RA 10173 (the Data Privacy Act of 2012) applies to virtually every Philippine business website that collects personal data — even just contact form submissions. Compliance is a baseline expectation.
Required for every PH business website
Privacy Policy. Explains what data you collect, why, how long retained, who has access, and how to request data removal.
Consent on forms. A consent checkbox that is unchecked by default, clear consent language, and a link to the privacy policy.
Data security. An SSL/TLS certificate so the site is served over HTTPS, plus reasonable security measures (for example, not forwarding form submissions to a personal Gmail account).
Data Protection Officer. A designated person (this can be the owner) whose contact information is made available.
Data subject rights. Process for requests to access, correct, delete personal data.
Required for larger operations
NPC registration. For PICs processing personal data of 1,000+ individuals or with 250+ employees, plus all entities in the mandatory categories listed in NPC Circular 17-01 §5 regardless of size — including healthcare, financial services, telcos, BPOs, and government contractors.
Privacy Impact Assessment. Before launching significant new data processing activities.
Data breach notification. Process for notifying NPC within 72 hours of certain breaches.
What “personal data” includes
- Names
- Email addresses
- Phone numbers
- Birth dates
- Addresses
- Health information (sensitive)
- Financial information (sensitive)
Even your contact form collects personal data.
Penalties
RA 10173 §§25–34 set criminal penalties — fines from ₱100,000 to ₱5,000,000 and imprisonment from 6 months to 7 years depending on the offense. Separately, NPC Circular 2022-01 sets administrative fines (up to 3% of annual gross income, capped at ₱5M) which the NPC may impose without criminal proceedings. The NPC may also order cessation of processing.
Practical compliance
- Privacy Policy linked from footer
- Consent checkbox on all forms
- HTTPS (SSL) site-wide
- Form submissions to secure storage, not personal email
- Annual privacy review
Budget
Standard compliance is included in any properly built website. There is no additional cost.
Compliance review needed? Send your details through the contact page for a specific recommendation within one Philippine business day.
This article is general guidance, not legal advice. RA 10173, NPC Circulars, and IRR provisions evolve. For your business’s specific obligations, consult a Philippine-licensed privacy lawyer.
Frequently asked questions
- What does RA 10173 require for websites?
- Privacy Policy explaining data collection. Consent on forms. Secure data storage. Designated Data Protection Officer. NPC registration for processing significant personal data. Right of data subjects to access, correct, or delete their data.