Philippines DPA

Data Privacy Act of 2012 (Republic Act No. 10173)

Key Facts

Effective Date: September 8, 2012
Enacted: August 15, 2012
Enforcing Authority: National Privacy Commission (NPC)
Consent Model: Opt-in
Applies To: Any natural or juridical person processing personal information, including government and foreign entities (extraterritorial)

Overview

The Philippines DPA requires consent via clear affirmative action with layered privacy notices. It is one of the few Asian data protection laws with criminal sanctions — up to 6 years imprisonment and PHP 4 million fines for sensitive data violations. The NPC has been actively issuing guidance but has not yet finalized dedicated cookie regulations.

What This Means for Your Website

  • Consent must be freely given, specific, informed, and via clear affirmative action
  • A layered privacy notice must be presented at or before cookie deployment
  • Criminal sanctions of 1-6 years imprisonment apply depending on the type of violation
  • Breach notification to the NPC is required within 72 hours
  • A data protection officer (DPO) is required for organizations processing data of 1,000+ individuals
  • Extraterritorial application to foreign entities processing Filipino data

Key Requirements

The NPC enforces the DPA with both criminal and administrative penalties. Processing without consent carries 1-3 years imprisonment and PHP 500K-2M fines. Sensitive data violations carry 3-6 years and PHP 500K-4M. Consumer requests and breach notification must follow statutory timelines.

How ConsentStack Handles This

ConsentStack applies affirmative consent with layered privacy notices for Filipino visitors, supporting compliance with the DPA's notification and consent requirements.

Penalties

Processing without consent: 1-3 years and PHP 500K-2M. Sensitive data: 3-6 years and PHP 500K-4M. Unauthorized privileged info: 3-6 years and PHP 500K-4M.

Maximum Fine: PHP 4,000,000 per violation

Key Requirements

  • Consent freely given, specific, informed via clear affirmative action
  • Layered privacy notice required at or before data collection
  • Consent evidenced by written, electronic, or recorded means
  • Easy mechanism for withdrawing consent at any time
  • Mandatory breach notification to NPC within 72 hours
  • DPO required for organizations processing 1,000+ individuals

Notable Provisions

  • Criminal and civil penalties — rare among Asian DP laws
  • Layered privacy notice required at cookie deployment
  • NPC has not finalized dedicated cookie regulations
  • DPO threshold: 1,000+ individuals

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does the Philippines have criminal privacy penalties?

Yes. The DPA includes criminal sanctions: 1-3 years for basic violations, 3-6 years for sensitive data violations, with fines up to PHP 4 million.

Does the Philippines require cookie consent?

The DPA requires consent via clear affirmative action for personal data processing. While dedicated cookie rules are pending, cookies collecting personal data are subject to DPA consent requirements.

What is the NPC?

The National Privacy Commission is the independent enforcement authority for the Philippines DPA, with powers to investigate, impose penalties, and issue guidance.
