Gorriceta Africa Cauton & Saavedra
By: Atty. Edsel F. Tupaz (Senior Partner) & Atty. Hans R. Ong (Junior Associate)
* Special thanks to Mr Joaquin Balina for his research contribution.
July 22, 2025
1. GOVERNING TEXTS
1.1. Legislation
Not applicable.
1.2. Regulatory Authority Guidance
The National Privacy Commission (NPC) has not issued any circulars or regulations specifically on the use of cookies or similar technologies.
Though the NPC has not yet released any specific rules on cookies, it has released an advisory opinion on the use of cookies and similar tracking tools. NPC Advisory Opinion No. 2017-047: Use of Pop-ups for Information on the Use of Cookies provides general guidance for fulfilling the transparency requirement with regard to the use of cookies.
2. DEFINITIONS
Cookies & similar technologies: There is no definition of cookies and similar technologies in the law. However, cookies and similar technologies may fall under the definition of personal information.
Consent: Consent under the Philippines Data Privacy Act of 2012 (Republic Act No. 10173) (the Act) refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to themselves. Consent is evidenced by written, electronic, or recorded means.
This is best read with NPC Circular No. 2023-04 (Guidelines on Consent), which provides further guidance on consent as a lawful basis for data processing and qualifies what constitutes valid consent under the Act and how it shall be obtained and managed.
Personal data: In the Philippines, the Act defines ‘personal data’ as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
The NPC in its Advisory Opinion No. 2017-63: Personal and Sensitive Information clarified that cookies and similar technologies, which often collect data that can be used to track and identify individuals, such as IP addresses, browsing history, or device identifiers, may fall under the category of personal information. These technologies collect data that, taken collectively with other pieces of information, can reasonably be linked to an individual.
Data processing: The Act defines processing as any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
In relation to cookies and similar technologies, the activities these technologies perform – such as collecting user data, storing it for later retrieval, organizing browsing patterns, or using the data for targeted advertising – can be considered as forms of processing under the Act.
Online identifiers: While not specifically defined under Philippine law, online identifiers fall under the definition of personal information as being pieces of information that can be used to identify the individual.
3. CONSENT MANAGEMENT
3.1. Is consent required?
As cookies may be considered personal information, the processing of cookies and similar technologies must be done in a manner that would satisfy the criteria for lawful processing of personal information as provided under the Act.
The processing of personal information shall be permitted only if it is not otherwise prohibited by law, and when at least one of the following conditions exists:
- The data subject has given consent;
- The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject;
- The processing is necessary for compliance with a legal obligation to which the personal information controller (PIC) is subject;
- The processing is necessary to protect the vitally important interests of the data subject, including life and health;
- The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
- The processing is necessary for the purposes of the legitimate interests pursued by the PIC or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Constitution of the Republic of the Philippines.
PICs are not strictly required to obtain the consent of data subjects for the processing of cookies, provided that another lawful basis exists for processing.
3.2. Conditions for valid consent
As provided under the NPC Circular No. 2023-04, the Guidelines on Consent, consent must be:
Freely given: The data subject must have genuine choice and control over their decision to consent to the processing of their personal data. Consent obtained through coercion, deception, or undue pressure is not considered valid.
Specific: Consent must be granular and specific to the purposes of the processing. When personal data is processed for multiple but unrelated purposes, the data subject should be able to select which purposes they consent to, rather than providing blanket consent.
Informed: The data subject must be provided with all relevant information necessary to make an informed decision about the processing of their personal data. The information should be clear, understandable, and easily accessible to ensure that the data subject fully understands what they are consenting to.
Indicated by clear assent: Consent must be indicated through a clear action by the data subject that signifies agreement to the processing. This could include a written signature, a click of a checkbox, or any other explicit action.
Evidenced by written, electronic, or recorded means: The consent obtained must be documented in a manner that can be demonstrated if necessary. This ensures that there is proof that the data subject provided their consent for the specific processing activity.
Further, when obtaining consent, a layered privacy notice should be presented to the data subject at the time of or before the use of cookies. Layered notices address different levels of detail without overwhelming the data subject: an initial brief overview covers the essential information, with links or options to access more detailed explanations. Additionally, employing just-in-time notices – which present relevant information precisely when the data subject is about to make a decision – can enhance the transparency, fairness, and effectiveness of the consent process.
This notice must include key details such as the type of personal data being collected, the purposes for which the cookies are being used, the identity of the PIC, and how the data subject’s rights can be exercised. The notice should be concise and use clear and straightforward language that is easily understandable by the average user.
To further ensure that consent is informed and freely given, it is important to avoid creating consent fatigue – where repeated or overly complex requests for consent can lead to the data subject ignoring or misunderstanding the implications. This can be mitigated by streamlining the consent process, ensuring that each request is relevant and clearly presented, and by avoiding unnecessary or redundant consent prompts.
3.3. Analytics and audience measurement cookies
While there are no specific requirements or guidance regarding consent for analytics and audience measurement cookies, the general rules related to consent as outlined in the Act and the NPC Guidelines on Consent will apply. This means that the use of these cookies must adhere to the same standards for obtaining valid consent as any other type of personal data processing.
Specifically, the data subject’s consent must be freely given, specific, informed, and indicated by clear assent. The processing of analytics and audience measurement cookies must be transparently disclosed to the data subject, including the purpose of the processing, and the data subject must be given the genuine choice to consent or refuse the use of cookies. Additionally, consent must be documented, and the data subject should have an easy way to withdraw consent at any time.
In lieu of consent, the Guidelines on Consent provide that PICs may resort to legitimate interest as their lawful basis for processing cookies for analytics and audience measurement.
Note that the NPC has issued additional guidance under NPC Advisory No. 2024-04, which governs the training and use of Artificial Intelligence (AI) systems. Accordingly, the use of AI for analytics purposes is subject to further compliance requirements beyond those applicable to conventional analytics tools.
Under NPC Advisory No. 2024-04, PICs that utilize AI systems shall inform data subjects of the nature, purpose, and extent of personal data processing when their data is used in the development or deployment of such systems. This information must be easily accessible and presented in clear and plain language, while retaining necessary technical terms.
In addition, PICs must be able to demonstrate that they have implemented effective AI governance policies and procedures in compliance with the Act. These include the conduct of Privacy Impact Assessments (PIAs), integration of privacy-by-design and privacy-by-default principles, adherence to common industry security standards, continuous monitoring of AI system operations, establishment of a dedicated AI ethics board, regular retraining and data scrubbing of AI systems, and mechanisms for human oversight and review of AI-generated outputs.
Where automated decision-making is involved, PICs shall implement meaningful human intervention mechanisms to be carried out by individuals with the necessary competence and authority. PICs shall also provide avenues for data subjects to question and contest automated decisions, particularly where such decisions may pose a significant risk to the rights and freedoms of the individuals concerned.
3.4. Exemptions
Under the Consent Guidelines, consent is not required for the processing of cookies when the PIC turns to legitimate interest as its lawful basis for processing under the Act. However, the PIC should conduct a Legitimate Interest Assessment (LIA), as prescribed by NPC Circular No. 2023-07: Guidelines on Legitimate Interest, to determine if the PIC can rely on legitimate interest as its lawful basis for processing.
The LIA shall determine whether the following conditions are satisfied prior to any processing of personal data based on legitimate interest:
- The legitimate interest is established;
- The means to fulfill the legitimate interest is both necessary and lawful; and
- The interest is legitimate and lawful, and it does not override fundamental rights and freedoms of data subjects.
3.5. Cookie information requirements
While there are no specific cookie information requirements, the NPC provides that, at a minimum, the following information should be provided to the user at the moment consent is obtained:
- A description of the personal data to be processed;
- The purpose, nature, extent, duration, and scope of processing for which consent is used as basis;
- The identity of the PIC;
- The existence of the rights of the data subject; and
- How these rights can be exercised.
3.6. Cookie consent mechanism
Not applicable. Please see the discussion under Conditions for valid consent, Analytics and audience measurement cookies, and Exemptions above for requirements under Philippine law in relation to the obtaining of consent as a general rule.
3.7. Cookie walls
Cookie walls are not expressly prohibited by the NPC or the Act. However, the use of cookie walls must be consistent with the Consent Guidelines and the rules applicable to deceptive design patterns in NPC Advisory No. 2023-01: Guidelines on Deceptive Design Patterns. Under this Advisory, a deceptive design pattern refers to any design technique, whether in analog or digital form, that is intentionally crafted to manipulate or mislead a data subject into performing a specific action related to the processing of their personal data. The Guidelines on Deceptive Design Patterns provide that the use of deceptive design patterns may result in the invalidation of consent given by a data subject, which may render the processing activity unlawful for lack of a valid lawful basis.
Under Philippine privacy law, cookie walls that force users to accept cookies before being allowed access to a website may infringe upon the data subject’s ability to freely give consent. Cookie walls may also be considered a deceptive design pattern if they prohibit a data subject from categorically disallowing the processing of their personal data.
3.8. Consent duration
While there are no specific rules for cookies, the general principles set forth in the NPC Guidelines on Consent will apply. Consent remains valid as long as the information communicated to the data subject – regarding the scope, purpose, nature, and extent of the processing – remains accurate and unchanged. If there is a significant change in how the cookies are used, such as a shift in their purpose, the type of data collected, or the parties with whom the data is shared, the original consent is no longer valid. In such cases, consent must be obtained anew from the data subject, ensuring that they are fully informed about the new aspects of the processing.
Furthermore, consent for cookies should not be seen as a one-time event. Website operators should periodically review consent obtained and provide users with mechanisms to easily manage and update their preferences. If a user revisits the website after a substantial period or if the context of data processing evolves, it may be necessary to prompt them to renew their consent to ensure continued compliance with transparency and validity requirements.
4. COOKIES & THIRD PARTIES
4.1. Conditions for placement of third-party cookies
The rules outlined here apply uniformly to first-party and third-party cookies.
When disclosing data to third parties, the disclosure (or sharing or transfer) must be embodied within a data sharing agreement (DSA) or data outsourcing agreement (DOA), depending on the nature of the relationship with the third party.
A DSA is required when personal data is shared by a PIC with another PIC, a third party that will process the data for its own purposes. The DSA must outline the specifics of the data sharing arrangement, including the purposes for which the data will be used, the categories of personal data involved, the identities of the parties, and the rights of the data subjects. The DSA must also include provisions on transparency, security, and accountability, ensuring that both parties adhere to the Act’s requirements.
On the other hand, a DOA is appropriate when data processing is outsourced to a personal information processor (PIP), one who processes data on behalf of the PIC. The DOA must clearly define the scope of the data processing activities, the responsibilities of the third party, and the security measures to be implemented to protect the data. The third party must act only under the instructions of the PIC and must ensure that the processing activities are compliant with the Act and relevant privacy laws.
4.2. Roles and responsibilities
While there are no specific provisions under the Act that specifically address the placement of third-party cookies, the general rules regarding personal data processing apply. These principles set out the responsibilities of both website operators and third parties involved in the use of cookies to ensure compliance with data protection laws.
Website operators
As the entities responsible for collecting and processing personal data through cookies, website operators, typically acting as PICs, have several key responsibilities:
Ensuring lawful processing: Even though there is no specific rule for third-party cookies, the general requirement remains that the processing of personal data, including through cookies, must be lawful. This means obtaining valid consent (or another lawful basis) from users before cookies are placed and ensuring that the data processing is necessary, transparent, and aligned with declared purposes.
Transparency and consent: PICs are obligated to clearly inform users about the use of third-party cookies, the type of data collected, the purposes for which it is processed, and the involvement of any third parties. Users must be able to easily manage their cookie preferences, with the PIC ensuring that consent is both informed and freely given.
Accountability: Despite third parties being involved in processing, the PIC remains ultimately accountable for ensuring compliance with the Act. This means that if a third party fails to meet data protection standards or violates the data sharing agreement, the PIC is accountable and may be held liable for breach or non-compliance.
Contractual obligations: To safeguard the processing of personal data, PICs must establish clear DOAs or DSAs with third parties. These agreements should outline each party’s roles and responsibilities, ensuring that third parties uphold the same or comparable data protection standards applicable to the PIC.
Third parties
Third parties, such as analytics providers or advertisers, must also adhere to general data protection principles under Philippine privacy law:
Compliance with agreements: Third parties are required to follow the terms outlined in the DOA or DSA. Processors or PIPs must process personal data strictly according to the PIC’s instructions.
Implementing safeguards: It is the responsibility of third parties to implement reasonable and appropriate physical, technical, and organizational measures to protect the data they process from unauthorized access, loss, or other security risks.
Reporting obligations: Should a data breach or any other security incident occur, third parties are required to promptly report it to the PIC. This enables the PIC to take appropriate action and, if necessary, notify the affected data subjects and/or the NPC in compliance with the law.
4.3. International data transfers
International data transfers are governed by the Act’s provision on accountability, which makes PICs responsible for all personal information under their control or custody that is transferred internationally. This entails the responsibility of PICs to use contractual or other reasonable means to protect personal information processed by a third party. PICs must also guarantee that personal information transferred abroad receives a level of protection comparable to that guaranteed by the Act.
To aid PICs engaged in international data transfers, the NPC released NPC Advisory No. 2024-01: Model Contractual Clauses for Cross-Border Transfers of Personal Data. The Advisory provides the NPC’s preferred model contractual clauses, which it deems sufficient to guarantee that personal information transferred abroad is adequately protected.
5. COOKIE RETENTION
While there are no specific rules regarding the retention periods for cookies and similar technologies, the Act provides that personal data shall not be retained longer than necessary. Specifically, retention of personal data is only permitted for as long as needed to fulfill the declared, specified, and legitimate purpose for which it was collected, or until the processing relevant to that purpose has been terminated. Additionally, data may be retained for the establishment, exercise, or defense of legal claims, or for legitimate business purposes that are consistent with industry standards or approved by an appropriate government agency.
Retention beyond these purposes is only allowed when provided by law. Once the data is no longer needed, it must be disposed of securely, ensuring that further processing, unauthorized access, or disclosure is prevented. Secure disposal is crucial to protect the interests and rights of the data subjects involved.
6. ADDITIONAL INFORMATION
For the latest information on Philippine privacy laws and regulations, please directly refer to the NPC.
7. CASE LAW & ENFORCEMENT DECISIONS
There is no relevant case law in relation to the placement or use of cookies or similar technologies under Philippine law.
8. PENALTIES
Under the Act and its Implementing Rules and Regulations, various penalties may apply to violations involving cookies and similar technologies, especially when these technologies are used to process personal data without proper compliance with the provisions of the Act.
Unauthorized processing of personal information
Processing personal information through cookies without the data subject’s consent or without authorization under the Act can lead to imprisonment of one to three years and fines of between PHP 500,000 (approx. $8,945) and PHP 2 million (approx. $35,780).
If sensitive personal information is involved, the penalties increase to three to six years of imprisonment and fines of between PHP 500,000 (approx. $8,945) and PHP 4 million (approx. $71,570).
Access due to negligence
If personal information accessed through cookies is made accessible to unauthorized individuals due to negligence, this can result in one to three years of imprisonment and fines ranging from PHP 500,000 (approx. $8,945) to PHP 2 million (approx. $35,780).
For sensitive personal information, the penalties increase to three to six years of imprisonment and fines of between PHP 500,000 (approx. $8,945) and PHP 4 million (approx. $71,570).
Improper disposal
Failing to securely dispose of personal information collected through cookies, leading to unauthorized access, can result in imprisonment from six months to two years and fines from PHP 100,000 (approx. $1,790) to PHP 500,000 (approx. $8,945).
For sensitive personal information, the penalties range from one to three years of imprisonment and fines from PHP 100,000 (approx. $1,790) to PHP 1 million (approx. $17,885).
Processing for unauthorized purposes
If cookies are used to collect data for purposes not authorized by the data subject, the Act, or existing laws, the penalties include one year and six months to five years of imprisonment and fines between PHP 500,000 (approx. $8,945) and PHP 1 million (approx. $17,885).
For sensitive personal information, imprisonment ranges from two to seven years, with fines from PHP 500,000 (approx. $8,945) to PHP 2 million (approx. $35,780).
Unauthorized access or intentional breach
Unauthorized access or intentional breaches involving systems where personal data is stored can lead to imprisonment from one to three years and fines of between PHP 500,000 (approx. $8,945) and PHP 2 million (approx. $35,780).
Concealment of security breaches
Failing to notify the NPC about security breaches involving sensitive personal information can result in imprisonment from one year and six months to five years and fines ranging from PHP 500,000 (approx. $8,945) to PHP 1 million (approx. $17,885).
This article was also published under OneTrust Data Guidance. You may find the full article here: Philippines – Cookies & Similar Technologies | Notes | DataGuidance