6 May 2026
The National Privacy Commission (NPC) has issued NPC Advisory No. 2026‑01 (“Advisory”), confirming that the scraping of publicly available personal data remains fully subject to the Data Privacy Act of 2012 (DPA). The Advisory dispels the persistent misconception that public availability equates to consent and clarifies that data scraping, particularly when conducted at scale or for commercial purposes, constitutes regulated personal data processing. It introduces heightened compliance expectations, including mandatory privacy impact assessments, stricter scrutiny of large‑scale scraping, and expanded obligations for entities that host public‑facing personal data.
The Advisory is especially relevant to organizations that scrape, use, purchase, or make available personal data for analytics, artificial intelligence, marketing, profiling, or platform operations. Now that regulatory attention is directed to these activities, organizations must ensure that their data processing practices and policies are aligned with the Advisory in order to avoid business disruption, penalties, and liabilities due to potential violations of the DPA and related issuances.
Key takeaways
The Advisory reflects a more interventionist regulatory stance by the NPC and underscores that publicly available data is not outside the scope of Philippine data protection law. In particular, the Advisory emphasizes the following key points:
- Publicly available personal data remains fully covered by the DPA.
- Data scraping must be supported by a valid lawful basis. Public availability does not constitute consent.
- Privacy Impact Assessments (PIAs) are required for data scraping activities, including those conducted through third‑party personal information processors (PIPs).
- Large‑scale scraping, profiling, data enrichment, and aggregation are subject to heightened regulatory scrutiny.
- Entities that host publicly available personal data now have affirmative transparency and security obligations.
In more detail
The Advisory provides structured guidance across the full lifecycle of data scraping activities, addressing not only entities that actively scrape personal data but also those that make personal data publicly accessible through their platforms. Collectively, these provisions emphasize the NPC’s expectation that organizations adopt a documented, risk‑based, and accountability‑driven approach when dealing with publicly available personal data.
- Scope and application. The Advisory applies not only to entities that actively scrape data, but also to personal information controllers (PICs) whose platforms host publicly available personal data that may be scraped by third parties.
- Privacy impact assessments. PICs are required to conduct and regularly update PIAs addressing the scope, risks, and safeguards relating to data scraping activities, including risks arising from data aggregation and downstream use.
- Sensitive and vulnerable data. Scraping sensitive personal information is generally prohibited unless strict statutory conditions are met. Scraping involving vulnerable individuals, such as minors and the elderly, will be subject to heightened scrutiny.
- Obligations of data hosts. Organizations hosting public‑facing personal data must inform users that their data may be scraped, disclose the categories of accessible data, provide mechanisms to object, and implement technical and organizational measures to deter unauthorized scraping.
- Use and secondary processing. Personal data obtained through scraping may not be repurposed beyond the originally declared purpose without a new lawful basis, updated notice to affected data subjects, and a fresh PIA.
Consequences of non-compliance
The Advisory reiterates that unauthorized or non‑compliant data scraping, including scraping that violates website terms, circumvents technical safeguards, or lacks a lawful basis, may expose organizations to criminal, civil, and administrative liability under the DPA, its implementing rules, and related NPC issuances. In particular, organizations may face compliance orders, enforcement actions, and administrative penalties arising from unlawful processing or failure to meet accountability and transparency requirements.
How this affects your business
Organizations that rely on publicly available personal data, whether for AI training, analytics, marketing, risk assessment, or platform operations, should review their existing data scraping and data hosting practices against the Advisory. This includes reassessing lawful bases, updating privacy notices, conducting or refreshing PIAs, reviewing third‑party arrangements, and strengthening safeguards against unauthorized scraping.
If you have questions about how this Advisory applies to your business, or if you would like assistance in reviewing or aligning your data practices with NPC expectations, please feel free to contact us. We would be pleased to assist with compliance assessments, PIAs, policy updates, and regulatory advisory support.