Guidance Note on Cookies and Similar Technologies under the Philippine Data Privacy Act of 2012


Franchette M. Acosta, Senior Partner

Pauline Marie R. Gairanod-Mañalac, Associate


An abbreviated version of this Guidance Note has been published by OneTrust DataGuidance, a global privacy intelligence and research platform which monitors regulatory developments in data privacy. You may access said version of the Guidance Note here .




  1. Legislation

The Philippines’ Data Privacy Act of 2012 (“DPA”) does not specifically regulate cookies. However, in National Privacy Commission (“NPC”) Advisory Opinion No. 2017-063, the NPC opined that information acquired from the use of cookies, when combined with other pieces of information, may allow an individual to be distinguished from others and may, therefore, be considered personal information.

The DPA applies to the processing of all types of personal information and to any natural and juridical person involved in the processing of such personal information, including those personal information controllers (each a “PIC”) and personal information processors (each a “PIP”) who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines. The use of cookies to collect, use or otherwise process personal information is within the purview of the DPA (Section 4, DPA).

In addition to the DPA, the following are laws that generally govern data privacy and protection in the Philippines:


  • the Cybercrime Prevention Act of 2012 (Republic Act No. 10175), which prohibits, among others: (i) offenses against the confidentiality, integrity and availability of computer data, including illegal access, illegal interception, data interference, system inference and misuse of devices; and (ii) computer-related offenses, such as computer-related forgery, computer-related fraud and computer-related identity theft;


  • the Electronic Commerce Act of 2000 (Republic Act No. 8792), which applies to any kind of data message and electronic document used in the context of commercial and non-commercial activities, including domestic and international dealings, transactions, arrangements, agreements contracts and exchanges and storage of information;


  • the Access Devices Regulation Act of 1998 (Republic Act No. 8484), which prohibits access device fraud, which includes disclosing any information imprinted on the access device, such as, but not limited to, the account number or name or address of the device holder, without the latter's authority or permission,


1.2 Regulatory Authority Guidance


The regulatory authority responsible for the administration and enforcement of the DPA is the National Privacy Commission (“NPC”).


The NPC has issued implementing rules and regulations of the DPA (“DPA IRR”) to provide the necessary particulars for the enforcement of the DPA. It has likewise issued circulars, compliance with which is mandatory, as well as advisories and advisory opinions which, though not binding, are instructive as to the NPC’s standards in implementing the DPA.




Cookies and Similar Technologies: There is no definition of “cookies” in the DPA, the DPA IRR or any NPC issuances.


Consent: Consent is defined in the DPA IRR as a freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent must be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so (Section 3, DPA IRR).


Consent is required prior to the collection and processing of personal data, subject to exemptions provided in law. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn. Further, in obtaining consent, the data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing (Section 19, DPA IRR). Specifically as to data sharing, consent for the same shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships (Section 20, DPA IRR).


As a general rule, in the case of the processing of personal information, the data subject must give his or her consent prior to its collection or as soon as practicable and reasonable (Section 21, DPA IRR). In comparison, when the subject of the processing is sensitive personal information, unless any of the exceptions in the DPA apply, consent must be given by the data subject strictly prior to the processing (Section 22, DPA IRR).


Personal information is any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Section 3(l), DPA IRR). Sensitive personal information, on the other hand, refers to personal information: (i) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (ii) about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (iii) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; or (iv) specifically established by an executive order or an act of Congress to be kept classified (Section 3(t), DPA IRR).


When processing personal information, consent may be dispensed with if:


  1. The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;
  2. The processing is necessary for compliance with a legal obligation to which the PIC is subject;
  3. The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;
  4. The processing of personal information is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law;
  5. The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or
  6. The processing is necessary to pursue the legitimate interests of the PIC, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution (Section 21, DPA IRR).


When processing sensitive personal information, meanwhile, there is no need to acquire prior consent if:


  1. The processing of the sensitive personal information is provided for by existing laws and regulations, provided that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data;


  1. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;


  1. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that:
    1. Processing is confined and related to the bona fide members of these organizations or their associations;
    2. The sensitive personal information are not transferred to third parties; and
    3. Consent of the data subject was obtained prior to processing;


  1. The processing is necessary for the purpose of medical treatment, provided that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or


  1. The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate (Section 22, DPA IRR).


No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject (Section 48, DPA IRR).


When a data subject objects or withholds consent, the PIC must no longer process the personal data, unless: (i) the personal data is needed pursuant to a subpoena; (ii) the collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or (iii) the information is being collected and processed as a result of a legal obligation (Section 34(b), DPA IRR).




The NPC has not issued guidelines on the use of cookies and acquiring data subjects’ consent for the same.


The NPC, however, discussed cookies briefly in Advisory Opinion No. 2017-63, in which it opined that cookies when combined with other pieces of information, may allow an individual to be distinguished from others and may therefore be considered personal information. As such, when the use of cookies involves the processing of a data subject’s personal information, it is within the scope of the DPA.


Further, in Advisory Opinion No. 2017-47, the NPC opined on the matter of whether information about the use of cookies in pop-up format is still required by the DPA if it such use is already stated in the privacy policy of which data subjects are aware. The NPC opined that the PIC or PIP has discretion as to whether additional means of informing the data subjects, such as through pop-ups in the website, would still be beneficial in complying with the DPA and upholding data subjects’ rights, particularly if the privacy policy is already adequate, accessible and comprehensible. Accordingly, each PIC and PIP are in the best position to determine the best mechanism to show their adherence to the principle of transparency given their unique circumstances. Thus, the use of pop-ups, while not required, may serve as an immediately accessible notice to data subjects.


As there are no specific requirements for acquiring consent for the use of cookies or similar technologies under the DPA or pursuant to NPC issuances, the general requirements for consent, as discussed above, apply.


There are likewise no guidelines on the further processing of personal information acquired from the use of cookies. The DPA, however, provides that further processing of personal data collected from a party other than the data subject, such as the sharing of data acquired from the use of cookies, shall be allowed under any of the following conditions (Section 20, DPA IRR):


  1. When it is expressly authorized by law, provided that there are adequate safeguards for data privacy and security, and processing adheres to principle of transparency, legitimate purpose and proportionality;


  1. When, in the private sector, the data subject consents to data sharing and the following conditions are complied with:
    1. Consent for data sharing is acquired, even when the data is to be shared with an affiliate or mother company or similar relationships;
    2. When the data sharing is for commercial purposes, including direct marketing, it is covered by a data sharing agreement that establishes adequate safeguards for data privacy and security and upholds the rights of data subjects, which data sharing agreement may be subject to review by the NPC on its own initiative or upon a data subject’s complaint;


  1. The data subject is provided with the following information prior to collection or before data is shared: (i) identity of the PICs or PIPs that will be given access to the personal data; (ii) purpose of data sharing; (iii) categories of personal data concerned; (iv) intended recipients or categories of recipients of the personal data; (v) existence of the rights of data subjects, including the right to access and correction, and the right to object; (vi) other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing; and


  1. The further processing of shared data shall adhere to the DPA, DPA IRR and NPC issuances.




There are no specific rules on third-party cookies or cookies used by websites or platforms other than the website the user is visiting. However, as third-party cookies involve the processing of personal information, they are subject to the DPA. Thus, the discussions above on consent apply.




There are no specific rules on cookie retention periods or retention periods for similar technologies. The DPA IRR, however, provides that retention of personal data shall only be for as long as necessary: (i) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated; (ii) for the establishment, exercise or defense of legal claims; or (iii) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency. Further, personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined. (Section 19, DPA IRR).




There are no penalties specific to violations committed while using cookies to process users’ personal information. The use of cookies without the consent of the data subject, however, may render a party liable for unauthorized processing (Section 52, DPA IRR) or processing for unauthorized purposes (Section 55. DPA IRR) of personal information and/or sensitive personal information. These offenses are punishable with imprisonment and a fine, which depend on the type of personal data subject of the processing.


If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime (Section 61, DPA IRR).