
Philippines Data Privacy Act of 2012 (DPA, Republic Act No. 10173): cookie consent and compliance

The Philippines’ Data Privacy Act of 2012 (Republic Act No. 10173) requires organizations to obtain consent before processing personal data. This includes all data collected through cookies and other tracking technologies. Are your website and apps ready for compliance?

What your business needs to know about DPA Philippines


The Data Privacy Act of 2012 (DPA) establishes comprehensive rules governing the collection, processing, storage, and transfer of personal data in the Philippines. The DPA seeks to balance the right to privacy with the legitimate needs of businesses and government organizations to process data and is aligned with other global data privacy regulations, such as GDPR. 

Under the DPA, organizations must obtain informed and explicit consent before processing personal data, unless another lawful basis applies (such as contractual necessity, legal obligation, or legitimate interest recognized under the law). 

Organizations are also required to: 

Provide clear, accessible notices detailing why data is collected, how it will be used, and how long it will be stored. 

Ensure that data transfers, particularly cross-border transfers, comply with DPA safeguards; such transfers may require the National Privacy Commission (NPC)’s approval or the data subject’s explicit consent.

What does DPA Philippines compliance require?

To comply with the DPA, businesses must review how they collect, process, and store personal data. A compliant setup typically includes:

Use cookie banners: a cookie banner that clearly explains cookie categories and purposes.

Update privacy policy: an up-to-date privacy policy that aligns with DPA principles.

Implement consent management: consent mechanisms that are explicit, freely given, and easy to withdraw.

Audit: regular audits and staff training to ensure continued compliance.

Assess third parties: vendor assessments for third-party analytics, marketing, or advertising tools that process user data.

Who needs to comply with the DPA Philippines?

All organizations, whether public, private, non-profit, or foreign, that process or control the personal data of individuals in the Philippines must comply with the DPA.

This includes: 

Local businesses and service providers. 

Online platforms and e-commerce websites. 

International companies targeting or serving users in the Philippines.

Consumer rights under DPA Philippines

Under the DPA, individuals (data subjects) in the Philippines are granted the following rights:

Why cookies as part of DPA Philippines compliance


Cookies and similar tracking technologies are considered personal data processing under the DPA when they identify, or can reasonably identify, an individual. 

Essential cookies necessary for website functionality may not require consent. 

Non-essential cookies, such as analytics, advertising, or personalization cookies, do require explicit opt-in consent. 

Websites must: 

Provide a clear cookie notice or policy explaining types and purposes of cookies. 

Obtain and record explicit consent before using non-essential cookies. 

Allow users to change or withdraw consent easily at any time.

Penalties for DPA Philippines non-compliance


The National Privacy Commission (NPC) can impose significant penalties for non-compliance with the DPA. 

Sanctions may include: 

Administrative fines, which vary depending on the severity and nature of the violation. 

Orders to suspend or stop data processing activities. 

Deletion of unlawfully processed data and other corrective measures. 

Beyond financial penalties, non-compliance can result in severe reputational damage, loss of customer trust, and potential criminal liability for willful violations.

How to comply with the DPA Philippines

To check their compliance with the DPA Philippines, businesses should:

Audit: audit all cookies and trackers used on their websites.

Categorize: categorize cookies (e.g., necessary, preferences, analytics, marketing).

Implement consent: implement and test cookie consent banners for functionality and clarity.

Keep logs: keep detailed consent logs and make withdrawal simple and transparent.

Review third-party tools: review third-party tools to ensure their compliance with the DPA.

Train employees: train employees on data protection responsibilities and best practices.

How CookieHub can help with DPA Philippines compliance

A consent management platform like CookieHub can help businesses achieve DPA compliance by enabling transparent cookie consent collection, managing user preferences, and documenting consent records for auditability.

Frequently Asked Questions

The Data Privacy Act of 2012 (Republic Act No. 10173) governs the collection, processing, storage, and use of personal data in the Philippines. It applies to both public and private sector organizations that control or process personal information, whether the data is processed in the Philippines or abroad, as long as the individual is a Philippine citizen or resident. The law ensures that individuals’ privacy rights are protected and establishes principles of transparency, legitimate purpose, and proportionality in handling personal data.

Under the DPA, personal data refers to any information, whether recorded or not, that can identify an individual, either directly or indirectly. This includes:

Personal information – data that can identify a person, such as name, address, phone number, email, or government-issued ID number.

Sensitive personal information – data that can be used to discriminate against or harm an individual, such as race, ethnic origin, marital status, age, health records, education, genetic or sexual life, social security numbers, or government-issued identifiers.

Privileged information – any data covered by attorney-client privilege or similar protected relationships.

Sensitive personal information includes data that is more private in nature and requires stricter protection. Examples include:

Race, ethnic origin, or religious or political affiliations.

Health, education, or genetic data.

Sexual life or orientation.

Social security numbers and other government-issued identifiers (e.g., passport or driver’s license numbers).

Data issued by government agencies that is unique to an individual (such as SSS, GSIS, or PhilHealth numbers).

The processing of sensitive personal information generally requires explicit consent from the data subject, except in specific cases allowed by law.

The National Privacy Commission (NPC) is the independent government agency tasked with implementing and enforcing the Data Privacy Act. The NPC:

Monitors compliance with the law and its implementing rules.

Investigates complaints and data breaches.

Issues advisory opinions and compliance orders.

Promotes public awareness of data protection rights and obligations.

Certain processing activities are exempt from the Data Privacy Act, including:

Data used for personal, family, or household affairs that is not publicly available.

Information necessary for journalistic, artistic, or literary purposes in order to uphold freedom of expression.

Data processed for research or statistical purposes, provided it is not used to make decisions about individuals.

Data processed for information required by law or for legal proceedings.

Information necessary for national security, public order, or law enforcement purposes.

These exemptions are limited and subject to conditions defined by the NPC.

You can visit the National Privacy Commission (NPC) website for official guidelines, advisories, compliance tools, and updates related to the Data Privacy Act.

Disclaimer: The information provided on this page is for general reference purposes only and is not intended to constitute legal or regulatory advice. Data privacy regulations are complex and subject to frequent updates, interpretations, and jurisdictional variations. While efforts are made to keep the material accurate and up to date, we cannot guarantee its completeness or applicability to your specific circumstances. For guidance on compliance or legal obligations, please consult qualified legal professionals or the appropriate regulatory authorities.