Philippines: The NPC releases Guidelines on Consent - part one

In today's digital landscape, consent is a cornerstone of effective privacy management and a critical safeguard for the rights of data subjects. In the Philippines, the National Privacy Commission (NPC) released NPC Circular No. 2023-04 (the Circular) on November 7, 2023, providing guidelines on the use of consent as a lawful basis for data processing, ensuring compliance by affected personal information controllers (PICs), and prohibiting, among others, the use of deceptive design patterns. On the same date, the NPC issued Advisory No. 2023-01 (the Advisory), which comprises the Guidelines on Deceptive Design Patterns. The Circular and the Advisory refer to each other and must be read together.

In this Insight Article, Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, discusses the more salient, practical implications of the Circular and the Advisory on affected PICs. He focuses on the Circular's impact on existing mechanisms for privacy notices, timing of consent, withdrawal of consent, and level of granularity, as well as underscoring the use of the 'average member of the target audience' standard, prohibitions against deceptive design patterns, and the compliance period. 

The layered privacy notice rule 

Transparency empowers data subjects to make informed decisions regarding their personal information. As a mechanism for the transparency principle, the Circular requires, in particular, that a PIC provide 'minimum specific information' - which is defined as the least amount of information specific to a particular processing activity - to the data subject at the point where they are asked to give consent. The Circular provides that a concise statement to the data subject should include a description of the personal data to be processed, the purpose, nature, extent, duration, and scope of processing for which consent is used as a basis, the identity of the PIC, the existence of the rights of the data subject, and how these rights can be exercised.  

The importance of providing minimum specific information is further emphasized by the layered privacy notice, which is mandatory. It is one important method by which the Circular seeks to address the rise of consent fatigue among data subjects. The NPC recognizes that 'if the data subject finds themselves overwhelmed by numerous and lengthy forms and notices, then there is a risk that the consent will be improperly given.' Consent fatigue arises when consent questions are no longer read, because a data subject receives multiple consent requests on a daily basis that require answers and decisions.

To avoid overwhelming the data subject with overly detailed requests, the layered privacy notice rule requires the PIC to first provide a short privacy notice containing key privacy information and then direct the data subject to more detailed information about the processing of one's data, such as by way of a link to a more comprehensive notice.  

Timing of obtaining consent 

Relevant information should be provided to data subjects at the time of obtaining consent, such as:  

  • an 'at set-up notice' where a privacy notice is shown before a data subject installs a mobile application or software;  
  • a 'just-in-time notice' which is a privacy notice that provides information at the point in time when the PIC is about to process such information; or  
  • a 'context-dependent notice' which is a privacy notice activated by certain aspects of the data subject's context, such as location or particular persons who will have access to the information or warnings about potentially unintended settings (e.g., children).   

As a general rule, when a PIC revises its terms and conditions it may be necessary for the PIC to obtain consent anew. The Circular provides for an exception: if the purpose, scope, method, and extent of processing remain consistent with the information given to the data subject at the time consent was given, then the retaking of consent by the PIC is no longer necessary. This provision recognizes that regular changes to the terms and conditions of a platform operated by a PIC may unnecessarily burden the data subjects with frequent requests for consent, thus causing consent fatigue.  

Double-notice rule for withdrawal of consent 

The NPC applies transparency principles not just in obtaining consent but also upon the withdrawal of consent. The Circular requires PICs to ensure that withdrawal mechanisms are user-friendly and not unduly challenging to the data subject, and 'as easy as, if not easier, than giving consent.' In particular, the Circular provides that a PIC should not utilize a different interface solely for the purpose of consent withdrawal, unless the utilization thereof will make the withdrawal process easier.  

The Circular also imposes a double-notice rule for withdrawal, i.e., the PIC should provide adequate information on the scope and consequences of the withdrawal of the consent at the start of the processing of personal data and at the point where consent is withdrawn. This means that the PIC must discuss the implications of one's withdrawal of consent in both the consent form and the consent withdrawal form. If further processing of data shall occur at any point after consent has been withdrawn, the PIC should inform data subjects accordingly, provided, of course, that there are lawful bases for processing personal data other than consent. 

Specific and granular consent 

As always, information must be conveyed using clear, plain, consistent, and straightforward language. Vague or blanket consent is expressly prohibited, underscoring the importance of granular and specific consent. Especially in cases where personal data is processed for multiple, unrelated purposes, the data subject should be given the option to give or withhold consent for each specific processing activity, or for each distinct purpose for processing. The Circular provides that a PIC shall present a list of purposes and allow the data subject to select which purposes they consent to, instead of requiring an all-inclusive consent to the processing for multiple purposes.  

The Circular prohibits the 'bundling' of consent. Consent that is not necessary for the provision of goods or services should not be bundled with or made a condition for the provision of the same.  

Where there is additional processing needed for an additional purpose, the PIC must ensure that the data subject provides consent separately for such additional processing. However, additional consent is not necessary when:  

  • further processing is within the data subject's reasonable expectation on the purpose, scope, manner, and extent of the processing of personal data; and  
  • the purpose of further processing is compatible with the original purpose for which the personal data was initially collected and communicated to the data subject.

In such cases where additional consent is not required, the PIC must establish a 'clear and reasonable link' between the original purpose and the additional purpose. Additionally, the impact of further processing on the data subject should be considered.  

Understandable to the average member of the target audience 

The Circular provides for an additional transparency standard that can further assist PICs in determining the appropriateness of their privacy notices: PICs should frame notices in a manner that is understandable to an 'average member of the target audience.' It further provides that the most suitable language (or dialect) for the intended data subject should be taken into consideration by the PIC. A PIC may use creative options, such as dynamic infographics, auditory notices, short videos, or scripted spiels, in delivering privacy information to make the information easier for its target audience to understand. 

Deceptive design patterns 

The Circular and the Advisory define deceptive design patterns as design techniques embedded in an analog or digital interface that aim to manipulate and deceive a data subject to perform a specific act relating to the processing of their personal data. The Circular prohibits PICs from using deceptive methods or any form of coercion, compulsion, threat, intimidation, or violence in obtaining consent. 

Under the Advisory, deceptive design patterns are not just content-based but also include appearance-based patterns. The former includes the use of ambiguous, complex, or confusing language or contradictory or misleading information in order to manipulate data subjects into giving consent. The latter includes design patterns that manipulate or deceive a data subject through a particular display or presentation of information, bombarding the data subject with information or presenting it in a complicated, confusing, excessive, or overwhelming manner. Other examples of appearance-based deceptive design patterns include consent mechanisms that restrict opt-outs (i.e., prohibit data subjects from categorically disallowing the processing of data), that provide for a difficult consent withdrawal process, accentuate choices that result in processing more personal data, and present manipulative default options (e.g., provide default options that maximize instead of minimize the amount of personal data to be processed).   

The Advisory provides that the use of deceptive design patterns 'may' result in invalidating consent which, in turn, will render the processing without lawful basis. Analysis is context-sensitive and works on a case-by-case basis. 

Effectivity 

The Advisory on deceptive design patterns does not contain penal provisions, but non-compliance may result in the invalidation of users' consent, which in turn will result in the processing of the data becoming unlawful. On the other hand, the Circular provides that the 'processing of personal data in violation [thereof] shall carry criminal, civil, and administrative liabilities' pursuant to Philippine data privacy laws. PICs have 180 days from the effectivity date (which is distinct from the release date) of the Circular (i.e., 180 days from November 22, 2023) to comply with select mandatory provisions, particularly, the provisions applicable to the Privacy Statement, Privacy Policy, and Privacy Notice, usage of just-in-time and layered notices as the default format, and withdrawal of consent.  

The NPC Guidelines on Consent and the Advisory on deceptive design patterns have far-reaching implications for PICs in the Philippines. Businesses and public sector controllers must balance the need for legal compliance with the need to achieve positive user experience[1].  

Edsel F. Tupaz, Partner
Gorriceta Africa Cauton & Saavedra, Pasig 


[1] The author wishes to thank Berne M. Facinal and Rosegail F. Abas for their valued contributions to this article.