Did I really consent to a lending app's data collection just by installing it?
Last updated: 2026-07-11 · Educational content; not legal advice.
Short answer
Not necessarily. Under the Data Privacy Act (RA 10173), consent must be freely given, specific, and informed — a blanket in-app "Allow" that forces you to surrender your entire contact list, photos, or location before you can borrow is not valid consent for excessive data. RA 10173 §11 requires processing to follow transparency, legitimate purpose, and proportionality, and NPC Circular No. 20-01 (2020) says a lender may only collect data that is adequate, relevant, and not excessive for assessing your loan. Harvesting your whole phone to pressure you later fails that test, and the NPC has repeatedly struck it down.
Primary sources
Frequently asked
What makes consent valid under RA 10173?
RA 10173 §3(b) defines consent as a freely given, specific, informed indication of will. Consent bundled into a take-it-or-leave-it install, or hidden in a long permission prompt, is not freely given or specific — especially where the data grabbed is not needed for the loan.
So can they collect anything if I tick 'Allow'?
No. Even with a tick, §11's proportionality principle and NPC Circular 20-01 cap collection at what is adequate and not excessive for evaluating your loan. A solo cash loan does not need your entire contact list, gallery, or 24/7 location, so that collection stays unlawful regardless of the tick.
Can I withdraw consent later?
Yes. RA 10173 §16(e) lets you order the blocking, removal, or destruction of your personal data, and §34 recognizes the right to withdraw. Put it in writing to the lender and, if ignored, file with the NPC.
Take action
Got a similar problem?
File a complaint and we'll pre-fill BSP, SEC, DTI, and small-claims letters for you.
Contact-list scraping, unauthorized data use, and how to file with the NPC.