Unsolicited Online Lending App Messages and Data Privacy Complaints in the Philippines

I. Introduction

The rise of online lending applications in the Philippines has created faster access to credit, especially for borrowers who may not qualify for traditional bank loans. However, it has also produced serious legal issues involving abusive debt collection, unauthorized access to phone contacts, unsolicited messages, harassment, public shaming, and misuse of personal data.

A common complaint is that a person receives threatening, embarrassing, or persistent messages from an online lending app even though the person did not borrow money, did not consent to be contacted, or was merely listed as a phone contact or “reference” by a borrower. In other cases, the borrower receives messages that disclose the loan, accuse the borrower of fraud, threaten legal action, or warn that the lending app will contact relatives, employers, neighbors, or social media connections.

These situations raise issues under Philippine data privacy law, consumer protection law, lending and financing regulations, criminal law, and civil liability principles.

This article discusses unsolicited online lending app messages and data privacy complaints in the Philippine legal context.


II. Nature of the Problem

Online lending app complaints commonly involve the following acts:

  1. Sending collection messages to persons who are not borrowers;
  2. Contacting a borrower’s phone contacts without valid consent;
  3. Accessing a borrower’s contact list, photos, messages, call logs, or social media accounts;
  4. Sending defamatory or humiliating messages to relatives, friends, employers, or co-workers;
  5. Threatening criminal prosecution for non-payment of a loan;
  6. Publishing or threatening to publish the borrower’s identity as a scammer, thief, or fraudster;
  7. Using abusive, profane, or intimidating language;
  8. Sending repeated calls or messages at unreasonable hours;
  9. Misrepresenting that a court case, warrant, barangay blotter, police complaint, or National Bureau of Investigation case has already been filed;
  10. Pretending to be a lawyer, police officer, prosecutor, or government official;
  11. Sending messages despite the recipient’s clear objection;
  12. Processing personal information without lawful basis.

These acts may be unlawful depending on the facts, the nature of the data collected, the existence or absence of consent, the wording of the messages, the recipient, and the conduct of the lending company or its collection agents.


III. Legal Framework

Several Philippine laws and regulatory principles may apply.

A. Data Privacy Act of 2012

Republic Act No. 10173, or the Data Privacy Act of 2012, governs the collection, use, storage, disclosure, and other processing of personal information and sensitive personal information.

Online lending apps and their operators are generally considered personal information controllers or personal information processors when they collect and use borrower data, contact lists, identification documents, phone numbers, addresses, employment details, and other personal information.

The law requires that personal data processing must be lawful, fair, transparent, proportionate, and limited to legitimate purposes.

B. Implementing Rules and NPC Issuances

The National Privacy Commission, or NPC, enforces the Data Privacy Act. It has issued rules, circulars, advisories, and decisions concerning privacy rights, complaints, security incidents, and abusive online lending practices.

The NPC has repeatedly emphasized that access to a borrower’s phone contacts, unnecessary permissions, and public shaming may violate data privacy principles.

C. Lending Company and Financing Company Regulations

Online lending companies may fall under regulations governing lending companies, financing companies, and online lending platforms. The Securities and Exchange Commission, or SEC, regulates lending and financing entities and may act against abusive, deceptive, unfair, or unlawful collection practices.

A lending app may face regulatory consequences if it operates without proper registration, uses an unregistered online lending platform, violates disclosure requirements, or employs unfair debt collection methods.

D. Financial Consumer Protection Principles

Borrowers and financial consumers are entitled to fair treatment, transparency, responsible lending, proper disclosure, and protection against abusive practices.

Even when a debt is valid, collection must still be lawful. A creditor’s right to collect does not include the right to harass, shame, threaten, deceive, or misuse personal data.

E. Civil Code

The Civil Code may apply where a person suffers damage due to unlawful, abusive, negligent, or bad-faith acts. Depending on the facts, a victim may claim damages for violation of rights, defamation, invasion of privacy, abuse of rights, or intentional infliction of harm.

F. Revised Penal Code and Special Penal Laws

Certain conduct may also amount to criminal offenses, such as grave threats, light threats, unjust vexation, slander by deed, libel, cyberlibel, coercion, identity misuse, or other offenses depending on the content and medium of the communication.


IV. Personal Information Involved in Online Lending Apps

Online lending apps commonly process personal information such as:

  • Full name;
  • Mobile number;
  • Email address;
  • Home address;
  • Employment details;
  • Government ID;
  • Selfie or facial image;
  • Bank account or e-wallet information;
  • Device information;
  • IP address;
  • Location data;
  • Contact list;
  • References;
  • Loan amount;
  • Repayment history;
  • Credit score or internal risk profile;
  • Messages and communication logs.

Some of this information may be sensitive, confidential, or high-risk. Even ordinary personal information, such as a name and phone number, is protected under the Data Privacy Act when it identifies or can identify a person.


V. Consent and Lawful Basis

A common misconception is that a lending app may do anything once the borrower clicks “I agree.” That is incorrect.

Consent must be informed, specific, freely given, and evidenced. It must also be limited to legitimate and declared purposes. A vague or hidden permission allowing access to all phone contacts does not automatically justify harassment or mass messaging.

Under Philippine data privacy law, consent is only one lawful basis for processing. Other lawful bases may include contract, legal obligation, legitimate interest, vital interest, and other grounds recognized by law. However, even if a lawful basis exists, processing must still comply with proportionality, transparency, and fairness.

A lending app cannot rely on consent to justify excessive, abusive, deceptive, or unnecessary data processing.


VI. The Principle of Proportionality

The proportionality principle means that the personal data collected and used must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared purpose.

For online lending apps, this principle is crucial.

A lender may need certain borrower information to evaluate a loan application, verify identity, prevent fraud, and collect a debt. However, it does not follow that the app may access the borrower’s entire contact list, message non-borrowers, shame the borrower, or disclose the debt to third parties.

Collection of debt is a legitimate purpose, but public humiliation is not.


VII. Unsolicited Messages to Non-Borrowers

A person who receives a collection message from a lending app despite not being the borrower may have a valid complaint.

This usually happens when:

  1. The recipient was listed as a reference;
  2. The recipient is in the borrower’s phone contacts;
  3. The borrower’s phonebook was uploaded to the lending app;
  4. The lending app used automated scraping or syncing;
  5. The recipient’s number was obtained from a previous transaction, marketing database, or third-party source.

A non-borrower generally has no obligation to pay another person’s debt unless that person legally acted as a co-maker, guarantor, surety, or otherwise assumed liability. Merely being a contact, relative, friend, co-worker, or reference does not make a person liable for the loan.

A lending app that repeatedly messages a non-borrower may be processing that person’s personal information without lawful basis. If the message discloses another person’s loan, it may also violate the borrower’s privacy.


VIII. References Are Not Automatically Guarantors

Many lending apps require borrowers to provide “references.” A reference is usually a person who may verify identity, residence, or employment. A reference is not automatically liable for the loan.

To be liable as a guarantor, surety, co-maker, or co-borrower, there must be a clear legal undertaking. The person must have consented to that obligation. Liability cannot be imposed merely because a borrower typed someone’s name or number in an app.

Therefore, a collection message saying “You are responsible for this loan because you are listed as a reference” may be misleading unless there is a valid contract showing that the recipient accepted such responsibility.


IX. Unauthorized Access to Contacts

One of the most serious issues in online lending app complaints is access to phone contacts.

A lending app may request permission to access contacts, but that access must still be lawful and proportionate. The fact that a phone operating system grants an app a permission does not automatically mean that the resulting processing of personal data is legal.

Key questions include:

  1. Was the borrower clearly informed that contacts would be accessed?
  2. Was the purpose explained?
  3. Was access necessary for the loan?
  4. Were all contacts collected, or only specific references?
  5. Were contacts stored on the lender’s server?
  6. Were contacts used for collection?
  7. Were contacts messaged without their consent?
  8. Was the borrower forced to grant access as a condition for using the app?
  9. Could the same purpose have been achieved through less intrusive means?

Mass harvesting of contacts is highly problematic because it affects people who never dealt with the lending app.


X. Disclosure of Debt to Third Parties

A borrower’s loan information is personal information. Disclosing it to third parties without lawful basis may violate privacy rights.

Examples of improper disclosure include messages such as:

  • “Your friend Juan is a delinquent borrower.”
  • “Maria refuses to pay her loan.”
  • “Please tell your employee Carlo to settle his debt.”
  • “This person is a scammer and must be reported.”
  • “Your relative borrowed money and used you as a reference.”
  • “We will post this borrower online if payment is not made.”

Even if the borrower owes money, the lender must collect through lawful means. The existence of a debt does not authorize public exposure.


XI. Harassment and Abusive Collection Practices

Collection becomes legally problematic when it involves harassment, intimidation, deception, or abuse.

Examples include:

  1. Repeated calls or messages intended to annoy or intimidate;
  2. Threats to shame the borrower online;
  3. Threats to contact all phone contacts;
  4. Threats to report the borrower to the employer without legal basis;
  5. Threats of immediate arrest for non-payment;
  6. Use of obscene, insulting, or degrading language;
  7. False claims that a criminal case has already been filed;
  8. False claims that a warrant of arrest will be issued;
  9. Impersonation of law enforcement or court personnel;
  10. Use of fake legal documents;
  11. Messages sent to minors, elderly relatives, or unrelated third parties;
  12. Group chats created to shame the borrower.

Such conduct may support complaints before regulators and may also create civil or criminal liability.


XII. Non-Payment of Debt Is Generally Not Automatically a Crime

A loan is generally a civil obligation. Failure to pay a loan, by itself, is not automatically a criminal offense.

A criminal case may arise if there is fraud, falsification, identity theft, use of fake documents, or other criminal conduct. Ordinary inability or failure to pay a debt, however, is usually handled through civil collection.

Therefore, statements like “You will be arrested today if you do not pay” or “The police are coming to your house because you did not pay” may be misleading or abusive if there is no valid legal basis.

A lender may file a civil action for collection if the debt is valid, but it must not use false threats to pressure payment.


XIII. Data Subject Rights

Under the Data Privacy Act, a data subject has rights over personal information. These include:

  1. Right to be informed. The person has the right to know how their data is collected, used, stored, shared, and protected.

  2. Right to object. The person may object to certain processing, especially where processing is based on consent or legitimate interest.

  3. Right to access. The person may request information on what personal data is held about them and how it is being processed.

  4. Right to rectification. Incorrect or outdated personal data may be corrected.

  5. Right to erasure or blocking. A person may request deletion, blocking, or removal of personal data in appropriate cases.

  6. Right to damages. A person may seek compensation for damages caused by inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.

  7. Right to data portability. In certain circumstances, the person may obtain a copy of personal data in a structured format.

These rights may be exercised against a lending app, lending company, collection agency, or other personal information controller.


XIV. Complaint Before the National Privacy Commission

A person may file a complaint with the National Privacy Commission for violations of the Data Privacy Act.

A complaint may be appropriate where:

  • The lending app accessed contacts without proper consent;
  • The app sent messages to non-borrowers;
  • The app disclosed loan information to third parties;
  • The app used personal information for harassment;
  • The app failed to provide a privacy notice;
  • The app refused to respond to data subject requests;
  • The app retained personal data without lawful basis;
  • The app shared information with collection agents or third parties without proper controls;
  • The app used personal data beyond the declared purpose.

Before or during a complaint, the complainant should gather evidence.


XV. Evidence to Preserve

A complainant should preserve:

  1. Screenshots of messages;
  2. Phone numbers used by collectors;
  3. Date and time of calls or messages;
  4. Call logs;
  5. Names used by collectors;
  6. App name and company name;
  7. Privacy policy screenshots;
  8. App permission screenshots;
  9. Loan agreement or terms and conditions;
  10. Proof that the recipient is not a borrower;
  11. Messages sent to family, friends, employers, or co-workers;
  12. Group chats or social media posts;
  13. Proof of payment, if relevant;
  14. Emails or demand letters;
  15. Copies of complaints already sent to the company.

Screenshots should show the full phone number, message content, date, and time whenever possible. It is better to preserve the original messages and not merely copy the text.


XVI. Complaint Before the SEC

The Securities and Exchange Commission may be relevant where the online lending app is operated by a lending company or financing company.

A complaint to the SEC may involve:

  • Unregistered lending operations;
  • Use of an unregistered online lending platform;
  • Abusive debt collection;
  • Misleading loan terms;
  • Excessive charges or unclear fees;
  • Failure to disclose interest and penalties;
  • Harassment by collection agents;
  • Threats, insults, or public shaming;
  • Use of unfair or abusive practices.

The SEC may suspend, revoke, penalize, or otherwise act against companies that violate lending and financing regulations.


XVII. Complaint to Other Agencies

Depending on the facts, a complainant may also consider:

A. Bangko Sentral ng Pilipinas

If the entity is a bank, financing company supervised by the BSP, e-money issuer, payment provider, or other BSP-supervised financial institution, consumer assistance may be available through BSP channels.

B. Department of Trade and Industry

If consumer protection issues are involved, particularly deceptive or unfair practices, the DTI may be relevant, depending on the entity and transaction.

C. Philippine National Police or National Bureau of Investigation

If messages involve threats, cyberlibel, identity theft, hacking, extortion, or other cybercrime-related conduct, law enforcement may be approached.

D. Prosecutor’s Office

A complainant may file a criminal complaint if the facts support a criminal offense.

E. Barangay

Barangay conciliation may apply in some disputes between individuals in the same city or municipality. However, complaints against corporations, cybercrime issues, or regulatory matters may require other forums.


XVIII. Possible Criminal Issues

Depending on the content of the messages and conduct of the collectors, the following criminal issues may arise:

A. Grave Threats or Light Threats

If the collector threatens harm to person, honor, property, or rights, the conduct may be examined under laws on threats.

B. Unjust Vexation

Repeated annoying, harassing, or oppressive messages may potentially support an unjust vexation complaint, depending on circumstances.

C. Coercion

If the collector uses intimidation or force to compel payment or action in a manner prohibited by law, coercion may be considered.

D. Cyberlibel

If false and defamatory statements are made online, through social media, group chats, or electronic communications, cyberlibel may be an issue.

E. Identity Theft or Misuse

If the app or collector uses another person’s identity, fake profiles, or unauthorized personal information, other offenses may arise.

F. Estafa or Fraud Issues

The lender may threaten estafa, but non-payment alone is not automatically estafa. There must be deceit or fraud at the time of the transaction or other legally relevant facts.

G. Usurpation or Misrepresentation

A collector who falsely pretends to be a police officer, lawyer, court sheriff, prosecutor, or government official may create separate legal exposure.


XIX. Civil Liability

A victim may consider civil claims for damages when unlawful conduct causes injury.

Possible bases include:

  1. Abuse of rights;
  2. Violation of privacy;
  3. Defamation;
  4. Intentional infliction of emotional distress under analogous civil law principles;
  5. Negligence in handling personal data;
  6. Breach of contract;
  7. Bad faith;
  8. Violation of statutory rights.

Recoverable damages may include actual damages, moral damages, exemplary damages, attorney’s fees, and litigation expenses, depending on proof and applicable law.


XX. Employer Contact and Workplace Harassment

A frequent complaint is that collectors contact the borrower’s employer or co-workers. This may be unlawful if the purpose is to shame, pressure, or embarrass the borrower.

A lender may have a legitimate reason to verify employment during application, but contacting an employer for harassment or debt shaming is different.

Messages to employers may also create employment consequences for the borrower. If the disclosure is unauthorized or defamatory, it may aggravate the lender’s liability.

Borrowers should preserve proof of workplace messages, including screenshots from co-workers or HR personnel.


XXI. Social Media Shaming

Some online lending collectors threaten to post the borrower’s face, ID, or name online. Others create posts labeling the borrower as a scammer, thief, or criminal.

This may involve:

  • Unauthorized disclosure of personal information;
  • Defamation;
  • Cyberlibel;
  • Harassment;
  • Unfair debt collection;
  • Violation of privacy rights.

Debt collection through public humiliation is legally dangerous. A valid debt does not give a lender the right to destroy a borrower’s reputation.


XXII. Use of Borrower’s Photo or Government ID

Borrowers often submit selfies and government IDs during loan application. These are personal data and may also be sensitive or high-risk information.

The lender may use them for identity verification, but not for public posting, threats, memes, group chats, or humiliation.

Posting a borrower’s ID may expose the borrower to identity theft and may aggravate the privacy violation.


XXIII. Messages to Family Members

Collectors sometimes message spouses, parents, siblings, children, or relatives. The legality depends on the content, purpose, consent, and relationship.

A relative is not liable for the debt unless they legally agreed to be liable. A collector may not disclose the borrower’s debt to relatives simply to create pressure.

Messages to elderly parents, children, or unrelated relatives may be especially abusive if they contain threats or humiliating statements.


XXIV. Borrower’s Obligations Remain

A privacy violation does not automatically erase a valid loan. If the borrower truly received money under a valid loan agreement, the borrower may still have a civil obligation to repay the principal and lawful charges.

However, the lender must collect lawfully. The borrower may dispute illegal interest, hidden charges, unauthorized penalties, or abusive collection methods.

Thus, two issues may exist at the same time:

  1. The borrower’s obligation to pay a valid debt; and
  2. The lender’s liability for unlawful data processing or abusive collection.

One does not automatically cancel the other.


XXV. Unfair Loan Terms and Excessive Charges

Online lending app disputes often involve not only harassment but also unclear or excessive charges.

Common issues include:

  • Very short repayment periods;
  • High service fees deducted upfront;
  • Interest not clearly disclosed;
  • Penalties that rapidly increase the balance;
  • Threats based on inflated amounts;
  • Different amounts in the app, text messages, and collector demands;
  • Lack of proper loan documents.

Borrowers should request a full statement of account and loan computation. A lender should be able to explain principal, interest, service fee, penalty, payment history, and outstanding balance.


XXVI. Demand to Stop Processing Personal Data

A borrower or non-borrower may send a written request to the lending app or company to stop unlawful processing of personal information.

The request may include:

  1. Identification of the complainant;
  2. Description of the unsolicited or abusive messages;
  3. Demand to stop contacting non-borrowers;
  4. Demand to stop disclosing loan information to third parties;
  5. Request for access to personal data held by the company;
  6. Request for deletion or blocking of unlawfully processed data;
  7. Request for the source of the complainant’s personal information;
  8. Demand for preservation of records;
  9. Warning that regulatory complaints may be filed.

The request should be firm, factual, and documented.


XXVII. Sample Data Privacy Demand Letter

A complainant may use a letter similar to the following:

Subject: Demand to Cease Unauthorized Processing of Personal Information

To whom it may concern:

I am receiving calls and messages from your company or your collection agents concerning a loan account that is not my obligation / concerning a loan account in which you have disclosed my personal information and loan details to third parties.

I did not consent to the use of my mobile number for harassment, debt collection against another person, public shaming, or disclosure of private loan information. I demand that you immediately stop processing my personal information for unlawful, excessive, unauthorized, or abusive purposes.

Please provide the following:

  1. The source of my personal information;
  2. The purpose for which my information is being processed;
  3. The legal basis for such processing;
  4. The identity of all persons or entities to whom my information was disclosed;
  5. A copy of all personal information you hold about me;
  6. Confirmation that my information has been deleted, blocked, or removed from collection contact lists, unless you can show a lawful basis for continued retention.

You are further directed to preserve all records, messages, call logs, internal notes, collection instructions, and system logs relating to this matter.

Failure to comply may result in complaints before the National Privacy Commission, Securities and Exchange Commission, and other appropriate authorities.

Sincerely, [Name]


XXVIII. How to File a Data Privacy Complaint

A complainant should generally prepare:

  1. A written complaint or affidavit;
  2. Full name and contact details of the complainant;
  3. Name of the lending app or company;
  4. Screenshots and call logs;
  5. Explanation of how personal data was misused;
  6. Proof that the complainant objected or requested action, if available;
  7. Evidence of harm, embarrassment, distress, or damage;
  8. Copies of messages sent to third parties;
  9. Identification of responsible persons, if known.

The complaint should clearly explain:

  • What personal data was processed;
  • How the complainant learned of the processing;
  • Why the processing was unauthorized or excessive;
  • Who received the data;
  • What harm resulted;
  • What relief is requested.

XXIX. Reliefs That May Be Requested

In a data privacy or regulatory complaint, a complainant may request:

  1. Cessation of unlawful processing;
  2. Deletion or blocking of personal data;
  3. Disclosure of the source of personal data;
  4. Identification of recipients of the data;
  5. Correction of records;
  6. Investigation of the lending app;
  7. Sanctions or penalties;
  8. Damages, where proper;
  9. Orders to stop contacting third parties;
  10. Confirmation that collection agents have been instructed to comply.

The available relief depends on the forum and the facts.


XXX. Liability of Collection Agencies

A lending company may use a third-party collection agency. This does not automatically free the lender from responsibility.

If the collection agency processes personal information on behalf of the lender, the lender may still be accountable for ensuring lawful processing. The collection agency may also be directly liable for its own unlawful conduct.

A proper arrangement should define:

  • Authorized purposes;
  • Data security obligations;
  • Confidentiality;
  • Limits on contacting third parties;
  • Prohibition on harassment;
  • Return or deletion of data;
  • Accountability for violations.

A lender cannot simply blame a collection agent if the abusive conduct resulted from its own system, instructions, data sharing, or failure to supervise.


XXXI. Liability of App Operators, Directors, Officers, and Agents

Depending on the facts and applicable laws, liability may attach to:

  1. The lending company;
  2. The financing company;
  3. The online lending platform operator;
  4. The collection agency;
  5. Individual collectors;
  6. Officers who authorized unlawful practices;
  7. Data protection officer or compliance personnel, where legally relevant;
  8. Third-party processors;
  9. App developers or service providers, if involved in unlawful processing.

The exact liability depends on participation, control, negligence, intent, and statutory obligations.


XXXII. Data Protection Officer

Covered entities are expected to have privacy governance mechanisms, including a data protection officer or responsible compliance person.

A complainant may ask for the contact details of the company’s data protection officer or privacy contact. The company should have a privacy notice explaining how data subjects may exercise their rights.

Failure to provide a meaningful privacy contact may indicate poor compliance.


XXXIII. Privacy Notice and App Permissions

A lawful lending app should have a clear privacy notice explaining:

  • What data is collected;
  • Why it is collected;
  • Whether contacts are accessed;
  • Whether data is shared with collection agencies;
  • How long data is retained;
  • How data subjects can exercise their rights;
  • Who to contact for privacy concerns;
  • Whether data is transferred to third parties or outside the Philippines;
  • Security measures in place.

The app should not hide important privacy terms in vague, confusing, or misleading language.

Permissions should also be limited. If a lending app asks for access to contacts, camera, location, storage, microphone, SMS, and call logs, the user should question whether such permissions are necessary.


XXXIV. Data Retention

A lending app may retain certain data for legitimate business, legal, accounting, anti-fraud, or regulatory purposes. However, retention must not be indefinite without justification.

Data should be retained only as long as necessary for lawful purposes. Once the purpose has ended, the data should be deleted, anonymized, blocked, or securely archived according to law and policy.

For non-borrowers whose data was obtained merely from contact lists, continued retention may be difficult to justify if there is no lawful basis.


XXXV. Security of Personal Data

Online lending apps must protect personal data from unauthorized access, misuse, disclosure, alteration, and destruction.

Security obligations may include:

  • Access controls;
  • Encryption;
  • Authentication;
  • Audit logs;
  • Employee training;
  • Confidentiality obligations;
  • Vendor controls;
  • Incident response procedures;
  • Secure deletion;
  • Limits on collector access;
  • Monitoring of abusive behavior.

A data breach may occur if personal data is accessed, used, or disclosed in a way that compromises confidentiality, integrity, or availability.


XXXVI. Automated Decision-Making and Credit Scoring

Some lending apps use automated systems to evaluate borrowers. They may analyze device data, behavioral patterns, payment history, application details, and other indicators.

Automated credit scoring must still comply with transparency, fairness, and proportionality. A borrower may question how data was used if the app relies on intrusive or irrelevant information.

The use of contact lists for credit scoring is especially sensitive because it processes information about people who are not applicants.


XXXVII. Marketing Messages

Unsolicited online lending messages may also take the form of marketing, such as loan offers, promo codes, or repeated invitations to borrow.

Marketing messages should have a lawful basis. Where consent is required, the recipient should be able to opt out. Sending repeated promotional messages after objection may support a privacy or consumer complaint.

If a person never downloaded the app or never gave a number to the company, the person may ask where the company obtained the number.


XXXVIII. Spam, Smishing, and Scam Lending Messages

Not all unsolicited lending messages come from legitimate lenders. Some may be scams, phishing attempts, or identity theft schemes.

Warning signs include:

  • Unknown shortened links;
  • Requests for upfront processing fees;
  • Requests for OTPs or passwords;
  • Fake app download links;
  • Threats despite no actual loan;
  • No company name or address;
  • Use of personal numbers only;
  • Fake government or court references;
  • Requests to send money to personal e-wallet accounts.

Recipients should avoid clicking suspicious links or providing personal data in response to unsolicited messages.


XXXIX. Borrower Strategy When There Is a Valid Loan

A borrower who has a valid unpaid loan but is being harassed should consider the following:

  1. Do not ignore lawful notices, but do not tolerate abuse;
  2. Ask for a written statement of account;
  3. Communicate through documented channels;
  4. Pay only through official payment channels;
  5. Do not send payment to personal accounts unless verified;
  6. Preserve all abusive messages;
  7. Demand that third-party contact stop;
  8. Negotiate in writing if settlement is possible;
  9. File complaints for unlawful collection practices;
  10. Avoid admitting inflated or disputed charges without review.

A borrower should separate the legitimate debt issue from the illegal collection issue.


XL. Non-Borrower Strategy

A non-borrower who receives collection messages should:

  1. State clearly that they are not the borrower;
  2. State that they did not consent to be contacted for debt collection;
  3. Demand deletion or blocking of their number;
  4. Ask for the source of their personal data;
  5. Avoid paying another person’s debt unless legally obligated;
  6. Preserve screenshots and call logs;
  7. Block numbers if necessary, but preserve evidence first;
  8. File a complaint if messages continue.

A non-borrower should not be pressured into paying merely because their number appears in someone else’s contact list.


XLI. Sample Reply to an Unsolicited Collection Message

A recipient may send a reply like this:

I am not the borrower, co-maker, guarantor, or surety for the loan you are collecting. I did not consent to the use of my mobile number for debt collection or harassment. Stop contacting me and delete or block my personal information unless you can show a lawful basis for processing it. Please provide the source of my number, the legal basis for your processing, and the name of your company and data protection officer. Continued messages will be documented for complaints before the proper authorities.

This message should be sent only if safe and appropriate. In some situations, it may be better to preserve evidence and complain directly.


XLII. What Not to Do

A complainant should avoid:

  1. Deleting evidence;
  2. Responding with threats or insults;
  3. Posting the collector’s personal information online;
  4. Sending money to unverified accounts;
  5. Clicking suspicious links;
  6. Giving OTPs, passwords, or IDs to unknown collectors;
  7. Admitting liability for another person’s debt;
  8. Signing settlement terms without reading them;
  9. Ignoring official court papers if a real case is filed;
  10. Assuming all threats are fake without checking.

Even when collectors act unlawfully, the complainant should remain factual and preserve legal remedies.


XLIII. Difference Between Legitimate Collection and Harassment

A lender may lawfully remind a borrower of payment, send a demand letter, provide account details, and file a proper legal action. It may also use lawful collection agents.

However, collection becomes improper when it involves:

  • False statements;
  • Threats without legal basis;
  • Disclosure to unrelated third parties;
  • Public shaming;
  • Excessive or repeated contact;
  • Use of obscene language;
  • Misuse of personal data;
  • Contacting non-borrowers as pressure tactics;
  • Unauthorized access to phone data.

The law allows collection. It does not allow abuse.


XLIV. Jurisdiction and Venue Issues

Online lending transactions often involve apps, remote borrowers, collectors in different cities, and digital communications.

For regulatory complaints, the appropriate agency depends on the nature of the violation. For criminal complaints, venue may turn on where the message was sent, received, accessed, or published, or where damage occurred, depending on the offense and procedural rules.

For civil actions, venue may depend on the residence of parties, contract stipulations, or rules of court.

Because digital evidence and jurisdiction can be complex, serious cases may require legal assistance.


XLV. Digital Evidence Considerations

Digital evidence must be preserved carefully.

Useful practices include:

  1. Keep the original phone messages;
  2. Export chats where possible;
  3. Take screenshots showing date, time, sender, and full content;
  4. Record call logs;
  5. Save voicemail or call recordings only in a manner consistent with law;
  6. Keep email headers if emails are involved;
  7. Preserve URLs and profile links;
  8. Identify whether messages were sent by SMS, Viber, Messenger, WhatsApp, Telegram, email, or app notification;
  9. Ask third-party recipients to preserve messages they received;
  10. Prepare a chronological timeline.

Digital evidence should not be edited in a way that raises authenticity issues.
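One way to support the practices above is to fingerprint each preserved file at collection time and derive the timeline from recorded receipt times. The following is an added example, not part of the original article: it builds a SHA-256 manifest in chronological order and later reports any file that has been altered or removed. File names, senders, timestamps, and field names are constructed for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(evidence_dir, records):
    """Hash each preserved file and return entries in chronological order."""
    rows = []
    for rec in records:
        when = datetime.fromisoformat(rec["received"])
        if when.tzinfo is None:
            raise ValueError(f"{rec['file']}: timestamp needs a UTC offset")
        when = when.astimezone(timezone.utc)
        rows.append((when, {
            "file": rec["file"],
            "sha256": sha256_file(Path(evidence_dir) / rec["file"]),
            "channel": rec["channel"],
            "sender": rec["sender"],
            "received_utc": when.isoformat(),
        }))
    return [entry for _, entry in sorted(rows, key=lambda row: row[0])]

def verify_manifest(evidence_dir, manifest):
    """Return files that are missing or no longer match their recorded hash."""
    changed = []
    for entry in manifest:
        path = Path(evidence_dir) / entry["file"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            changed.append(entry["file"])
    return changed

def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for an exported chat and a screenshot.
        Path(d, "viber_export.txt").write_bytes(b"constructed chat export")
        Path(d, "sms_0001.png").write_bytes(b"constructed screenshot bytes")
        records = [
            {"file": "viber_export.txt", "channel": "viber",
             "sender": "+63-900-000-0002", "received": "2024-03-02T09:15:00+08:00"},
            {"file": "sms_0001.png", "channel": "sms",
             "sender": "+63-900-000-0001", "received": "2024-03-01T22:40:00+08:00"},
        ]
        manifest = build_manifest(d, records)
        intact = verify_manifest(d, manifest)
        Path(d, "sms_0001.png").write_bytes(b"cropped copy")  # simulated edit
        return manifest, intact, verify_manifest(d, manifest)
```

Cropped or annotated copies made for a complaint should be saved under new file names so the hashed originals stay untouched.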


XLVI. Data Privacy Complaint vs. Cybercrime Complaint

A data privacy complaint focuses on unlawful processing of personal data. A cybercrime complaint focuses on criminal acts committed through information and communications technology.

The same facts may support both.

Example: A collector posts a borrower’s photo online and labels the borrower a scammer. This may involve unauthorized disclosure of personal data and possible cyberlibel.

Example: A lending app accesses contacts and sends messages to all relatives. This may involve privacy violations and abusive collection.

Choosing the right forum depends on the remedy sought: stopping processing, regulatory sanctions, damages, or criminal prosecution.


XLVII. Settlement and Compromise

Some disputes may be settled, especially where the borrower acknowledges a valid debt and the lender agrees to stop abusive collection.

A settlement should be in writing and should state:

  1. Correct outstanding amount;
  2. Payment schedule;
  3. Waiver or reduction of penalties, if agreed;
  4. Official payment channels;
  5. Commitment to stop contacting third parties;
  6. Commitment to delete or restrict unnecessary personal data;
  7. Non-disparagement or confidentiality terms, if appropriate;
  8. Full release after payment;
  9. Issuance of certificate of full payment.

A borrower should avoid vague settlements that do not clearly resolve the account.


XLVIII. Remedies Against Fake or Unregistered Lending Apps

If the lending app is fake, unregistered, or cannot be identified, remedies become harder but not impossible.

The complainant may:

  • Preserve all evidence;
  • Report the app listing to the platform;
  • Report the number to the telecom provider;
  • Report suspicious links;
  • File a cybercrime complaint if fraud or threats are involved;
  • Warn contacts privately without reposting defamatory content;
  • Avoid paying to personal accounts;
  • Monitor identity theft risks.

A fake lending app may be part of a broader scam operation.


XLIX. Role of App Stores and Platforms

App stores, payment platforms, messaging platforms, and social media companies may become relevant when a lending app uses their services.

A complainant may report:

  • Malicious apps;
  • Fake profiles;
  • Harassing accounts;
  • Posts containing personal data;
  • Scam links;
  • Impersonation;
  • Unauthorized use of photos or IDs.

Platform reports do not replace legal complaints, but they may help stop ongoing harm.


L. Preventive Measures for Borrowers

Before using an online lending app, borrowers should:

  1. Verify the company’s registration and authority;
  2. Read the privacy policy;
  3. Check app permissions;
  4. Avoid apps requiring unnecessary access to contacts;
  5. Avoid providing false references;
  6. Understand interest, fees, penalties, and due dates;
  7. Save loan documents;
  8. Use official payment channels;
  9. Avoid apps with reports of harassment;
  10. Borrow only amounts they can realistically repay.

A borrower should be especially cautious if the app requires access to contacts as a condition for a small short-term loan.


LI. Preventive Measures for Non-Borrowers

Non-borrowers can reduce risk by:

  • Avoiding posting phone numbers publicly;
  • Being cautious with forms and promos;
  • Asking friends or relatives not to list them as references without permission;
  • Not responding to suspicious loan links;
  • Blocking and reporting spam;
  • Preserving evidence of harassment;
  • Exercising data subject rights when contacted.

However, non-borrowers cannot fully prevent being listed in someone else’s phone contacts. The law places responsibility on companies to process data lawfully.


LII. Corporate Compliance for Online Lenders

A lawful online lender should implement:

  1. Proper registration and regulatory compliance;
  2. Clear loan terms;
  3. Fair collection policies;
  4. Privacy-by-design app architecture;
  5. Limited data collection;
  6. No unnecessary contact-list harvesting;
  7. Clear privacy notices;
  8. Valid consent mechanisms;
  9. Data subject rights procedures;
  10. Collector training;
  11. Vendor and agency controls;
  12. Audit logs;
  13. Complaint handling procedures;
  14. Data retention and deletion policies;
  15. Security safeguards;
  16. Sanctions for abusive collectors.

Compliance should be built into the lending system, not treated as an afterthought.


LIII. Common Defenses of Lending Apps

A lending app may argue:

  1. The borrower consented to the privacy policy;
  2. Contact access was needed for fraud prevention;
  3. The recipient was listed as a reference;
  4. The messages were sent by a third-party collection agency;
  5. The debt was valid and overdue;
  6. The app disclosed data only for collection;
  7. The complainant suffered no actual damage.

These defenses are not always sufficient. Consent may be invalid or excessive. A reference is not automatically liable. A collection agency’s acts may still be attributable to the lender. A valid debt does not justify public shaming or unlawful data processing.


LIV. Key Legal Principles

The following principles summarize the law:

  1. A valid debt may be collected, but only by lawful means.
  2. Personal data may be processed only with lawful basis.
  3. Processing must be fair, transparent, and proportionate.
  4. Consent is not a blank check.
  5. A phone contact is not automatically a debtor.
  6. A reference is not automatically a guarantor.
  7. Non-payment of debt is not automatically a crime.
  8. Public shaming is not legitimate debt collection.
  9. Disclosure of debt to third parties may violate privacy rights.
  10. Lending companies may be liable for their collectors.
  11. Borrowers may owe money and still be victims of unlawful collection.
  12. Non-borrowers may complain when their data is used without basis.


LV. Conclusion

Unsolicited online lending app messages raise serious legal concerns in the Philippines. They may involve unlawful processing of personal data, abusive debt collection, unauthorized disclosure of loan information, harassment, defamation, and regulatory violations.

A person who receives such messages should preserve evidence, identify the lending app or company, assert data subject rights, demand cessation of unlawful processing, and consider complaints before the National Privacy Commission, Securities and Exchange Commission, law enforcement, or other appropriate bodies.

For borrowers, the existence of a valid debt does not strip them of privacy and dignity. For non-borrowers, being listed as a contact or reference does not automatically create liability. For lenders, digital convenience does not excuse unlawful collection practices.

The proper balance is clear: online lending may be legitimate, but collection must remain lawful, fair, proportionate, and respectful of data privacy rights.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.