Franchette M. Acosta, Senior Partner
Pauline Marie R. Gairanod-Mañalac, Associate
An abbreviated version of this Guidance Note has been published by OneTrust DataGuidance, a global privacy intelligence and research platform which monitors regulatory developments in data privacy. You may access said version of the Guidance Note here.
The Philippines’ Data Privacy Act of 2012 (“DPA”) does not specifically regulate cookies. However, in National Privacy Commission (“NPC”) Advisory Opinion No. 2017-063, the NPC opined that information acquired from the use of cookies, when combined with other pieces of information, may allow an individual to be distinguished from others and may, therefore, be considered personal information.
The DPA applies to the processing of all types of personal information and to any natural and juridical person involved in the processing of such personal information, including those personal information controllers (each a “PIC”) and personal information processors (each a “PIP”) who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines. The use of cookies to collect, use or otherwise process personal information is within the purview of the DPA (Section 4, DPA).
In addition to the DPA, the following are laws that generally govern data privacy and protection in the Philippines:
1.2 Regulatory Authority Guidance
The regulatory authority responsible for the administration and enforcement of the DPA is the National Privacy Commission (“NPC”).
The NPC has issued implementing rules and regulations of the DPA (“DPA IRR”) to provide the necessary particulars for the enforcement of the DPA. It has likewise issued circulars, compliance with which is mandatory, as well as advisories and advisory opinions which, though not binding, are instructive as to the NPC’s standards in implementing the DPA.
Cookies and Similar Technologies: There is no definition of “cookies” in the DPA, the DPA IRR or any NPC issuances.
Consent: Consent is defined in the DPA IRR as a freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent must be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so (Section 3, DPA IRR).
Consent is required prior to the collection and processing of personal data, subject to exemptions provided in law. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn. Further, in obtaining consent, the data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing (Section 19, DPA IRR). Specifically as to data sharing, consent for the same shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships (Section 20, DPA IRR).
As a general rule, in the case of the processing of personal information, the data subject must give his or her consent prior to its collection or as soon as practicable and reasonable (Section 21, DPA IRR). In comparison, when the subject of the processing is sensitive personal information, unless any of the exceptions in the DPA apply, consent must be given by the data subject strictly prior to the processing (Section 22, DPA IRR).
Personal information is any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Section 3(l), DPA IRR). Sensitive personal information, on the other hand, refers to personal information: (i) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (ii) about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (iii) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; or (iv) specifically established by an executive order or an act of Congress to be kept classified (Section 3(t), DPA IRR).
When processing personal information, consent may be dispensed with if:
When processing sensitive personal information, meanwhile, there is no need to acquire prior consent if:
No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject (Section 48, DPA IRR).
When a data subject objects or withholds consent, the PIC must no longer process the personal data, unless: (i) the personal data is needed pursuant to a subpoena; (ii) the collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or (iii) the information is being collected and processed as a result of a legal obligation (Section 34(b), DPA IRR).
The NPC has not issued guidelines on the use of cookies and acquiring data subjects’ consent for the same.
The NPC, however, discussed cookies briefly in Advisory Opinion No. 2017-63, in which it opined that cookies when combined with other pieces of information, may allow an individual to be distinguished from others and may therefore be considered personal information. As such, when the use of cookies involves the processing of a data subject’s personal information, it is within the scope of the DPA.
Further, in Advisory Opinion No. 2017-47, the NPC opined on the matter of whether information about the use of cookies in pop-up format is still required by the DPA if such use is already stated in the privacy policy of which data subjects are aware. The NPC opined that the PIC or PIP has discretion as to whether additional means of informing the data subjects, such as through pop-ups on the website, would still be beneficial in complying with the DPA and upholding data subjects’ rights, particularly if the privacy policy is already adequate, accessible and comprehensible. Accordingly, each PIC and PIP is in the best position to determine the best mechanism to show its adherence to the principle of transparency given its unique circumstances. Thus, the use of pop-ups, while not required, may serve as an immediately accessible notice to data subjects.
As there are no specific requirements for acquiring consent for the use of cookies or similar technologies under the DPA or pursuant to NPC issuances, the general requirements for consent, as discussed above, apply.
There are likewise no guidelines on the further processing of personal information acquired from the use of cookies. The DPA, however, provides that further processing of personal data collected from a party other than the data subject, such as the sharing of data acquired from the use of cookies, shall be allowed under any of the following conditions (Section 20, DPA IRR):
There are no specific rules on third-party cookies or cookies used by websites or platforms other than the website the user is visiting. However, as third-party cookies involve the processing of personal information, they are subject to the DPA. Thus, the discussions above on consent apply.
There are no specific rules on cookie retention periods or retention periods for similar technologies. The DPA IRR, however, provides that retention of personal data shall only be for as long as necessary: (i) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated; (ii) for the establishment, exercise or defense of legal claims; or (iii) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency. Further, personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined (Section 19, DPA IRR).
There are no penalties specific to violations committed while using cookies to process users’ personal information. The use of cookies without the consent of the data subject, however, may render a party liable for unauthorized processing (Section 52, DPA IRR) or processing for unauthorized purposes (Section 55, DPA IRR) of personal information and/or sensitive personal information. These offenses are punishable with imprisonment and a fine, which depend on the type of personal data that is the subject of the processing.
If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime (Section 61, DPA IRR).