By: Atty. Edsel F. Tupaz, Atty. Liane R. Candelario, & Julia S. Unarce
February 20, 2025
Summary
The Philippines National Privacy Commission’s Advisory on Child-Oriented Transparency addresses the vulnerabilities of children in digital environments, emphasizing the importance of transparency in data processing. It mandates age-appropriate privacy notices and Child Privacy Impact Assessments for products or services likely accessed by children, ensuring their protection and rights as data subjects. The Advisory also prohibits deceptive design patterns and stresses the involvement of parents or guardians in data processing activities. Overall, it aims to safeguard children’s data privacy while acknowledging their evolving capacities and the benefits of digitalization.
The NPC’s Advisory on Child-Oriented Transparency aims to protect children’s data privacy in digital environments.
The Philippines holds the distinction of having one of the highest mobile user penetration and social media usage in the world. A significant percentage of these users are children, who are more vulnerable to the threats of a digital environment – such as online bullying and sexual exploitation. In a study conducted by the United Nations International Children’s Emergency Fund (UNICEF), the Philippines was identified as the center of child sex abuse materials production in the world, with 80% of Filipino children being vulnerable to online sexual abuse.
Despite these risks, the opportunities and benefits of technology and digitalization on the growth, learning, and development of children should be acknowledged. For instance, post-pandemic, schools and other educational institutions have adopted remote learning and digital tools as modes of teaching, including tools for parental or guardian monitoring. Online platforms also enable access to general knowledge, the latest news and information, internet games, and other forms of children’s entertainment.
As part of a child’s developmental environment, the digital age has thus ushered data privacy issues that must be addressed concerning children as data subjects. With this, the Philippine National Privacy Commission (NPC) recently issued its Advisory on Child-Oriented Transparency (the Advisory) which applies to personal information controllers (PICs) and personal information processors (PIPs) engaged in the processing of children’s personal data, whether in a digital or physical environment. The Advisory covers products or services specifically intended for children or likely to be accessed by children.
In this Insight article, Edsel F. Tupaz, Liane Stella R. Candelario, and Julia Antoinette S. Unarce, from Gorriceta Africa Cauton & Saaavedra, delve into the Advisory and its main provisions.
Definition of a child in light of international instruments and Philippine law
February 20, 2025
The United Nations Convention on the Rights of the Child (UNCRC) defines a child as a human being below the age of eighteen years unless the national law considers the age of majority attained at an earlier age.
While the Philippines generally adheres to the UNCRC’s definition, this is qualified by Republic Act No. 7610 (RA 7610), also known as the Special Protection of Children Against Abuse, Exploitation and Discrimination Act of 1992, which defines ‘children’ as person(s) either:
- below 18 years of age;
- or those that are unable to fully take care of themselves or protect themselves from abuse, neglect, cruelty, exploitation, or discrimination because of a physical or mental disability or condition.
Thus, RA 7610 expands on the UNCRC’s definition and makes it more inclusive to vulnerable persons, who are often victims of neglect, abuse, and exploitation (regardless of biological age).
The definition of a ‘child’ as set under RA 7610 was adopted as a policy under the Advisory, in the context of a child being a data subject under the Philippines’ data privacy law regime.
Principles of transparency as applied to a child
As its name implies, the Advisory centers its discussion on the general data privacy principle of transparency, which requires PICs to provide data subjects with the necessary information on the nature, purpose, and extent of processing, including the risks and safeguards involved, the identity of the PIC, as well as data subject rights and how these rights can be exercised. Furthermore, ‘transparency’ requires that any information and communication relating to the processing of personal data should be easy to access, concrete and definitive, understood by a member of its target audience, and presented in a simple manner using clear and plain language while retaining necessary technical terms.
Despite their limited capacities, children as data subjects are entitled to the different protections under the principle of transparency. The Advisory prescribes special requirements for children in light of the principles of ‘best interest of the child’ and ‘evolving capacities,’ which are the primordial considerations in all actions involving children. On this note, recognizing that children as rights holders with varying degrees of maturity gives full effect to their best interests and evolving capacities.
Consequences
Privacy notice
One of the key points of the Advisory is the provision for an age-appropriate privacy notice. The NPC instructs PICs to ensure that children are aware of the nature, purpose, and extent of the processing of their personal data. PICs should consider the readability (e.g., vocabulary, tone, or style), comprehension, and granularity of privacy notices that are suitable for children. The age-appropriate privacy notice must also be readily accessible, taking into consideration the application or platform’s user experience (UX) and user interface (UI) geared towards children who are data subjects, and which must clearly inform such children/users how to access information or communication relating to the processing of their personal data.
For the child’s appreciation, PICs may utilize a variety of alternative formats, such as videos, infographics, animations, and audio recordings, to deliver privacy-related information. PICs should design these formats to ensure that the age-appropriate privacy notices are presented in a manner that is simple and easily understandable, taking into consideration the age range of the intended or likely users. In instances where the product or service involves or contemplates children as data subjects, regardless of whether it is also intended for adults, PICs must provide child-friendly privacy notices in addition to standard versions. Just-in-time privacy notices and layered privacy notices must also be provided to complement the age-appropriate privacy notice.
Aside from the basic information on data processing, PICs should inform the children of the:
- appropriate lawful basis of the processing of their data;
- potential consequences and risks associated with the processing of the personal data of the children;
- importance of privacy settings;
- rights as data subjects and the manner and method of exercising these;
- and revisions or updates to the (age-appropriate) privacy notice, if any.
Child Privacy Impact Assessment
Another key obligation of PICs is the conduct Child Privacy Impact Assessment (CPIA) as part of their Privacy Impact Assessment (PIA) before launching products or services intended or likely to be accessed by children and thereafter as may be necessary. This complements the mandate of PICs to adopt a risk-based and child-oriented approach when informing children whose data they are processing, taking into account their age and the risks involved in the specific processing activity. The PIA is a continuing requirement and must be regularly reviewed and updated to account for changes in products, services, processes, or regulations.
PICs should also implement appropriate measures to address any risks identified in the PIA to ensure the protection of children’s personal data. In this regard, PICs may employ age-assurance mechanisms to determine the age range of their users as a tool to adopt age-appropriate practices when processing children’s personal data. In determining the most suitable age assurance mechanism for a specific processing activity, PICs should recognize that relying solely on users’ self-declaration may be inadequate for high-risk processing activities. Children should also understand the purpose of the age assurance process.
Furthermore, PICs must adopt a risk-based approach to determine and implement appropriate and enhanced privacy controls when processing children’s personal data. PICs must ensure that the children’s accounts have privacy settings set to the highest level by default – settling profiles to private, and minimizing data sharing unless necessary for the specific purpose. PICs must also ensure that children are fully aware of the available privacy settings and how to adjust them.
Deceptive design patterns
In the Advisory, the NPC reiterates its stand that PICs should not use deceptive methods or any form of coercion, compulsion, threat, intimidation, or violence in the processing of the children’s personal data. PICs shall not use characters that children know and trust to influence them to provide more information than necessary for the specified and declared purpose. Further, PICs shall not use designs that nudge or steer children toward selecting options that compromise their privacy or are inconsistent with their best interests.
Parents’ or guardians’ involvement and the PICs’ data breach obligation
As holders of parental authority, the Advisory recognizes that the involvement of parents or guardians may be necessary in determining whether children may participate in the specific processing activity, particularly when there are heightened risks to children.
Moreover, in case of a data breach involving children that falls under mandatory notification, PICs must also notify both the children and their parents or guardians (as applicable) when the breach falls under mandatory breach notification. However, the Advisory is notably silent as to the PICs’ verification procedures with respect to the parents/guardians’ relationship with the child, stating only PICs must determine the appropriate methods for securing and verifying this involvement based on the level of risk to children.
At any rate, children as data subjects are also entitled to notification in case there is a breach involving their personal information. When notifying children, PICs must use appropriate language readily understandable to the children, in light of the principle of transparency.
Key takeaways
The unique needs of children as data subjects are often unfortunately overlooked, which creates digital hazards that if unchecked, leaves a child grossly vulnerable to exploitation in a digital environment which can prejudice the growth and development of children. Thus, the Advisory on Child Oriented Transparency is a great step in the right direction and, no less, a triumph for the advocacy on children’s rights, particularly on children’s right to data privacy.
PICs and PIPs should further refine and tailor their data processing activities to curtail the digital risks for children and ensure that their platforms and/or applications protect and contribute towards a healthy learning and entertainment environment that supports a child’s progress in the digital age. The Advisory confirms that children, despite their inherent vulnerability, must be protected and afforded their right to access information. This imposes special obligations unto PICs (and indirectly to PIPs), while taking into consideration the varying degrees of maturity of children who are constantly evolving their own capacities and addressing their respective needs.
Edsel F. Tupaz is a Senior Partner, Head of Data Privacy, Cybersecurity and AI Initiatives Practice Group & Head of Special Projects and Infrastructure Group. Edsel is a Dual-qualified under the Philippine and New York Bars, with over 20 years of expertise across data privacy & protection, technology, cybersecurity, AI, infrastructure, government procurement, corporate law, and banking and financial services. Master of Laws from Harvard Law School, holds economics and law degrees from Ateneo (both with honors), served as Managing Technical Editor of the Harvard Human Rights Journal, and listed under the Experts Directory for Philippine privacy law on OneTrust DataGuidance. Certified Information Privacy Professional – Europe (CIPP/E) and Certified Information Privacy Manager (CIPP) under IAPP. Challenger at the Alan Turing Institute’s Data Challenge – Policy Priorities and AI for Sustainable Development Goals (2023-2024). Awarded “Data Privacy & Protection Lawyer of the Year” at the 2023 Philippine Law Awards and is recognized among the Top 100 Lawyers in the Philippines by Asia Business Law Journal.
Liane Candelario is a Senior Associate who specializes in banking, securities, mergers & acquisitions, finance & technology, corporate, and data privacy law. Liane regularly renders end-to-end legal advisory services – such as business model regulatory review, corporate structuring, M&A, license acquisition, and regulatory compliance on banking, securities, AML/CTF, and data privacy matters – to both onshore and offshore companies ranging from start-ups to publicly-listed entities. She also assists top Philippine banks and non-bank financial institutions in securing licenses from the Philippine Central Bank (Bangko Sentral ng Pilipinas).
Julia Antoinette S. Unarce is a Junior Associate at the Firm and a member of its Litigation, Data Privacy, Anti-Money Laundering, and Environmental, Social, and Governance (ESG) Departments. Her practice spans a broad range of legal matters, including civil, criminal, and administrative cases. She actively represents clients before courts and administrative agencies, and is involved in the negotiation, settlement, and pre-litigation resolution of disputes. In addition to litigation, she provides advisory services on evolving regulatory frameworks, assisting clients with business formation, compliance with reportorial obligations, policy development, and other corporate and regulatory matters.
This article was originally published on OneTrust Data Guidance. You may find the full article here: https://www.dataguidance.com/opinion/philippines-npcs-advisory-child-oriented
