In today’s digital economy, data is currency—and in the Philippines, that currency is protected under the Data Privacy Act of 2012 (DPA). For businesses, particularly in marketing, navigating this law is crucial to building customer trust and avoiding hefty penalties.
So how does this law affect your marketing strategies? Whether you’re collecting emails, tracking user behavior, or running personalized ads, the DPA shapes what you can and cannot do.
What is the Data Privacy Law in the Philippines?
The Data Privacy Act (DPA) of 2012, also known as RA 10173, is comprehensive and strict legislation that protects people’s privacy while ensuring the free flow of information to promote innovation and growth. The main goal of the DPA is to protect people from unauthorized use of their personal information.
Two things are fundamental to the DPA: a user’s right to be informed about how their personal data (e.g. address, contact details, occupation, names of parents, and any other information that would make them identifiable) will be used, and their consent to providing that information.
Acting as overseer and enforcer of the DPA is the National Privacy Commission (NPC). The NPC can punish those who violate the DPA with fines ranging from PHP 100,000 to PHP 5 million and imprisonment for six months to seven years, depending on the severity of the breach.
Who will be affected by the Data Privacy Law?
The DPA applies to individuals and organizations that process the personal information of their users, whether that information is recorded online or offline. If an organization has at least 250 employees or has access to the personal information of at least 1,000 people, it is required to register with the NPC and comply with the DPA.
The act does not apply to the processing in the Philippines of personal information that was lawfully collected from people living outside the country, whether Filipino or foreign.
How does one comply with the Data Privacy Act of 2012?
For compliance with the DPA, organizations must follow these six steps:
- Appoint a Data Protection Officer (DPO).
  Organizations that collect or process personal data must designate a DPO or at least a Compliance Officer for Privacy (COP).
  - The DPO is responsible for ensuring compliance with the DPA, issuing privacy notices, managing data subjects’ rights, and coordinating with the NPC.
  - The DPO must be registered with the NPC through the DPO registration platform.
- Conduct a Privacy Impact Assessment (PIA).
  A PIA evaluates how projects, systems, or processes affect data privacy.
  - It identifies privacy risks and the measures needed to mitigate them.
  - The PIA must be updated regularly, especially when introducing new technologies or processes involving personal data.
  Note: The NPC has released updated templates and guidance on how to conduct a PIA under its Privacy Toolkit.
- Create a Privacy Management Framework.
  A Privacy Management Framework (PMF) is a holistic approach to containing data breaches and helping members of the organization comply with the DPA and other NPC issuances. The NPC now refers to this as a Privacy Management Program (PMP) and recommends that it include:
  - Privacy policies and procedures
  - Risk management strategies
  - Training and awareness programs
  - Data governance practices
  A PMP aligns internal privacy efforts with the DPA and ensures organization-wide compliance.
- Implement Privacy and Data Protection Measures.
  Organizations must apply appropriate organizational, physical, and technical security measures. These include:
  - Access controls
  - Encryption and secure storage
  - Data minimization and retention policies
  - Staff training and privacy awareness
  These safeguards must be reviewed regularly and documented in a Security Incident Management Plan (SIMP). Organizations must follow through on their responsibility to protect their users’ data: they are required to assess, review, and revise their protection measures whenever necessary.
- Exercise Breach Reporting Procedures.
  When a personal data breach occurs or is suspected, organizations are required to notify the affected users and the NPC. They must also assess the breach in order to lessen its impact.
  - If a personal data breach occurs and is likely to result in harm to affected individuals, it must be reported to the NPC within 72 hours from discovery.
  - Organizations must also notify the affected data subjects without undue delay.
  - Maintain an internal breach register/log for all security incidents.
- Register your company with the NPC.
  Organizations should register with the NPC and make sure they have all necessary documentation. Registration must cover all automated processing operations that have a legal effect on users, and organizations must also submit annual reports on security incidents.
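The breach-reporting step above sets two clocks: the NPC must be notified within 72 hours of discovery when the breach is likely to harm individuals, and every incident (reportable or not) goes into an internal register. The following is an added example, not code from the original article or from FilePino; it models that register in Python, with the 72-hour deadline computed from the discovery time. Class, field and function names (`Incident`, `BreachRegister`, `open_obligations`) and the sample incidents are assumptions constructed for illustration.

```python
"""Breach register with NPC reporting-deadline tracking (illustrative, not an NPC tool)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NPC_WINDOW = timedelta(hours=72)  # reporting window, counted from discovery


@dataclass
class Incident:
    incident_id: str
    discovered_at: datetime          # timezone-aware; the 72-hour clock starts here
    summary: str
    likely_harm: bool                # outcome of the breach assessment
    npc_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None

    def npc_deadline(self) -> datetime:
        return self.discovered_at + NPC_WINDOW

    def npc_report_required(self) -> bool:
        # Only breaches likely to harm individuals must be reported to the NPC.
        return self.likely_harm

    def npc_overdue(self, now: datetime) -> bool:
        return (self.npc_report_required()
                and self.npc_notified_at is None
                and now > self.npc_deadline())

    def hours_left(self, now: datetime) -> float:
        """Hours remaining to notify the NPC (negative once overdue)."""
        return (self.npc_deadline() - now) / timedelta(hours=1)


class BreachRegister:
    """Internal register of all security incidents, reportable or not."""

    def __init__(self) -> None:
        self._incidents: Dict[str, Incident] = {}

    def log(self, incident: Incident) -> None:
        # Naive timestamps would make the deadline arithmetic ambiguous; reject them.
        if incident.discovered_at.tzinfo is None:
            raise ValueError("discovered_at must be timezone-aware")
        if incident.incident_id in self._incidents:
            raise ValueError(f"duplicate incident id {incident.incident_id}")
        self._incidents[incident.incident_id] = incident

    def record_npc_notification(self, incident_id: str, at: datetime) -> None:
        self._incidents[incident_id].npc_notified_at = at

    def record_subject_notification(self, incident_id: str, at: datetime) -> None:
        self._incidents[incident_id].subjects_notified_at = at

    def open_obligations(self, now: datetime) -> List[Dict[str, object]]:
        """Everything still owed to the NPC or to data subjects, with status."""
        out: List[Dict[str, object]] = []
        for inc in self._incidents.values():
            if not inc.npc_report_required():
                continue  # logged internally only, nothing to notify
            if inc.npc_notified_at is None:
                out.append({"incident_id": inc.incident_id, "owed_to": "NPC",
                            "overdue": inc.npc_overdue(now),
                            "hours_left": round(inc.hours_left(now), 1)})
            if inc.subjects_notified_at is None:
                # "Without undue delay": no fixed window, so no countdown is shown.
                out.append({"incident_id": inc.incident_id, "owed_to": "data subjects",
                            "overdue": None, "hours_left": None})
        return out


def demo() -> dict:
    """Constructed sample: one reportable breach and one low-risk incident."""
    reg = BreachRegister()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    reg.log(Incident("INC-001", t0, "mailing-list export found on a public share", likely_harm=True))
    reg.log(Incident("INC-002", t0, "phishing e-mail reported, no click", likely_harm=False))
    at_60h = t0 + timedelta(hours=60)
    at_80h = t0 + timedelta(hours=80)
    pending_early = reg.open_obligations(at_60h)   # 12 hours left for the NPC report
    pending_late = reg.open_obligations(at_80h)    # NPC report now 8 hours overdue
    reg.record_npc_notification("INC-001", at_80h)
    reg.record_subject_notification("INC-001", at_80h)
    return {"early": pending_early, "late": pending_late,
            "after_notify": reg.open_obligations(at_80h)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The low-risk incident stays in the register but never appears in the open obligations, which is the distinction the article draws between logging every incident and reporting only those likely to cause harm.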
Core Principles of the Data Privacy Act That Affect Marketing
The DPA is built on key principles that every marketer should understand:
- Transparency – Individuals must be informed of how their data will be used.
- Legitimate Purpose – Data collection must be for a clearly defined and lawful purpose.
- Proportionality – Only the minimum necessary data must be collected and processed.
In marketing, this means you can’t just gather as much information as you want for future use. Everything needs to be purposeful and disclosed.
How does this affect your marketing campaigns?
If your marketing campaign does not involve collection of any personal data, you don’t have to worry about the DPA. However, if your campaign requires people to provide personal information, then you must comply with two basic rules:
- You must properly inform users that the data they are asked to provide will be used. This is usually done through a Terms and Conditions page or a similar notice.
- You must provide a simple and easy way for users to opt out of sharing their personal information. This could be accomplished with an unsubscribe option during registration.
Before asking for or using any personal data of anyone, your organization must notify them of the following:
- Description of the personal data being collected
- Exact use of the data (direct marketing, research, statistics, etc.)
- Basis for processing the data
- Scope and method of personal data processing
- Who will receive the data
- Effects on the user after they agree to share the data
- Identity and contact details of the person controlling the personal information
- How long the organization will keep the data
- The user’s rights to their personal information
The key rule here is that organizations must always ask for consent from the users who will be sharing their personal information with them. Moreover, an organization cannot gather information about an individual or their family members without their consent.
Failing to follow the appropriate data privacy and protection procedures could lead to the compromise of your clients’ personal information. This may adversely affect your company’s trustworthiness and credibility in the marketing sphere and negatively impact your campaigns. All of this comes on top of the sky-high fines and severe penalties for mismanagement of client information, which is likely to occur without proper data security measures.
Security Obligations for Marketing Data
Per Section 20, organizations must adopt reasonable and appropriate organizational, physical, and technical measures to secure personal data. In marketing, this includes:
- Using secure email marketing platforms
- Encrypting stored data
- Restricting access to contact lists
- Keeping your privacy policy and cookie settings up-to-date
- Training your marketing team on data protection practices
The level of security should reflect the type of data collected, risk level, and organization size.
What Consent Looks Like Under the Data Privacy Act
The DPA defines consent as:
“Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal data.”
In marketing, this means:
- You cannot use implied consent (e.g., “By browsing this site, you agree…”).
- Consent must be recorded, and users should be allowed to withdraw it anytime.
Penalties for Non-Compliance
Violating the DPA can result in:
- Fines ranging from ₱500,000 to ₱5 million
- Imprisonment of 1 to 6 years for serious offenses
- Loss of customer trust and damage to your brand reputation
Best Practices for Privacy-Compliant Marketing Campaigns
Here are key steps to stay compliant:
- Include a privacy notice in every data collection form
- Use double opt-in for subscriptions
- Create a clear and accessible privacy policy
- Keep records of all consents obtained
- Train your marketing team on data privacy principles
- Audit third-party tools for compliance
- Ensure data minimization—collect only what’s needed
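The consent section above (consent must be specific, informed, recorded, and withdrawable at any time) and the best practices just listed (double opt-in, keep records of all consents, collect only what is needed) describe the same mechanism from two angles. The following is an added example, not code from the original article or from FilePino; it shows a small consent registry in Python that only activates consent after a double opt-in token is confirmed, scopes each consent to one stated purpose, records every event against the privacy-notice version the person saw, and supports withdrawal. All names (`ConsentRegistry`, `minimize`, `PURPOSES`, the sample e-mail address and notice version) are assumptions constructed for illustration.

```python
"""Consent registry with double opt-in, purpose scoping, withdrawal and data minimization
(illustrative example; not an NPC or FilePino tool)."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Consent is specific: consent for one purpose never covers another.
PURPOSES = {"direct_marketing", "research", "statistics"}

# Data minimization: the subscription form may only carry these fields.
ALLOWED_FIELDS = {"email", "first_name"}


@dataclass
class ConsentEvent:
    at: datetime
    action: str          # "requested", "confirmed", "rejected", "withdrawn"
    purpose: str
    notice_version: str  # which privacy notice the subject was shown


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    notice_version: str
    pending_token: Optional[str] = None
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


def minimize(form: Dict[str, str]) -> Dict[str, str]:
    """Drop every submitted field the form does not need (proportionality)."""
    return {k: v for k, v in form.items() if k in ALLOWED_FIELDS}


class ConsentRegistry:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.history: List[ConsentEvent] = []   # the "record of all consents"

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def request(self, email: str, purpose: str, notice_version: str) -> str:
        """Double opt-in step 1: record the request and return the token to e-mail out."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        token = secrets.token_urlsafe(32)
        self._records[(email, purpose)] = ConsentRecord(email, purpose, notice_version,
                                                        pending_token=token)
        self.history.append(ConsentEvent(self._now(), "requested", purpose, notice_version))
        return token

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        """Double opt-in step 2: consent becomes active only when the e-mailed token is presented."""
        rec = self._records.get((email, purpose))
        if rec is None or rec.pending_token is None:
            return False
        if not hmac.compare_digest(rec.pending_token, token):  # constant-time comparison
            self.history.append(ConsentEvent(self._now(), "rejected", purpose, rec.notice_version))
            return False
        rec.confirmed_at = self._now()
        rec.pending_token = None  # single use
        self.history.append(ConsentEvent(self._now(), "confirmed", purpose, rec.notice_version))
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        """Withdrawal is always available; the record is kept, not deleted, as evidence."""
        rec = self._records.get((email, purpose))
        if rec is None or not rec.active():
            return False
        rec.withdrawn_at = self._now()
        self.history.append(ConsentEvent(self._now(), "withdrawn", purpose, rec.notice_version))
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        """The check every campaign job should run before touching a contact."""
        rec = self._records.get((email, purpose))
        return rec is not None and rec.active()


def demo() -> dict:
    """Constructed walkthrough: subscribe, confirm, try another purpose, withdraw."""
    reg = ConsentRegistry()
    submitted = {"email": "jane@example.com", "first_name": "Jane", "mothers_name": "Maria"}
    form = minimize(submitted)                      # mothers_name is dropped
    token = reg.request(form["email"], "direct_marketing", "privacy-notice-v3")
    before = reg.may_process(form["email"], "direct_marketing")   # not yet confirmed
    reg.confirm(form["email"], "direct_marketing", token)
    after = reg.may_process(form["email"], "direct_marketing")
    other = reg.may_process(form["email"], "research")            # never consented to this
    reg.withdraw(form["email"], "direct_marketing")
    final = reg.may_process(form["email"], "direct_marketing")
    return {"fields": sorted(form), "before": before, "after": after,
            "other_purpose": other, "after_withdraw": final,
            "events": [e.action for e in reg.history]}


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here: the registry keys consent by (subject, purpose), so a "research" job cannot reuse a "direct marketing" consent, and withdrawal marks the record rather than deleting it, so the history still proves what was consented to, when, and under which notice version.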
How does compliance benefit your campaign and overall business?
Apart from avoiding the stiff penalties for non-compliance, complying with the DPA while executing your marketing campaign can prove beneficial for your organization’s bottom line.
- Compliance proves your business’s legitimacy and demonstrates your transparency to your clients
- Compliance assures your clients that your organization is serious about properly managing their personal information, thus building trust and earning their loyalty
- Compliance ensures your organization’s longevity and competitiveness in an international setting where data privacy frameworks like the European General Data Protection Regulation and the Asia-Pacific Cooperation Privacy Framework have been set up
… and you might just need our assistance.
Need help regarding Data Privacy Law? Set up a consultation with FilePino today! Call us at (02) 8478-5826 (landline) and 0917 892 2337 (mobile) or send an email to info@filepino.com.