I. Introduction

Mobile numbers in the Philippines are no longer just tools for calls and text messages. They are now gateways to banking apps, e-wallets, government portals, delivery accounts, social media accounts, work communications, and one-time passwords. Because of this, the deactivation of a SIM card or the reassignment of a recycled mobile number can create serious legal, financial, and privacy consequences.

The issue sits at the intersection of telecommunications law, data privacy, consumer protection, cybersecurity, contract law, banking regulation, and criminal law. A mobile number may technically belong to the telecommunications provider, but its practical use is deeply connected to a person’s identity. When a number is deactivated or reassigned, the previous user may lose access to accounts, while the new user may receive messages, calls, OTPs, debt collection notices, or private communications intended for someone else.

In the Philippine context, the key laws and rules include the SIM Registration Act, the Data Privacy Act of 2012, the Cybercrime Prevention Act of 2012, consumer protection laws, National Telecommunications Commission regulations, and sector-specific rules issued by agencies such as the Bangko Sentral ng Pilipinas.

II. Legal Nature of a SIM Card and Mobile Number

A SIM card allows a subscriber to access a telecommunications network. It is tied to a mobile number assigned by the public telecommunications entity or telco. In ordinary use, subscribers often think of the mobile number as “theirs.” Legally, however, the number is generally assigned for use, not owned in the same way one owns personal property.

The telco controls numbering resources under government authority. Mobile numbers form part of the national telecommunications numbering system, which is regulated by the State through the National Telecommunications Commission. The subscriber’s right is therefore usually contractual and regulatory: the right to use the number while the subscription remains valid and while the subscriber complies with law, telco terms, and applicable regulations.

This distinction matters. A subscriber may have rights against wrongful deactivation, poor service, unfair terms, breach of contract, or mishandling of personal data, but the subscriber normally cannot claim absolute ownership over a mobile number.

III. SIM Registration Act and Mandatory Registration

Republic Act No. 11934, known as the SIM Registration Act, requires the registration of SIM cards as a condition for activation or continued use. The law was enacted to address scams, fraud, anonymous criminal activity, and misuse of mobile communications.

Under the SIM Registration Act, subscribers must provide required identifying information. For individuals, this generally includes full name, date of birth, sex, address, type of government-issued identification presented, and identification number. Juridical entities must submit corporate or organizational information and authorized representative details.

The law applies to prepaid and postpaid SIMs, including embedded SIMs and SIMs used for data-only services. Foreign nationals using Philippine SIMs are also subject to registration requirements, with special rules depending on the nature and duration of their stay.

Failure to register within the prescribed period results in deactivation. Once deactivated, the SIM loses access to outgoing and incoming calls, text messages, and mobile data, subject to any restoration rules provided by law, implementing regulations, or telco processes.

IV. Grounds for SIM Deactivation

SIM deactivation may occur for several reasons.

First, non-registration under the SIM Registration Act can lead to deactivation. This was one of the most significant recent mass-deactivation events in Philippine telecommunications history.

Second, prepaid SIMs may be deactivated because of expiration. Telcos impose validity periods for prepaid loads, promos, and SIM activity. A prepaid number that remains inactive for a long period may be disconnected under the telco’s terms.

Third, a postpaid account may be deactivated or disconnected for non-payment, breach of subscription terms, fraud, misuse, or termination of the account.

Fourth, SIMs may be deactivated because of confirmed fraudulent registration, false identity, forged documents, or regulatory enforcement.

Fifth, law enforcement or regulatory authorities may seek restrictions, disclosure, or action in connection with criminal investigations, although such actions must still comply with constitutional, statutory, and procedural safeguards.

Sixth, the subscriber may voluntarily request termination, replacement, blocking, or suspension, especially in cases of loss, theft, unauthorized use, or suspected compromise.

V. Effects of SIM Deactivation

The immediate effect of deactivation is loss of network access. The subscriber may be unable to receive calls, send texts, receive OTPs, access mobile data, or use services linked to the number.

The broader effects can be more serious. A deactivated number may lock the user out of e-wallets, bank accounts, social media accounts, email accounts, government apps, ride-hailing apps, delivery platforms, and workplace systems. If the number is later recycled and assigned to another person, messages intended for the former user may reach the new holder.

This creates risks of identity theft, account takeover, unauthorized access, privacy violations, mistaken debt collection, reputational harm, and financial fraud.

VI. Recycled Numbers: Meaning and Legal Problem

A recycled number is a mobile number that was previously assigned to one subscriber, later deactivated or released, and eventually reassigned to a new subscriber.

Number recycling is common because mobile numbers are finite public telecommunications resources. Without recycling, telcos would eventually exhaust available number ranges. The practice is not inherently illegal. The legal problem arises when the recycling process exposes the former subscriber’s personal data, enables unauthorized access to accounts, causes confusion, or creates harm to the new subscriber.

Recycling becomes especially risky because many digital services treat a mobile number as proof of identity. In reality, possession of a number only proves present control of that number, not ownership of the former user’s identity.

VII. Common Problems Caused by Recycled Numbers

1. OTPs Sent to the New Holder

The most serious problem occurs when banks, e-wallets, apps, or online platforms continue sending OTPs to the recycled number. The new holder may receive verification codes intended for the previous user.

If the new holder uses those OTPs to access the former user’s accounts, this may expose the new holder to civil, criminal, and data privacy liability.

2. Account Recovery Abuse

Some platforms allow password reset or account recovery through mobile number verification. If a former user failed to update account details before losing the number, the new holder may be able to trigger recovery flows.

Platforms that rely solely on SMS verification may contribute to the risk, especially where they do not require additional authentication factors.

3. Misdelivered Private Messages

The new holder may receive personal texts, appointment reminders, medical notifications, work messages, family messages, legal notices, delivery updates, or confidential business communications intended for the former user.

The new holder should not exploit, publish, or misuse those communications.

4. Debt Collection and Harassment

New subscribers sometimes receive collection calls or text messages for the previous number holder. This is common where debtors, borrowers, or users of lending apps registered the old number.

Repeated collection messages to the wrong person may raise issues under data privacy law, consumer protection rules, and debt collection standards.

5. E-Wallet and Banking Lockouts

Former users may be unable to access accounts because OTPs go to the old number. This can cause financial disruption, especially where the mobile number is the primary authentication method.

6. Social Media and Messaging App Confusion

Apps such as messaging platforms and social networks may use phone numbers for discovery, login, and account recovery. A recycled number can cause mistaken identity, unauthorized account recovery, or contact-list confusion.

7. Business and Professional Harm

For professionals, freelancers, sellers, and small businesses, losing a number may mean losing customers, bookings, leads, and business reputation. If the number is reassigned, the new holder may receive business inquiries intended for the previous user.

VIII. Data Privacy Act Implications

Republic Act No. 10173, or the Data Privacy Act of 2012, is central to recycled number issues.

A mobile number is personal information when it can identify an individual or is reasonably linked to an individual. In many cases, a mobile number is associated with a name, account, device, location, transaction history, banking profile, or app identity.

Telcos, banks, e-wallet providers, online platforms, lenders, and merchants may be personal information controllers or personal information processors depending on their role. They are required to process personal data fairly, lawfully, securely, and only for legitimate purposes.

A recycled number issue may become a data privacy concern when an organization continues sending personal data, OTPs, transaction alerts, billing statements, medical notices, loan reminders, or confidential information to a number no longer controlled by the data subject.

The question is whether the organization had reasonable safeguards in place. For example, banks and e-wallet providers may be expected to maintain stronger verification processes because of the sensitivity of financial accounts. A platform that allows account takeover using only a recycled number may face scrutiny if its security design is inadequate.

The former number holder also has responsibilities. Users should update registered mobile numbers, maintain account recovery options, and notify service providers when a number is lost, deactivated, or transferred. However, user negligence does not automatically excuse organizations from implementing reasonable security measures.

IX. Is Receipt of Another Person’s OTP Illegal?

Merely receiving an OTP intended for someone else is usually not, by itself, criminal conduct if the recipient did nothing to cause it and does not misuse it.

The legal risk begins when the recipient uses the OTP, attempts to access the account, impersonates the former user, resets passwords, transfers funds, reads private account data, or shares the code with others.

Depending on the facts, such conduct may implicate the Cybercrime Prevention Act, access device laws, estafa, identity theft, unjust enrichment, data privacy violations, bank fraud rules, or other criminal and civil liabilities.

The safest course for the new number holder is to ignore the OTP, avoid clicking links, avoid account recovery attempts, and notify the sender or platform if repeated sensitive messages are received.

X. Duties of the Former Number Holder

A person who loses access to a number should act quickly.

The former holder should contact the telco to determine whether the SIM can be reactivated, replaced, or recovered. If the SIM was lost or stolen, the subscriber should request blocking or replacement and comply with identity verification requirements.

The person should immediately update the registered mobile number in banks, e-wallets, government apps, email accounts, social media accounts, delivery apps, ride-hailing apps, subscriptions, employer records, insurance accounts, and healthcare portals.

The person should also change passwords and enable stronger authentication methods such as authenticator apps, device-based passkeys, backup email verification, or hardware security keys where available.

For financial accounts, the user should notify the bank or e-wallet provider that the old number is no longer controlled by them. Written notice is advisable. The user should request account protection, temporary restrictions if needed, and removal of the old number from OTP delivery.

If unauthorized transactions occur, the user should immediately report them to the provider, request investigation, preserve evidence, and consider reporting to law enforcement, the National Privacy Commission, the National Telecommunications Commission, or other relevant agencies.

XI. Duties and Risks of the New Number Holder

A new subscriber who receives a recycled number should understand that prior associations with the number may persist.

The new holder should not use OTPs, links, passwords, account recovery prompts, delivery codes, or private information intended for the previous holder. The new holder should not pretend to be the former user, respond as the former user, or access accounts linked to the old identity.

If the new holder receives repeated collection calls, banking alerts, e-wallet notifications, medical messages, or sensitive information, the new holder may inform the sender that the number has been reassigned. For persistent harassment or privacy-invasive messages, the new holder may file complaints with the sender, the lending company, the app operator, the telco, or regulators.

The new holder may also block senders, but blocking alone may not solve serious privacy or harassment problems.

XII. Telco Responsibilities

Telecommunications providers are central actors in SIM deactivation and number recycling.

Telcos must comply with the SIM Registration Act, relevant NTC regulations, consumer protection obligations, and data privacy requirements. They must maintain systems for registration, verification, deactivation, reactivation, number assignment, and customer support.

For recycled numbers, telcos should maintain reasonable cooling-off periods before reassignment, clear subscriber notices, accessible recovery procedures, and secure identity verification for replacement or reactivation requests. They should also provide subscribers with clear information about prepaid validity, inactivity rules, and consequences of non-registration.

Telcos also process large volumes of personal data. Their registration systems, customer databases, and verification mechanisms must comply with the Data Privacy Act. Unauthorized disclosure, weak safeguards, or poor handling of subscriber identity documents may expose telcos to regulatory and legal consequences.

However, telcos are not usually responsible for every third-party app or bank that continues to use an old number. Responsibility may be shared among the former user, the telco, and the third-party service provider, depending on the facts.

XIII. Responsibilities of Banks, E-Wallets, and Online Platforms

Banks, e-wallets, and digital platforms should not treat a mobile number as an infallible identity credential. SMS OTP has known vulnerabilities, including SIM swap, device theft, phishing, malware, social engineering, and number recycling.

Financial institutions and e-money issuers are expected to use appropriate security controls based on risk. These may include multi-factor authentication, device binding, transaction monitoring, cooling periods for number changes, biometric verification, stronger customer support protocols, and alerts through multiple channels.

Where a user reports that a registered number is no longer under their control, the provider should have a clear process for account recovery and number updating. That process should be secure enough to prevent fraud but not so burdensome that legitimate users are permanently locked out.

Platforms that continue to send sensitive personal data to a recycled number after notice may face data privacy issues. Platforms that allow account takeover through recycled numbers may also face consumer protection and negligence claims depending on the circumstances.

XIV. SIM Swap vs. Recycled Number

SIM swap and recycled number issues are related but distinct.

A SIM swap usually involves unauthorized transfer or replacement of a subscriber’s SIM, allowing a fraudster to take over the victim’s mobile number. This often involves social engineering, fake documents, insider collusion, or weak telco verification.

A recycled number, by contrast, involves a number that was deactivated or released and later legitimately reassigned to a new subscriber. The new holder may have no malicious intent.

Both situations can lead to OTP interception and account takeover, but the legal analysis differs. SIM swap cases often focus on fraud, negligence, identity verification failure, and unauthorized access. Recycled number cases focus more on deactivation rules, notice, reassignment practices, user account hygiene, and third-party reliance on outdated contact information.

XV. Consumer Protection Issues

Subscribers may have consumer rights when deactivation is wrongful, unexplained, premature, or contrary to published terms. A telco may be expected to provide clear terms, proper notice where required, fair customer support, and reasonable mechanisms for dispute resolution.

A consumer may complain if a telco deactivates a SIM despite compliance with registration requirements, refuses reasonable assistance, fails to explain the basis for disconnection, or mishandles identity documents.

Consumer protection may also apply to banks, lenders, e-wallet providers, and apps that fail to provide reasonable account recovery or continue sending sensitive information to the wrong person after being informed of the issue.

XVI. Debt Collection Calls to Recycled Numbers

Debt collection calls to recycled numbers are common in the Philippines, especially where online lending apps, financing companies, or creditors rely on phone contacts.

A new number holder is not liable for the previous user’s debt merely because they now hold the recycled number. Debt is personal to the borrower or obligor. The number holder should clearly state that they are not the debtor and that the number has been reassigned.

Repeated calls, threats, shaming, abusive language, disclosure of debt details to third parties, or harassment may violate applicable rules on fair debt collection, privacy, and consumer protection. The affected person may preserve screenshots, call logs, recordings where lawful, names of collectors, company names, and message content for complaint purposes.

Complaints may be directed to the lending company, financing company, app operator, relevant regulator, or privacy authority depending on the nature of the conduct.

XVII. Criminal Law Considerations

Several criminal law issues may arise from recycled number misuse.

Unauthorized access to accounts may constitute a cybercrime. Using OTPs to enter another person’s account, change credentials, obtain personal information, or transfer funds may expose the actor to liability.

Fraudulent use of another person’s identity may trigger identity theft-related provisions under cybercrime and other laws.

Obtaining money, property, or services by pretending to be the former number holder may constitute estafa or other fraud offenses.

Interception, misuse, publication, or unauthorized processing of personal information may lead to data privacy liability.

Threatening or harassing a new number holder over another person’s debt may also create civil, administrative, or criminal exposure depending on the conduct.

XVIII. Civil Liability

Civil liability may arise under contract, quasi-delict, damages, privacy rights, or consumer law.

A former number holder may consider claims if wrongful deactivation caused actual damage, particularly where the telco breached its terms or failed to follow required procedures.

A person whose account was taken over because a provider used weak security may consider claims against the wrongdoer and, in appropriate cases, against the service provider if negligence is established.

A new number holder harassed by collectors or repeatedly sent sensitive personal data may seek remedies against the sender or organization responsible, especially after giving notice that the number has been reassigned.

Civil claims require proof of duty, breach, causation, and damages. In practice, documentary evidence is important: screenshots, emails, tickets, call logs, transaction records, telco notices, account recovery correspondence, and regulator complaint acknowledgments.

XIX. Remedies and Complaint Channels

A person affected by SIM deactivation or recycled number problems may consider several remedies.

For telco-related issues, the subscriber should first file a formal customer service complaint and obtain a reference number. If unresolved, escalation to the National Telecommunications Commission may be appropriate.

For privacy issues, such as misdirected sensitive data, mishandled identity documents, unauthorized processing, or failure to stop sending personal information to the wrong number, a complaint to the National Privacy Commission may be considered.

For banking, e-wallet, or unauthorized transaction issues, the user should immediately contact the provider’s fraud or customer protection channel. Escalation may involve the Bangko Sentral ng Pilipinas or other appropriate regulator depending on the institution.

For cybercrime, account takeover, identity theft, or financial fraud, reports may be made to law enforcement cybercrime units.

For lending harassment, complaints may be brought to the relevant regulator, the company involved, and privacy authorities if personal data misuse is involved.

XX. Evidence to Preserve

Affected individuals should preserve evidence early. Useful evidence includes:

screenshots of OTPs, alerts, collection messages, and account recovery notices;
call logs showing repeated calls;
names, phone numbers, and company names of callers;
emails and customer support ticket numbers;
telco account records and SIM registration confirmation;
proof of identity and proof of prior use of the number;
bank or e-wallet transaction records;
police reports or affidavits, where applicable;
written notices sent to telcos, banks, apps, lenders, or platforms;
responses from providers or regulators.

Evidence should be preserved without unlawfully accessing another person’s account or disclosing another person’s personal information.

XXI. Practical Steps for Former Number Holders

Former users should take the following protective steps:

recover or replace the SIM immediately if possible;
update all important accounts with a new number;
remove the old number from banking, e-wallet, email, and social media accounts;
enable authenticator apps, passkeys, or other non-SMS authentication;
change passwords for accounts linked to the old number;
notify banks and e-wallets in writing;
monitor financial accounts for suspicious activity;
request freezing or enhanced verification if fraud risk is high;
preserve evidence of failed access or unauthorized activity;
file complaints promptly when providers fail to act.

XXII. Practical Steps for New Holders of Recycled Numbers

New number holders should take these precautions:

do not use OTPs or account recovery links intended for others;
do not impersonate the former holder;
inform callers or senders that the number has been reassigned;
block persistent wrong-number senders where appropriate;
report abusive collectors or repeated sensitive messages;
avoid sharing screenshots containing another person’s private information except when needed for a formal complaint;
secure the new SIM under the SIM Registration Act;
be cautious if the number appears linked to suspicious accounts or financial activity;
avoid replying to scam-like messages;
maintain records if harassment or privacy violations continue.

XXIII. Best Practices for Businesses and Professionals

Businesses and professionals who rely on mobile numbers should avoid using a single mobile number as the sole point of customer contact or account recovery.

They should maintain updated contact databases, use official email addresses and websites, notify clients of number changes, secure business messaging accounts, and maintain control of important numbers by ensuring active subscription status.

For businesses using customer mobile numbers, it is advisable to verify numbers periodically, provide opt-out mechanisms, avoid sending excessive personal data through SMS, and respond promptly when informed that a number has been reassigned.

XXIV. Best Practices for Banks, E-Wallets, and Platforms

Institutions should recognize recycled numbers as a foreseeable risk. They should design systems accordingly.

Good practices include multi-factor authentication beyond SMS, device recognition, risk-based verification, delay periods for sensitive changes, alerts to old and new channels, clear account recovery processes, and secure procedures for changing registered numbers.

Platforms should avoid disclosing sensitive information in SMS content. Instead of saying, for example, full transaction details or account balances, messages should minimize personal data and direct users to secure channels.

When notified that a number has been reassigned, organizations should have a process to suppress messages, verify the affected account, and update records.

XXV. The Role of Notice

Notice is legally important. Once an organization is informed that a number no longer belongs to the former user or has been reassigned, the organization’s continued use of that number may become more difficult to justify.

A former user should give written notice to banks, e-wallets, and important platforms. A new holder receiving sensitive messages should also notify the sender where feasible.

Written notice creates a record and helps establish that the organization had actual knowledge of the risk.

XXVI. Is the Telco Liable for Recycled Number Harm?

Telco liability depends on facts.

A telco is not automatically liable simply because a recycled number still receives messages intended for a former user. Many such messages originate from third-party databases outside the telco’s control.

However, liability may be argued if the telco wrongfully deactivated the number, failed to follow applicable rules, negligently reassigned the number contrary to required holding periods or internal safeguards, mishandled SIM registration data, ignored valid recovery requests, or enabled unauthorized SIM replacement through weak verification.

The legal analysis must examine the subscription terms, applicable regulations, notice given, timeline of deactivation, reason for deactivation, evidence of compliance, and actual harm.

XXVII. Is the Former User Liable for Messages Sent to the New Holder?

Usually, the former user is not liable merely because third parties continue sending messages to the old number. However, the former user may create risk if they knowingly keep the number registered in services after losing control of it, especially where this causes harm or confusion.

For sensitive accounts, the former user should update records promptly. Failure to do so may affect disputes with banks or platforms, particularly if the user ignored warnings, failed to maintain recovery information, or delayed reporting unauthorized activity.

XXVIII. Is the New Holder Liable for Accessing Old Accounts?

Yes, the new holder may be liable if they knowingly use the number to access accounts belonging to the previous user.

Receiving a recycled number does not transfer ownership of the former user’s bank accounts, social media profiles, e-wallets, emails, subscriptions, or private communications. Present control of a phone number is not consent to access another person’s accounts.

The new holder should treat misdirected OTPs and messages as accidentally received information, not as permission.

XXIX. Constitutional and Privacy Principles

The Philippine Constitution protects privacy of communication and correspondence, subject to lawful order of the court or public safety and order as prescribed by law. Although recycled number issues often involve private companies and accidental misdelivery rather than government intrusion, constitutional privacy values inform statutory interpretation and policy.

The Data Privacy Act further reinforces principles of transparency, legitimate purpose, proportionality, security, and accountability. Organizations handling phone numbers must process them responsibly because mobile numbers are now powerful identifiers.

XXX. Policy Concerns

Recycled number problems show the weakness of SMS-based identity systems. The law may recognize telco numbers as network identifiers, but society increasingly uses them as identity keys. This mismatch creates legal and practical risk.

Better policy would involve clearer rules on number recycling, minimum cooling-off periods, stronger consumer notice, mandatory suppression mechanisms after reassignment notices, improved inter-industry coordination, and reduced reliance on SMS OTP for high-risk transactions.

Financial institutions, telcos, and digital platforms should treat recycled-number account takeover as a foreseeable harm, not a rare accident.

XXXI. Frequently Asked Questions

1. Can a deactivated SIM be reactivated?

It depends on the reason for deactivation, telco policy, timing, and applicable regulations. Some deactivated SIMs may be restored within a limited period. Others may be permanently released and eventually recycled.

2. Can a person demand the return of a recycled number?

Possibly, but there is no absolute guarantee. If the number has already been reassigned, recovery may be difficult. The result depends on telco policy, regulatory rules, and whether there was wrongful deactivation.

3. Is a recycled number illegal?

No. Number recycling is a normal telecommunications practice. The legal issue is whether recycling was done properly and whether resulting privacy or security risks were mishandled.

4. What should a person do after receiving OTPs for someone else?

Do not use them. Do not access the account. Notify the sender if the messages continue, especially if the sender is a bank, e-wallet, lender, or government-related service.

5. Can debt collectors force the new number holder to pay?

No. A person does not become liable for another person’s debt merely by receiving their old mobile number.

6. Can the new holder use the former user’s social media account if the OTP goes to the recycled number?

No. That may amount to unauthorized access, identity misuse, or other unlawful conduct.

7. Can a bank be liable if it sends OTPs to a recycled number?

It depends. Liability may arise if the bank failed to implement reasonable security, ignored notice, or allowed unauthorized access despite foreseeable risks.

8. Is a mobile number personal information?

Yes, when it identifies or can reasonably be linked to an individual.

XXXII. Conclusion

SIM deactivation and recycled number issues in the Philippines are not merely technical inconveniences. They affect identity, privacy, property, access to financial services, and cybersecurity.

The central legal lesson is that a mobile number should not be treated as permanent proof of identity. A telco may assign and recycle numbers, but organizations that use those numbers for authentication must account for the risk that control of the number can change.

Former number holders must act quickly to update accounts and secure access. New number holders must avoid misusing messages intended for others. Telcos must follow fair, secure, and transparent procedures. Banks, e-wallets, lenders, and online platforms must reduce dependence on SMS-based identity and respond promptly when number reassignment creates risk.

As mobile numbers continue to function as digital identity keys, Philippine law and regulatory practice will likely place increasing emphasis on accountability, privacy protection, and stronger authentication systems.