarantee the loan, they generally should not be harassed, pressured, or shamed.

They may complain if:

Their personal number was obtained without proper basis.
They received threatening calls.
They were told private debt information.
They were pressured to pay.
They were insulted.
Their personal data was processed without lawful basis.
They were added to group chats.
Their workplace was contacted.

Third persons should preserve evidence and may file their own complaint where appropriate.

XXXIII. Employer Contact and Workplace Harm

If the lender contacts the borrower’s employer and the borrower suffers workplace consequences, document:

Who contacted the employer.
What was said.
Whether loan details were disclosed.
Whether the borrower was embarrassed.
Whether HR issued a memo.
Whether work relationships were affected.
Whether the borrower was suspended, disciplined, or terminated.
Whether the employer has call logs or emails.
Whether co-workers received messages.

This may support privacy, defamation, labor-related, or civil damages claims depending on the facts.

XXXIV. What if the Borrower Really Owes the Money?

The borrower should separate two issues:

Debt obligation
Illegal collection conduct

If the loan is valid, the borrower may still need to pay or negotiate. But the lender must collect lawfully.

A borrower can say:

I am willing to discuss a lawful payment arrangement, but I object to threats, shaming, contact-list messaging, employer harassment, and unauthorized disclosure of my personal data.

This preserves the borrower’s position: the debt issue may be resolved, but harassment is not waived.

XXXV. Negotiating Payment Without Waiving Rights

Borrowers who want to settle may ask for:

Updated statement of account.
Breakdown of principal, interest, fees, and penalties.
Waiver or reduction of penalties.
Written settlement amount.
Written payment deadline.
Official payment channel.
Receipt after payment.
Confirmation of full settlement.
Deletion or restriction of unnecessary personal data.
Written undertaking to stop contacting third persons.

Do not rely on verbal promises. Get settlement terms in writing.

XXXVI. Beware of Paying Collectors Without Verification

Before paying, verify:

Is the collector authorized?
Is the payment account official?
Does the account name match the lender?
Will payment be credited to the loan?
Will an official receipt be issued?
Is there a written settlement?
Is the collector demanding extra “clearance fees”?
Is the collector using threats to force immediate transfer?

Some borrowers pay collectors but the account remains unpaid because the collector was unauthorized or the payment was not properly credited.

XXXVII. Demand for Statement of Account

A borrower may request a clear statement of account showing:

Principal borrowed.
Amount disbursed.
Interest.
Processing fee.
Service fee.
Penalties.
Collection charges.
Payments made.
Remaining balance.
Basis of computation.

If the lender refuses to provide a breakdown and only sends threats, this may support a regulatory complaint.

XXXVIII. Unregistered or Illegal Lending Apps

Some online lending apps operate without proper registration or authority.

Red flags include:

No SEC registration.
No lending company name.
App name differs from company name.
No physical address.
No privacy notice.
No loan agreement.
No disclosure statement.
No official receipt.
Payment to random personal accounts.
Threatening collectors with no company identity.
App disappears from app store.
Multiple cloned apps with same collector numbers.

The SEC and other government bodies have repeatedly warned against abusive and unauthorized online lending operations, including app removals and blocking actions. (Manila Standard)

XXXIX. The Role of Third-Party Collection Agencies

A lending company may use collection agencies, but they must still follow the law.

The lender may be accountable for its third-party collectors if those collectors act for the lender.

A third-party collector should not:

Hide its identity.
Pretend to be a police officer.
Pretend to be a court sheriff.
Threaten arrest without basis.
Use abusive language.
Contact unrelated third persons.
Publish personal data.
Use fake legal documents.
Demand payment through personal accounts.
Refuse to provide proof of authority.

Borrowers may ask for the collector’s authority to collect.

XL. Harassment Through Multiple Numbers

Many collectors use rotating numbers.

Borrowers should:

Screenshot call logs.
Save numbers.
Use phone blocking features.
Avoid answering abusive calls if unsafe.
Ask collectors to communicate in writing.
Preserve voicemails and messages.
Report numbers to telecom providers where appropriate.
Include all numbers in complaints.

A pattern of repeated calls from many numbers can show harassment.

XLI. Group Chats and Public Posts

If collectors create group chats or social media posts:

Screenshot the full group chat.
Capture participant list.
Save the collector’s account name and profile link.
Save timestamps.
Preserve photos or captions used.
Ask contacts not to delete messages.
Report the group or post to the platform.
Include the evidence in NPC and SEC complaints.

Group shaming is one of the clearest forms of abusive collection.

XLII. Use of Borrower’s Photo

The NPC has specifically stated that a borrower’s photo must not be used to harass or embarrass the borrower to collect a delinquent loan. (National Privacy Commission)

Improper use of a borrower’s photo may involve:

Data privacy violation.
Cyber harassment.
Defamation.
Emotional distress.
Unfair debt collection.
Possible identity misuse.
Platform policy violations.

A borrower should preserve copies of any image used by collectors.

XLIII. Use of Borrower’s Government ID

Government IDs contain sensitive personal information.

A lender may collect ID data for legitimate KYC purposes, but it should protect the ID and not disclose it publicly.

Improper acts include:

Posting ID photos online.
Sending ID copies to contacts.
Using ID as a threat.
Editing ID into shame posts.
Sharing ID with unauthorized collectors.
Keeping ID data longer than necessary.
Failing to secure ID data.

This may support a Data Privacy Act complaint.

XLIV. Location Tracking

Some apps may request location access.

Location data can be sensitive because it reveals movement, residence, workplace, and habits.

Location access should be justified, necessary, and proportionate. Continuous tracking for debt intimidation may be excessive and unlawful.

Borrowers should disable location access if not necessary.

XLV. Contacting References vs. Harassing References

There is a difference between lawful reference verification and harassment.

A lender may verify a reference during application if properly disclosed and legally justified.

But it should not:

Demand payment from the reference.
Shame the borrower to the reference.
Disclose full loan details unnecessarily.
Threaten the reference.
Repeatedly call the reference.
Add the reference to group chats.
Use the reference as leverage.

References may file complaints if harassed.

XLVI. Guarantors and Co-Makers

A guarantor, surety, co-maker, or co-borrower may be legally liable if they signed or agreed to be bound.

But even then, collection must still be lawful.

Collectors may demand payment from a true co-maker or guarantor, but they still cannot use threats, insults, doxxing, or unlawful data processing.

A person who did not sign as guarantor should not be treated as one.

XLVII. Minors and Online Lending

If an online lending app granted a loan to a minor, legal issues arise.

Questions include:

Did the borrower have legal capacity?
Did the app verify age?
Was a parent’s data used?
Were IDs falsified?
Did the app process a minor’s data?
Were contacts of the minor harassed?
Did the app comply with KYC and data privacy safeguards?

Processing minors’ data and collecting from minors require heightened care.

XLVIII. Spouses and Family Members

A spouse or family member is not automatically liable for a borrower’s online loan unless they are a co-borrower, guarantor, surety, or the debt legally binds the conjugal or community property under applicable family law principles.

Collectors should not harass spouses, parents, siblings, or children merely because they are related to the borrower.

XLIX. Can Collectors Go to the Borrower’s House?

A lender may pursue lawful collection. But home visits must not involve:

Threats.
Trespass.
Public shaming.
Barangay gossip.
Loud accusations.
Harassment of household members.
Seizure of property without court authority.
Pretending to be sheriff or police.
Violence or intimidation.

Collectors cannot seize property simply because the borrower owes money. Court process is required for execution of judgment.

L. Barangay Threats

Collectors often threaten to report the borrower to the barangay.

A barangay may help mediate certain disputes, but it cannot imprison a borrower for debt. Barangay proceedings are not a substitute for court collection.

A collector should not misuse barangay terminology to intimidate.

LI. Police Threats

Police generally do not collect private debts.

If collectors claim police will arrest the borrower for nonpayment, ask for:

Case number.
Police station.
Name and rank of officer.
Written complaint.
Official subpoena or notice.

Do not panic over anonymous threats. Preserve the message and report abusive threats.

LII. Court Summons and Legal Notices

A real court summons is served according to court rules.

Text messages saying “court notice,” “final warrant,” or “legal team arrest today” are often intimidation tactics.

If an actual court case is filed, the borrower should respond properly and seek legal advice. Ignoring real court papers is risky.

But fake legal threats should be documented and reported.

LIII. Credit Reporting

Legitimate lenders may report credit information through lawful credit channels, subject to applicable laws and rules.

But public shaming is not credit reporting.

A lawful credit report is different from:

Messaging all contacts.
Posting on Facebook.
Calling employer.
Creating group chats.
Sending defamatory labels.
Publishing ID or photo.

Credit reporting must follow proper legal channels and data protection requirements.

LIV. Data Subject Request to Stop Processing

A borrower may send a data subject request asking the lender to:

Identify data collected.
Provide copy of personal data.
Disclose recipients.
Stop unlawful processing.
Delete excessive data.
Stop contacting third persons.
Correct inaccurate information.
Limit processing to lawful collection.
Explain retention period.
Identify the data protection officer.

This may be sent to the lender’s official email or privacy contact, if available.

LV. Sample Data Privacy Request

I am exercising my rights as a data subject. Please provide information on the personal data you collected from me, the purposes of processing, the app permissions accessed, the recipients or third parties to whom my data was disclosed, and the retention period. I object to any processing of my personal data for harassment, public shaming, disclosure to my contacts, or other unfair collection practices. I demand that you stop processing unnecessary or excessive data, including my contact list, photos, and information of third persons, and confirm the actions taken.

Keep proof of sending.

LVI. Filing With NPC: Key Allegations

A strong NPC complaint may allege:

Excessive collection of personal data.
Unauthorized contact-list access.
Disclosure of debt to third persons.
Use of photos for shaming.
Lack of valid consent.
Lack of transparency.
Lack of legitimate purpose.
Lack of proportionality.
Failure to secure personal data.
Failure to honor data subject rights.
Unauthorized sharing with collectors.
Processing personal data for unfair collection.

Attach evidence.

LVII. Filing With SEC: Key Allegations

A strong SEC complaint may allege:

Unfair debt collection practices.
Threats or intimidation.
Profanity and insults.
False criminal accusations.
Public shaming.
Contacting third persons.
Misrepresentation of legal authority.
Use of third-party collectors to harass.
Hidden fees or misleading loan terms.
Lack of proper lending authority.
Failure to disclose true loan cost.
Refusal to provide statement of account.

Attach evidence.

LVIII. Remedies the SEC May Impose

Depending on the case and applicable rules, regulatory consequences may include:

Warning.
Fine.
Suspension.
Revocation of certificate of authority.
Sanctions against lending or financing company.
Orders affecting abusive practices.
Referral to other agencies.
Action against illegal or unauthorized lending operations.

The exact outcome depends on evidence and regulatory findings.

LIX. Remedies the NPC May Impose

Depending on the case, the NPC may:

Investigate.
Order the personal information controller to respond.
Direct correction, deletion, blocking, or cessation of processing.
Issue compliance orders.
Recommend prosecution where criminal violations exist.
Impose administrative consequences where allowed.
Coordinate takedowns or data-processing bans in serious cases.

The NPC has previously ordered online lending apps to stop processing borrowers’ personal data and coordinated takedown/removal measures for apps with serious privacy concerns. (National Privacy Commission)

LX. App Takedown and Data Processing Ban

A serious privacy case may lead regulators to direct an app to stop processing personal data or be removed from app stores.

The NPC has issued orders against specific online lending apps after findings of irrelevant, unnecessary, and excessive harvesting of personal and sensitive information without free and informed consent. (National Privacy Commission)

This shows that privacy violations by OLAs are not merely private disputes. They can become regulatory enforcement matters.

LXI. What if the App Is Foreign-Owned or Anonymous?

Some abusive apps hide behind foreign operators, shell companies, or changing app names.

Borrowers should collect:

App name.
Developer name.
App store link.
Website.
Privacy policy.
Company name in loan agreement.
Payment account.
Collector numbers.
Email addresses.
SEC registration claims.
Screenshots of all pages before deletion.

Even if the operator is hard to identify, payment accounts, app store records, telecom numbers, and digital trails may help regulators and law enforcement.

LXII. Payment Channels and Fraud Risk

Some OLAs demand payment through personal e-wallets or bank accounts.

Before paying, verify:

Official lender name.
Official account name.
Payment reference.
Whether the payment will be credited.
Whether receipt will be issued.
Whether settlement will close the account.
Whether the app shows the same amount.
Whether the collector is authorized.

Payment to random personal accounts may create risk of non-crediting or fraud.

LXIII. Full Settlement Documentation

If the borrower pays, request:

Official receipt.
Updated statement of account.
Certificate of full payment.
Confirmation of loan closure.
Removal of collection status.
Written confirmation that third-party collectors have been informed.
Confirmation that unnecessary personal data will no longer be processed.
Confirmation that no further collection will be made.

Keep these permanently.

LXIV. “Rollover” and Reborrowing Traps

Some apps pressure borrowers into taking new loans to pay old loans.

This can create a debt cycle.

Watch out for:

Automatic loan renewal.
Rollover fees.
Short repayment periods.
Deductions from principal.
Pressure to borrow from another app.
Multiple affiliated apps.
Threats if borrower refuses rollover.
Excessive daily penalties.

Borrowers should avoid borrowing from one abusive app to pay another. Seek restructuring, formal complaint, or financial counseling instead.

LXV. Data Privacy and Loan Closure

After loan closure, the lender should not keep processing personal data beyond lawful retention purposes.

The lender may retain some records for legal, accounting, regulatory, or dispute purposes. But it should not continue using contact lists, photos, or borrower data for harassment or unrelated marketing.

Borrowers may request deletion or blocking of unnecessary data after closure.

LXVI. Marketing and Cross-Selling

Some lenders use borrower data for marketing or sharing with affiliates.

The NPC loan-related rules indicate that using data for marketing, cross-selling, or sharing with third parties for unrelated products or services requires a separate lawful basis under the Data Privacy Act. (National Privacy Commission)

Consent for a loan application is not automatically consent for unrelated marketing.

LXVII. Automated Credit Scoring

Online lenders may use automated processing, profiling, credit rating, or scoring.

Borrowers should be informed if loan processing uses profiling, automated processing, automated decision-making, or credit scoring before their data enters the processing system or at the next practical opportunity. (National Privacy Commission)

Borrowers may ask what categories of data were considered in deciding whether to approve or deny a loan.

LXVIII. Security Obligations

Lenders must protect borrower data.

Security failures may include:

Leaked borrower lists.
Publicly accessible databases.
Unsecured IDs or selfies.
Sharing data with unauthorized collectors.
Weak access controls.
Failure to delete old data.
Unencrypted files.
Data exposure through collection group chats.
Use of personal devices by collectors without safeguards.
Failure to report data breaches where required.

Even a legitimate lender can be liable if it fails to secure borrower data.

LXIX. Data Breach Concerns

A data breach may occur if borrower personal data is accessed, disclosed, altered, lost, or used without authorization.

Examples:

Contact list leaked to collectors.
Borrower IDs shared in a group.
Database sold to other lending apps.
Borrower information posted online.
Former employees keep borrower data.
Debt lists circulated through messaging apps.

The borrower may report suspected breaches to the NPC.

LXX. When Harassment Causes Mental Distress

Online lending harassment can cause anxiety, panic, shame, depression, workplace fear, family conflict, and reputational harm.

Borrowers should document harm:

Medical consultation.
Psychological consultation.
Work memos.
HR records.
Witness statements.
Social media posts.
Screenshots of public humiliation.
Family messages.
Lost work opportunities.
Expenses incurred.

Such documentation may support damages claims or regulatory evaluation.

LXXI. Defamation and Cyber Libel Concerns

If collectors publicly accuse the borrower of being a scammer, criminal, thief, estafador, or fraudster, defamation issues may arise.

Online publication may raise cyber libel issues depending on the facts.

However, defamation law is technical. The borrower should preserve the publication and consult counsel before filing.

Do not retaliate with defamatory posts. Stick to factual complaints.

LXXII. Borrower Posting About the Lender

Borrowers may warn others, but should avoid legal risk.

Safer public statements are factual:

“I received these messages from this number after applying for a loan. The messages were also sent to my contacts. I have filed complaints with the proper agencies.”

Avoid unsupported statements such as:

“All employees are criminals.”
“This person is a scammer” without proof.
Posting private addresses of collectors.
Posting personal data of employees.
Encouraging harassment.

The borrower should focus on evidence and official complaints.

LXXIII. What if the Lender Offers to Stop Harassment if Paid Immediately?

A collector may say:

“Pay now or we will message your contacts.”

This may be coercive or abusive.

The borrower should preserve the threat. If able to pay and wanting to settle, still demand written settlement terms and official payment channel.

If unable to pay, do not panic. File complaints and tell contacts to preserve evidence.

LXXIV. Can a Borrower Block Collectors?

A borrower may block abusive numbers, especially if calls are threatening or repetitive.

However, it is useful to keep at least one lawful communication channel open, such as email or SMS, for legitimate statements of account and settlement discussions.

Borrowers may send:

Please communicate only through this email address. I will not respond to abusive calls or messages.

This helps show reasonableness.

LXXV. Changing SIM or Phone Number

Changing SIM may reduce harassment, but it can also make settlement or legal communication harder.

Before changing numbers:

Save all evidence.
Export messages.
Screenshot call logs.
Notify trusted contacts.
Update important accounts.
Preserve access to e-wallets and banking apps.
Inform lender of lawful communication channel, if appropriate.

Do not destroy evidence.

LXXVI. Uninstalling the App

Before uninstalling:

Screenshot app permissions.
Screenshot loan details.
Screenshot balance and due date.
Screenshot privacy notice.
Screenshot loan agreement.
Save payment history.
Save app name and developer.
Revoke permissions.
Export evidence.

After evidence is saved, uninstalling may help stop further data access.

LXXVII. Phone Security Steps

Borrowers should:

Revoke app permissions.
Uninstall abusive apps after preserving evidence.
Change passwords.
Enable two-factor authentication.
Check connected apps.
Review Google or Apple account permissions.
Check social media privacy settings.
Warn contacts.
Scan for malware.
Avoid installing APK files from unknown sources.

Some abusive apps may be installed outside official app stores, increasing risk.

LXXVIII. APK and Sideloaded Lending Apps

Be cautious with lending apps installed through APK links, not official app stores.

Risks include:

Malware.
Excessive permissions.
No platform accountability.
Hidden data harvesting.
Hard-to-identify developer.
No standard app review.
Fake app clones.
Remote access risks.

Borrowers should avoid installing financial apps from unofficial links.

LXXIX. Identity Theft Risk

Online lending apps may collect IDs, selfies, signatures, and personal information. If misused, this can lead to identity theft.

Borrowers should monitor for:

Unknown loan applications.
New collection messages from other apps.
E-wallet or bank account issues.
SIM registration misuse.
Social media impersonation.
Fake accounts using borrower photos.
Unauthorized credit inquiries.
Messages from unknown lenders.

Report identity misuse immediately.

LXXX. If the Borrower Never Applied for the Loan

Some people are harassed despite never borrowing.

This may happen because:

Their number was listed as a reference.
Their contact was harvested.
Their identity was used fraudulently.
Their SIM number was recycled.
The collector has the wrong person.
Someone used their ID or phone.

They should state:

I am not the borrower, co-maker, guarantor, or authorized representative. Stop contacting me and delete my personal data unless you have a lawful basis to retain it.

They may file NPC and SEC complaints if harassment continues.

LXXXI. If Someone Used Your ID to Borrow

Act quickly:

Request loan documents from the lender.
Deny unauthorized transaction in writing.
Ask for the basis of processing your data.
File a police or cybercrime report.
File NPC complaint for identity misuse.
File SEC complaint if lender ignored KYC failures.
Notify e-wallets or banks.
Monitor other accounts.
Preserve all messages and documents.

Identity fraud should not be treated as ordinary debt.

LXXXII. Harassment of Non-Borrowers

Non-borrowers may include:

References.
Family members.
Friends.
Co-workers.
Employers.
Neighbors.
Former owners of recycled numbers.
Persons mistakenly contacted.
Victims of identity theft.

They may complain because their personal data is being processed without proper basis.

LXXXIII. Can a Lender Contact a Borrower’s Contacts?

A lender should not use contacts to shame or pressure the borrower.

Limited contact may be lawful only if:

There is a legitimate purpose.
The data subject was properly informed.
The contact is relevant.
The processing is necessary and proportionate.
No debt details are unnecessarily disclosed.
The contact is not harassed.
The contact is not asked to pay unless legally liable.

Mass messaging a borrower’s contact list is highly problematic.

LXXXIV. Complaint Strategy

A borrower may file multiple complaints because different agencies address different issues.

Problem	Possible Forum
Abusive collection by lending company	SEC
Contact-list harvesting or data misuse	NPC
Threats, extortion, identity theft	Police / cybercrime authorities
Fake app or scam	SEC, police, cybercrime, app store
Payment account fraud	Bank / e-wallet provider
Public shaming on social media	NPC, platform, cybercrime authorities
Civil damages	Court
Excessive or unclear loan charges	SEC, court, consumer/legal counsel

LXXXV. Practical Complaint Package

Prepare one folder with:

Summary of facts.
Timeline.
Loan details.
App screenshots.
Loan agreement.
Payment records.
Harassment screenshots.
Contact-list harassment proof.
Collector numbers.
Social media links.
App store link.
Company information.
Data privacy request, if sent.
Cease-and-desist message, if sent.
Witness/contact screenshots.
Desired remedy.

This folder can be used for SEC, NPC, police, and legal counsel.

LXXXVI. Sample Timeline for Complaint

March 1: Borrower downloaded app and applied for ₱5,000 loan. March 1: App required access to contacts and photos. March 1: Borrower received only ₱3,500 after deductions. March 7: Borrower missed due date. March 8: Collector began calling 30 times per day. March 8: Collector messaged borrower’s mother and employer. March 9: Collector sent borrower’s photo to contacts and called borrower “scammer.” March 10: Borrower demanded that harassment stop. March 11: Collector created group chat with borrower’s contacts. March 12: Borrower filed complaints.

A timeline helps regulators understand the pattern.

LXXXVII. Possible Remedies to Request

In complaints, the borrower may request:

Immediate cessation of harassment.
Order to stop contacting third persons.
Deletion or blocking of unlawfully processed data.
Investigation of app permissions.
Sanctions against lender and collectors.
Correction of account records.
Clear statement of account.
Removal of defamatory posts.
Preservation of evidence.
Damages, where appropriate.
App takedown or regulatory action for serious violations.
Referral for criminal investigation.

LXXXVIII. What Not to Do

Avoid:

Deleting evidence.
Threatening collectors back.
Posting collectors’ private data online.
Paying to random personal accounts without verification.
Borrowing from another abusive app to pay the first.
Ignoring real legal documents.
Signing settlement without reading.
Admitting inflated amounts without statement of account.
Giving new passwords, OTPs, or IDs.
Installing more unknown lending apps.
Allowing app permissions to remain active unnecessarily.
Sending money because of fake arrest threats.

LXXXIX. Difference Between Harassment and Lawful Collection

Lawful Collection	Harassment / Violation
Polite payment reminder	Threats and insults
Statement of account	Fake criminal accusations
Communication with borrower	Messaging borrower’s contacts
Lawful demand letter	Fake warrant or fake court notice
Proper collection agency	Anonymous abusive numbers
Negotiated payment plan	Public shaming
Court collection case	Threatening immediate arrest
Credit reporting through lawful channels	Posting debt on Facebook
Necessary data processing	Harvesting contacts and photos

XC. Duties of Legitimate Online Lenders

A compliant lender should:

Be properly registered and authorized.
Provide clear loan terms.
Disclose interest, fees, penalties, and total cost.
Collect only necessary data.
Provide just-in-time privacy notices.
Avoid excessive app permissions.
Protect borrower data.
Use lawful collection methods.
Train collectors.
Monitor third-party collection agencies.
Provide a privacy contact or data protection officer.
Honor data subject rights.
Stop unlawful processing after purpose is served.
Avoid harassment, shaming, threats, and deception.
Provide receipts and account statements.

XCI. Red Flags Before Borrowing From an App

Avoid or verify apps that:

Require access to all contacts.
Require access to photo gallery without clear reason.
Require SMS and call log access.
Have no company name.
Have no SEC registration.
Have no privacy notice.
Offer vague loan terms.
Deduct huge fees upfront.
Have extremely short repayment periods.
Have many harassment complaints.
Use APK downloads.
Use multiple app names.
Demand payment to personal accounts.
Hide interest and fees.
Have no customer service address.

XCII. Preventive Steps Before Applying

Before using an online lending app:

Verify the company with the SEC.
Read the loan agreement.
Read the privacy notice.
Check app permissions.
Avoid apps requiring contact-list access.
Check reviews for harassment complaints.
Avoid APK downloads.
Use only official app stores.
Screenshot all terms before accepting.
Confirm total repayment amount.
Avoid borrowing if terms are unclear.
Do not upload unnecessary IDs or photos.
Do not list people as references without informing them.
Keep copies of all documents.

XCIII. Special Concern: Repeated Small Loans

Many borrowers get trapped in repeated small loans.

A ₱3,000 loan may become several loans across multiple apps, each with short terms and high penalties.

Practical steps:

List all loans.
Stop taking new loans.
Prioritize legitimate lenders.
Ask for restructuring.
Dispute illegal charges.
Report harassment.
Seek help from family or financial counselor if possible.
Avoid rolling debt into more OLAs.
Keep all payments documented.
Negotiate in writing.

XCIV. If the Borrower Is Suicidal or in Crisis

Harassment can become overwhelming.

If a borrower is at risk of self-harm, the immediate priority is safety:

Contact a trusted person.
Step away from the phone.
Do not engage with collectors.
Seek emergency mental health support.
Ask someone trusted to help preserve evidence and file complaints.
Block abusive numbers temporarily.
Remember that debt can be negotiated, but harm to oneself is irreversible.

No loan is worth a life.

XCV. Frequently Asked Questions

Can an online lender message my contacts?

Not to shame, threaten, or disclose your debt. Contact-list harvesting and use for harassment are legally problematic.

Can they post my picture online?

No. Using your photo to harass or embarrass you for collection is prohibited under NPC guidance.

Can they call my employer?

They should not disclose your debt or shame you at work. Employment verification is different from harassment.

Can they arrest me for unpaid online loan?

Ordinary nonpayment is generally a civil matter. Arrest threats are often abusive unless there is a separate genuine criminal process.

Should I still pay?

If the loan is valid, you should address the debt. But you may demand lawful collection, proper computation, and an end to harassment.

Can I sue?

Depending on the facts, you may file administrative, civil, or criminal complaints.

Can references be forced to pay?

Not unless they agreed to be guarantors, sureties, co-makers, or co-borrowers.

Can I ask them to delete my data?

You may exercise data subject rights, subject to lawful retention grounds. You can object to unlawful or excessive processing.

XCVI. Sample SEC Complaint Summary

I am filing a complaint against [App/Lending Company] for unfair debt collection practices. After I missed payment on [date], their collectors repeatedly called and texted me using abusive and threatening language. They threatened arrest, contacted my family and employer, disclosed my alleged debt, and sent insulting messages to my contacts. I request investigation and appropriate action against the lending company, its online lending app, and its collectors.

Attach screenshots, call logs, loan documents, and third-party messages.

XCVII. Sample NPC Complaint Summary

I am filing a complaint for unauthorized and excessive processing of my personal data by [App/Lending Company]. The app required access to my contacts/photos during loan application. After alleged nonpayment, collectors used my personal data to contact my phone contacts, disclose my loan details, and shame me. My photo/name/contact information was used for collection harassment. I request investigation, cessation of unlawful processing, deletion or blocking of unnecessary data, and appropriate sanctions.

Attach app permission screenshots, privacy notice, messages to contacts, and public posts.

XCVIII. Practical Checklist for Victims

Do this immediately:

Screenshot all threats.
Save call logs.
Ask contacts to send screenshots.
Revoke app permissions.
Screenshot loan details.
Save payment records.
Demand statement of account.
Send cease-and-desist message.
File SEC complaint for unfair collection.
File NPC complaint for privacy violations.
Report threats or identity misuse to cybercrime authorities.
Avoid paying random personal accounts.
Negotiate only in writing.
Keep receipts.
Seek legal help if sued or severely harassed.

XCIX. Key Takeaways

Online lending apps in the Philippines may collect lawful debts, but they must do so lawfully. Borrowers do not lose their rights because they missed a payment.

The most important rules are:

Debt does not justify harassment.
Contact-list harvesting for shaming or collection pressure is legally problematic.
Borrower photos must not be used to embarrass or threaten borrowers.
Lenders and collectors must avoid unfair debt collection practices.
References and contacts are not automatically liable for the loan.
Fake arrest threats and fake legal notices should be documented and reported.
The SEC handles unfair collection complaints involving lending and financing companies.
The NPC handles privacy violations and unlawful personal data processing.
Borrowers should preserve evidence before deleting apps or messages.
Payment disputes should be handled through verified channels and written settlements.
Harassment by third-party collectors may still expose the lender to accountability.
Public shaming, doxxing, and employer harassment may create administrative, civil, or criminal liability.
Borrowers should distinguish between the duty to pay a lawful debt and the right to be free from unlawful collection conduct.
Complaints are stronger when supported by screenshots, call logs, app permissions, loan documents, and third-party witness messages.
The safest response is to document, revoke unnecessary permissions, demand lawful communication, and file with the proper agencies.

In short, an online lender may pursue payment, but it cannot weaponize a borrower’s personal data, dignity, family, workplace, or social circle. Philippine law gives borrowers and affected third persons remedies against harassment, public shaming, excessive app permissions, unauthorized data sharing, and abusive collection tactics.