An online lending app cannot legally shame you, post your debt, message your phone contacts, or tell your family, friends, co-workers, or employer that you owe money just to pressure you to pay. In the Philippines, this may be a data privacy violation, an unfair debt collection practice, and in serious cases, a cybercrime or criminal offense. The practical question is not only “Is this illegal?” but “What can I do right now, what evidence should I save, and where should I complain?”

Online lending harassment usually follows a familiar pattern: you install an app, grant permissions, fall behind or dispute the loan, then collectors start texting your contact list, posting your name, calling your employer, or saying your contacts are “guarantors” even if they never agreed. Philippine regulators have specifically addressed this abuse. In a 2026 joint advisory, the DICT, National Privacy Commission (NPC), and Securities and Exchange Commission (SEC) reminded online lending platforms that contacting people in a borrower’s contact list, except actual guarantors, is prohibited for debt collection.

Is It Illegal for an Online Lending App to Access or Share Your Contacts?

Yes, if the app accessed, used, disclosed, or posted your contacts without a lawful basis and for a purpose you did not freely and specifically agree to.

Under Republic Act No. 10173, or the Data Privacy Act of 2012, personal information includes information that identifies or can reasonably identify a person. A person whose personal information is processed is called a data subject. Contact names, mobile numbers, workplace details, Facebook accounts, photos, and messages may all be personal information depending on the facts. (National Privacy Commission)

The Data Privacy Act also requires consent to be freely given, specific, and informed. This matters because many lending apps use broad permissions such as “allow contacts” or “allow storage” during installation. A general permission to use an app is not automatically permission to harvest your whole contact list, shame you, contact your employer, or tell unrelated people about your loan. (National Privacy Commission)

The NPC has already stated that online lenders are prohibited from harvesting phone and social media contact lists for harassment. It issued NPC Circular No. 20-01 because of complaints that online lenders were illegally using borrowers’ data and the data of people in their contact lists, damaging reputations and violating data subject rights. (National Privacy Commission)

Your Legal Rights Under Philippine Law

1. Your rights under the Data Privacy Act

As a data subject, you have the right to know whether your personal information has been processed, the purpose of processing, the scope and method of processing, the recipients of your data, the identity of the personal information controller, and the period for which the information will be stored. You also have the right to access your data, dispute inaccuracies, ask for blocking, removal, or destruction of unlawfully obtained or unauthorized data, and claim indemnity for damages caused by unauthorized use. (National Privacy Commission)

In online lending cases, this means you may demand answers to questions such as:

• What personal data did the app collect from my phone?
• Did it access my contacts, gallery, SMS, employer details, or social media data?
• Who received my data?
• Why were my relatives, friends, co-workers, or employer contacted?
• What legal basis allowed the app to disclose my loan information?
• Has my data been deleted or still retained?

The lending company is generally the personal information controller because it decides why and how your data is processed. If it uses a collection agency, call center, or third-party service provider, the lender may still be accountable for what those agents do with your data.

2. SEC rules on unfair debt collection

If the lender is a financing company or lending company, it is also regulated by the SEC. SEC Memorandum Circular No. 18, Series of 2019 prohibits unfair debt collection practices by financing companies, lending companies, and their third-party service providers. The prohibited acts include threats of violence, threats to take illegal action, insults or profane language, false representations, disclosure or publication of borrowers’ names and personal information, and contact at unreasonable hours.

Most importantly for online lending app victims, SEC MC No. 18 says that even if the borrower gave consent, contacting people in the borrower’s contact list other than those named as guarantors or co-makers is an unfair debt collection practice.

The 2026 DICT-NPC-SEC advisory is even clearer: for debt collection, lending companies and financing companies may only contact the guarantor. Character references are for identification or verification, while guarantors must separately and expressly consent to assume responsibility for the loan in case of default.

3. Possible cybercrime or criminal liability

If the app or collector posted your name, photo, debt, ID, employer, or other humiliating statements online, the facts may involve cyber libel, identity theft, threats, unjust vexation, coercion, or other offenses.

Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, covers offenses committed through computer systems. Its implementing rules define computer systems broadly enough to include mobile phones and similar devices. Cyber libel applies to libel committed through a computer system or similar means, and the Supreme Court-recognized rules apply only to the original author of the online libel, not people who merely receive or react to the post. (Supreme Court E-Library)

The NBI and PNP cybercrime units are the law enforcement authorities for cybercrime investigations. They may investigate cybercrimes involving computer systems, conduct forensic analysis, and assist in evidence preservation. (Supreme Court E-Library)

4. Possible civil damages

Apart from administrative and criminal remedies, you may also have civil claims for damages. Civil Code Articles 19, 20, and 21 require people to act with justice, give everyone their due, observe honesty and good faith, and compensate another person for damage caused contrary to law, morals, good customs, or public policy. Civil Code Article 26 also protects a person’s dignity, personality, privacy, and peace of mind against acts such as meddling with private life or vexing and humiliating another person. (ChanRobles)

In a recent Supreme Court case, Grace M. Trimillos v. FCash Global Lending, Inc., G.R. No. 271360, August 13, 2025, the borrower complained to the NPC that the lending app accessed her phone contacts without authority and informed people about her loan. The NPC awarded nominal damages and recommended prosecution for unauthorized processing and malicious disclosure under the Data Privacy Act; the Supreme Court reinstated the NPC decision after finding that the Court of Appeals erred in reversing it on evidentiary grounds. (Supreme Court E-Library)

What to Do Immediately If Your Contacts Were Posted or Messaged

1. Preserve evidence before anything disappears

Do this first. Many borrowers lose their case because messages are deleted, social media posts are taken down, or screenshots cannot be connected to the sender.

Save the following:

• Screenshots of all messages sent to you and your contacts
• Screen recordings showing the sender’s number, profile, date, time, and full conversation thread
• Links to Facebook posts, group posts, comments, or public shaming content
• Copies of SMS, Viber, WhatsApp, Messenger, Telegram, email, or call logs
• The app name, developer name, Google Play or App Store page, website, and privacy policy
• Loan agreement, disclosure statement, collection notices, and payment history
• Proof that the contacted person was not a guarantor or co-maker
• Affidavits or written statements from contacts who received messages
• Screenshots of app permissions showing access to contacts, photos, storage, SMS, camera, or location

For electronic evidence, keep the original device if possible. Do not rely only on cropped screenshots. Capture the full screen, phone number, profile name, URL, and timestamp. If the harassment is serious, consider asking the recipient to execute a short affidavit identifying the message, the phone number or account that sent it, and how they received it.

2. Revoke app permissions and secure your accounts

Revoke permissions to contacts, photos, SMS, camera, microphone, and storage. On Android, go to Settings > Apps > Permissions. On iPhone, go to Settings > Privacy & Security. Change passwords for email, Facebook, and e-wallets. Turn on two-factor authentication. If you uploaded an ID, monitor your accounts for identity theft.

Do not delete the app until you have documented the app name, version, permissions, loan details, and messages. Deleting too early may remove useful evidence.

3. Send a written demand to stop processing and delete unlawfully used data

You may send a short written notice to the lending app, its data protection officer, customer service email, or collection agent. Keep proof of sending.

Your message can say:

I demand that you immediately stop contacting my phone contacts, employer, relatives, friends, and other third parties regarding my loan. I did not authorize the disclosure of my personal information or loan information to them. I also demand that you block, remove, or destroy unlawfully obtained or unauthorized personal information under my rights as a data subject under Republic Act No. 10173. Please identify the personal data you collected, the recipients of the data, the purpose of processing, and your Data Protection Officer or responsible representative.

This does not mean you admit the debt. It simply creates a written record that you objected to the unauthorized processing and disclosure.

4. Tell your contacts what happened

This is uncomfortable, but it helps reduce panic and gather evidence. Ask them not to argue with collectors. Ask them to screenshot the message, save the sender’s number or account, and forward the evidence to you.

A simple message is enough:

An online lending app may have accessed my contacts without permission and may send messages about me. Please do not engage with them. Kindly screenshot any message, including the sender’s number/account and date/time, and send it to me for my complaint.

5. File the right complaints

You may file with more than one office because each agency handles a different aspect of the problem.

Problem	Where to complain	What the office can address
Unauthorized access, use, disclosure, or posting of personal data	National Privacy Commission	Data privacy violations, orders, damages, referral for prosecution
Harassing collection, contacting contacts, false threats, abusive debt collection	SEC Financing and Lending Companies Department	Administrative sanctions against lending/financing companies
Threats, scams, fake accounts, cyber libel, identity theft, online harassment	NBI Cybercrime Division or PNP Anti-Cybercrime Group	Criminal investigation and evidence preservation
App is still live and abusing users	NPC, SEC, app store reporting channels	Regulatory action, takedown requests, compliance action

The 2026 DICT-NPC-SEC advisory directs the public to report unfair debt collection practices to the SEC through its iMessage portal, and other harassment, threats, frauds, or scams to DICT, NBI Cybercrime Division, or PNP Anti-Cybercrime Group.

How to File a Complaint With the National Privacy Commission

The NPC handles complaints involving violations of the Data Privacy Act. Its official complaint page says a formal complaint must follow a specific format: download the form, print and fill it out, have it notarized, and submit it in person, by courier, or by scanned email to the NPC. (National Privacy Commission)

The NPC also announced that a new Complaint-Affidavit template took effect on July 1, 2025, and that the previous version would no longer be accepted after the transition period. Always use the current NPC template before notarizing. (National Privacy Commission)

Practical NPC complaint checklist

Prepare:

1. Completed NPC Complaint-Affidavit using the latest template
2. Valid government ID
3. Screenshots, screen recordings, call logs, URLs, and app details
4. Loan agreement, privacy notice, payment proof, and collection messages
5. Affidavits or written statements from contacted persons
6. A short chronology of events
7. Proof that the contacted persons were not guarantors or co-makers
8. Proof of your written demand to stop processing, if any
9. Notarization of the complaint-affidavit

Once the complaint is sufficient, NPC procedure may include evaluation, discovery conference, responsive comment from the respondent, fact-finding, and decision. In Trimillos v. FCash, the Supreme Court described NPC procedure: if allegations are sufficient, the investigating officer may issue an order for the parties to confer for discovery; the respondent may be ordered to submit a responsive comment within 10 days; and if the respondent fails to comment, the complaint may be submitted for resolution. (Supreme Court E-Library)

Expected timeline

Simple complaints may move faster, but contested NPC cases can take months or even years, especially if the respondent appeals. In Trimillos, the original complaint was filed in 2019, the NPC decision came in 2020, the Court of Appeals ruled in 2023, and the Supreme Court decision came in 2025. That timeline is not unusual when a case is appealed. (Supreme Court E-Library)

How to File a Complaint With the SEC

If the app is operated by a lending company or financing company, file a complaint with the SEC. The SEC’s iMessage portal allows the public to open a new ticket and check ticket status. (Securities and Exchange Commission)

When filing, include:

• Name of the lending app
• Corporate name of the lender, if known
• Screenshots of the app store listing and website
• SEC registration number or certificate of authority, if shown
• Collection messages sent to you and your contacts
• Proof that contacts were not guarantors or co-makers
• Timeline of calls, messages, and threats
• Your loan agreement and payment history

SEC MC No. 18 provides administrative penalties for violations. For lending companies, the circular lists fines for first and second offenses and, for a third offense depending on circumstances, possible higher fines, suspension of lending or financing activities, or revocation of the certificate of authority to operate.

If You Are an OFW, Foreigner, or Currently Abroad

You may still complain if the lending app is operating in the Philippines, processing data in the Philippines, targeting Philippine borrowers, or has links to the Philippines. The Data Privacy Act has extraterritorial application in certain situations, including processing that relates to personal information of a Philippine citizen or resident, or where the entity has links with the Philippines. (National Privacy Commission)

The main practical issue abroad is notarization. If the NPC complaint-affidavit must be notarized and you are outside the Philippines, check whether you can execute it before a Philippine Embassy or Consulate. Philippine embassies commonly notarize private documents such as affidavits for use in the Philippines, and personal appearance is usually required. (Philippine Embassy)

In some countries, a document executed abroad may need an apostille or consular notarization before it has legal effect in the Philippines. For example, the Philippine Embassy in Australia explains that documents executed, signed, or issued in Australia for use in the Philippines must either bear consular notarization or an Apostille Certificate from the Australian authority. (Philippine Embassy Canberra)

Common Mistakes That Weaken Complaints

Deleting messages too early

Do not delete harassment messages just because they are upsetting. Save them first. If a contact received the message, ask that person to preserve the original message on their phone.

Sending emotional replies to collectors

Avoid threats, insults, or admissions. Keep replies short and factual. A good reply says: “I dispute your unauthorized disclosure of my personal data. Stop contacting third parties. Send all communications to me in writing.”

Assuming “I clicked allow” means the lender can do anything

Consent under the Data Privacy Act must be specific and informed. A lending app may need some information to process a loan, but that does not mean it can use your contact list for public shaming or collection pressure.

Ignoring the debt issue completely

Harassment is illegal, but the existence of harassment does not automatically erase a valid loan. Treat these as separate issues: complain about the unlawful collection practice, while separately reviewing whether the principal, interest, penalties, and charges are lawful and properly disclosed.

Relying on screenshots without context

A screenshot should show who sent the message, who received it, the date, the time, and the full message. If the sender used a fake account, preserve profile links, phone numbers, and other identifiers.

Frequently Asked Questions

Can an online lending app message my contacts if I gave phone permission?

Not for debt collection just because you allowed phone permissions. The 2026 DICT-NPC-SEC advisory says online lending platforms may only access contacts for limited legitimate purposes, such as allowing you to select character references or guarantors, and unbridled processing of contact lists is prohibited.

Can they call my character reference to collect payment?

A character reference is not the same as a guarantor. Character references are for identification or verification. A guarantor must separately and expressly consent to assume responsibility for the loan. For debt collection, the advisory says lenders may only contact the guarantor.

What if the app told my contacts they are guarantors?

That is a red flag. A person does not become a guarantor simply because their name appears in your contact list or because the app calls them one. A guarantor must have agreed to be bound. Save the message and include it in your NPC and SEC complaints.

Can I sue the lending app for damages?

Yes, depending on the evidence. Possible bases include the Data Privacy Act, Civil Code provisions on damages and privacy, and other laws. In Trimillos v. FCash, the NPC awarded nominal damages and recommended prosecution after finding that the lending app gathered excessive information and used messages to shame the borrower; the Supreme Court reinstated the NPC decision. (Supreme Court E-Library)

Should I file with NPC or SEC first?

If the main issue is unauthorized access, use, disclosure, or posting of personal data, file with the NPC. If the main issue is abusive collection by a lending or financing company, file with the SEC. In many online lending harassment cases, filing with both is reasonable because the same facts may involve both privacy violations and unfair debt collection.

Can the collector still file a case against me for the loan?

Yes, if there is a valid debt, the lender may pursue lawful collection remedies, such as a civil collection case or small claims action. But it cannot use unlawful threats, public shaming, fake legal claims, or unauthorized disclosure of your personal information to force payment.

What if the app is unregistered or uses a different company name?

Include every identifier you can find: app name, developer name, website, email, phone number, bank or e-wallet account, SEC registration if any, screenshots of the app store page, and names used by collectors. Regulators often need these details because some apps change names or use multiple collection numbers.

Can my relatives or co-workers file their own complaint?

Yes. If their own names, numbers, photos, accounts, or private messages were processed or used without authority, they may also be data subjects. They should preserve the messages they received and state that they were not guarantors, co-makers, or parties to your loan.

Can I ask Facebook, Google, or the app store to remove the post or app?

Yes. Report the post, page, fake profile, or app through platform reporting tools, especially if it involves harassment, doxxing, impersonation, threats, or posting private information. This does not replace NPC, SEC, NBI, or PNP complaints, but it can help stop continuing harm.

What is the most important evidence?

The strongest evidence usually shows three things clearly: the lender or collector’s identity, the actual disclosure or message sent to third parties, and the fact that the recipients were not guarantors or co-makers. Full screenshots, screen recordings, URLs, call logs, app details, and witness statements are often more useful than cropped images.

Key Takeaways

• Online lending apps in the Philippines cannot use your contact list for public shaming or debt collection pressure.
• Contacting people in your phone contacts, except actual guarantors or co-makers who consented, is prohibited under SEC rules and reiterated in the 2026 DICT-NPC-SEC advisory.
• File with the NPC for data privacy violations, with the SEC for unfair debt collection, and with NBI or PNP cybercrime units for threats, cyber libel, identity theft, or serious online harassment.
• Preserve evidence before deleting the app, messages, posts, or call logs.
• A character reference is not automatically a guarantor.
• Harassment does not automatically cancel a valid loan, but it may expose the lender, its officers, or its collectors to administrative, civil, and criminal liability.
• If you are abroad, use the current NPC complaint-affidavit and check notarization, consular notarization, or apostille requirements before filing.