
Differences Between and Legal Effects of Opt-in vs Opt-out under Philippine Data Privacy Law
Differentiating between Opt-in and Opt-out
“Opt-in” and “Opt-out” are means by which a Data Processor secures consent from a Data Subject. The primary difference between the two is that “opting-in” is an active form of giving one’s consent, where the user takes affirmative action to offer their consent, while under “opting-out” consent is impliedly given by the Data Subject to the Data Processor, and the user must take action to withdraw their consent.
Opting-in would involve, for example, a user logging into a website and having to express consent to the website’s privacy notice by ticking a box. Only once the user has agreed to the privacy notice will he then be allowed access to the contents of the website.[1]
On the other hand, opting-out involves a structure where the Data Processor presumes that the user, by the mere act of engagement, manifests consent to the use of their data – in effect, the opt-out system acts as a tacit “yes”.[2] Such consent persists until the user explicitly withdraws their consent. One example would be a website that requires users to uncheck a pre-marked box to undo a confirmation that the user consents to certain offers, such as receiving regular news and updates.[3]
Consent under the Data Privacy Act
Under the Philippine Data Privacy Act, consent is defined as “x x x any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.” Consent is evidenced “by written, electronic or recorded means, [and] may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.” [4]
Consent is essential as it is generally considered as a requisite in order for Data Processors to be allowed to process personal information of data subjects. Processing data without the consent of the data subject is considered “Unauthorized Processing of Personal Information and Sensitive Personal Information” under the Data Privacy Act. Penalties imposed by the Data Privacy Act include imprisonment and a fine, the gravity of which would depend on the type of personal data processed without the consent of the Data Subject.[5] The Data Privacy Act also punishes “Unauthorized Disclosure”, or the act of disclosing personal information without the consent of the Data Subject.[6]
The Opinion of the National Privacy Commission
On August 14, 2017, the National Privacy Commission issued an Advisory Opinion[7] on the Validity of an Implied form of Consent. The National Privacy Commission cited the definition of consent under the Data Privacy Act and its Implementing Rules and Regulations. It put emphasis on the phrases “freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing” and “evidenced by written, electronic or recorded means”.
Based on the phrases it emphasized in its Advisory Opinion, the National Privacy Commission concluded that the consent contemplated by the law is an express consent where the Data Subject voluntarily assents to the collection and processing of personal information, as opposed to implied or inferred consent resulting from the data subject’s inaction. The Advisory Opinion goes on to state that implied or inferred consent is not recognized in this jurisdiction. The Data Processor must never assume the Data Subject’s consent, unless it falls under circumstances which permit the processing of personal or sensitive personal information without consent under the Data Privacy Act and its Implementing Rules and Regulations.
The National Privacy Commission reiterated that consent under the law has three requisites: (1) freely given; (2) specific; and (3) informed indication of will. An implied form of consent would not satisfy the first requisite, that consent be freely given, due to the absence of an overt act of consent by the data subject. The law also requires a written, electronic or recorded means to evidence the consent, something that would not exist if the consent given is merely implied.
The NPC Advisory Opinion likewise cites with approval Recital 32 of the General Data Protection Regulation of the European Union, which states:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
The NPC Advisory Opinion makes it clear that it is the opinion of the Commission that Data Processors must follow the opt-in system in order to secure consent from Data Subjects. In contrast, the Advisory Opinion raises doubts as to whether an opt-out system would satisfy the requirements for consent under Philippine Data Privacy law.
[1] https://termly.io/resources/articles/opting-in-vs-opting-out/
[2] https://www.inc.com/articles/2002/10/24718.html
[3] https://termly.io/resources/articles/opting-in-vs-opting-out/
[4] Sec 3(b) RA 10173
[5] Sec 25 RA 10173
[6] Sec 32 RA 10173
[7] Advisory Opinion No. 2017-42, National Privacy Commission