Data Privacy Law for Minors (Under 13) in the Philippines
A 2025 practitioner’s guide
1. The policy lens: why “under 13” matters
While Republic Act 10173 (Data Privacy Act – DPA) protects all persons, the National Privacy Commission (NPC) treats children as a particularly vulnerable class. In its 2024 Guidelines on Child-Oriented Transparency the NPC notes that the “age range of intended or likely users” must shape every privacy decision, and specifically mentions age-assurance bands of 0-5, 6-12 and 13-17. Thus, children below 13 trigger the highest protection tier. citeturn1view0
2. Core statute and implementing rules
| Instrument | Key take-aways for children <13 data-preserve-html-node="true" |
|---|---|
| RA 10173 (2012) & IRR | • Constitutional right to privacy incorporated (Art III §3, 1987 Constitution) • Processing must rest on one of six lawful bases; for minors this is almost always verified parental consent (IRR §48 & NPC Circular 23-04) • Extraterritorial reach when data subjects are in the PH • Civil & criminal penalties, plus NPC cease-and-desist powers citeturn0search2turn3search0 |
| NPC Circular 23-04 – Guidelines on Consent (2023) | • Parental/guardian consent required until a child can “understand the consequences of the processing” • Prohibits deceptive design and consent bundling • Requires granular, revocable and documented consent records citeturn3search0 |
| NPC Circular 23-06 – Security of Personal Data (2023) | • Mandates privacy-by-design, encryption at rest & in transit, and breach drills; expressly recommends stronger controls for users <13 data-preserve-html-node="true" at account creation stage citeturn13search0 |
| NPC Advisory 24-03 – Child-Oriented Transparency (2024) | • Obligatory Child Privacy Impact Assessment (CPIA) before launch • Default high-privacy settings (no geolocation, no public profile, no personalised ads) • Layered & just-in-time notices written “in words a child will understand” • Age-assurance: self-declaration alone is insufficient for high-risk processing citeturn1view0 |
3. Related child-protection statutes with privacy hooks
| Law | Relevance to data privacy for <13s data-preserve-html-node="true" |
|---|---|
| RA 11930 (Anti-OSAEC & Anti-CSAEM Act, 2022) | Makes online sexual abuse/exploitation a stand-alone crime. ISPs and platforms must block, preserve, and swiftly disclose evidence to law-enforcement without destroying chain-of-custody; retention must still observe DPA proportionality. citeturn10search0 |
| RA 10175 (Cybercrime Prevention Act, 2012) | Heightens penalties for child-porn offences committed online and empowers courts to order real-time traffic data collection—requiring PICs to balance lawful access with the DPA’s data-minimisation rule. citeturn11search0 |
| RA 11862 (Expanded Anti-Trafficking, 2022) & RA 7610 | Extend liability to digital grooming/enticement; privacy officers must flag any atypical transfer of a child’s images or contact details. citeturn11search8 |
| DepEd Orders 22-023 & 22-035 | Bind all basic-education institutions: learner data may only be posted/share with written parent consent; unused enrolment forms must be shredded. citeturn12search1turn12search6 |
4. What “verifiable parental consent” looks like (NPC practice notes)
- Multi-factor check – upload of parent ID + one-time selfie or digital signature.
- Cool-off window – 24-hour delay before activation so the parent can withdraw.
- Separate child view – the service must not conceal consent terms inside a general ToS (NPC AO 2020-046 on schools). citeturn2search1
5. Rights children (and their parents) may invoke
| Right (DPA §16-18) | Under 13 specificities |
|---|---|
| Access & Copy | May be exercised by the child or the parent/guardian; PIC must supply in child-friendly format (e.g., icon-based report). |
| Erasure / Blocking | Stronger weight where continued processing “is not in the best interests of the child”. |
| Object to processing | If a child is capable of forming his/her own views, PIC should allow a dual-consent model (child + parent). |
NPC has ruled that schools posting class lists online without parent approval infringed both the learner and the parent’s rights (NPC Case 19-498). citeturn3search2
6. Platform & app design checklist (quick compliance for 2025)
- Age-gating + assurance: AI face-estimators + SMS-OTP to parent device.
- Default off: location sharing, direct messaging, public profile, behavioural ads.
- CPIA filed: include risk-scenario modelling for 6-12-year-old cohort.
- High-contrast, icon-based notices: reading level Grade 3 or lower.
- Log retention: 30 days unless RA 11930 preservation order received.
- Breach playbook: dual notice (child + parent) within 72 hours (NPC 24-03 §4).
7. Enforcement landscape
| Body | Powers |
|---|---|
| NPC | Audit; issue compliance orders; administrative fines up to ₱5 m or 1% of annual gross income; criminal referral to DOJ. |
| DICT-CICC & PNP-WCPU | Seize servers, forensically image evidence (RA 11930 §23). |
| Courts | Warrant “production orders” compelling disclosure of logs under RA 10175; penalties ↑ one degree when the victim is <18. data-preserve-html-node="true" |
8. 2024-2025 policy horizon
- Senate Bill 2934 – Internet Safety Education Program (pending) will make digital-safety modules compulsory in every elementary school, complementing RA 11930. citeturn5view0
- NPC draft Guidelines on AI & Children (Advisory 24-04) propose a ban on emotion-recognition for users under 13. citeturn13search4
- Ongoing consultations on a Child Online Safety Act modelled on the UK Age-Appropriate Design Code.
Conclusion
The Philippines has no single “COPPA-style” statute, but an inter-locking regime centred on the Data Privacy Act, buttressed by expanded child-protection laws and a fast-evolving set of NPC circulars. For organisations processing data of children below 13, the regulatory watchwords are parental consent, age assurance, privacy-by-default and the child’s best interests. Given the NPC’s recent focus—and looming legislation—early compliance is vastly cheaper than being the test case that defines the next administrative fine.