Philippine Legal Context
In the Philippines, consent forms are often used by businesses, schools, employers, clinics, associations, websites, apps, and government-facing service providers to justify the collection and use of personal information. However, under the Data Privacy Act of 2012, consent is not merely a signature on a form. It is a legal basis for processing personal data, and it must meet specific standards to be valid.
A poorly written consent form can create legal risk. It may fail to inform the data subject properly, authorize processing that is too broad, or give the false impression that consent can be used for every kind of data processing. A proper consent form must be clear, specific, informed, freely given, and tied to a legitimate purpose.
This article explains the requirements, structure, content, legal effect, and practical use of consent forms under Philippine data privacy law.
I. The Legal Framework
The main law is the Data Privacy Act of 2012, also known as Republic Act No. 10173.
It is implemented through rules, regulations, advisories, and issuances of the National Privacy Commission, commonly called the NPC.
The law regulates the processing of:
- Personal information
- Sensitive personal information
- Privileged information
The law applies to the processing of personal data by persons or entities in government and the private sector, subject to certain exceptions.
II. What Is a Data Privacy Consent Form?
A data privacy consent form is a document, physical or electronic, by which a data subject agrees to the collection, use, storage, sharing, disclosure, or other processing of personal data.
It is commonly used when an organization needs the data subject’s permission for a specific processing activity.
Examples include:
- Patient intake forms
- Student enrollment forms
- Employee onboarding forms
- Customer application forms
- Membership forms
- Website registration forms
- Marketing subscription forms
- Event registration forms
- CCTV notices with consent components
- App permissions and electronic consent screens
- Waivers and releases involving personal data
- Authorization forms for release of records
A consent form is not merely an administrative document. It is part of the organization’s legal basis for processing data and part of its accountability documentation.
III. Consent Is Only One Legal Basis for Processing
One common mistake is assuming that every data processing activity requires consent. That is not always correct.
Under the Data Privacy Act, personal information may be processed based on several legal grounds, such as:
- Consent of the data subject
- Necessity for contract
- Compliance with law or legal obligation
- Protection of vitally important interests
- Response to national emergency or public order requirements
- Legitimate interests pursued by the personal information controller or a third party, subject to limits
For sensitive personal information, the rules are stricter. Processing is generally prohibited unless an exception applies, such as:
- Consent of the data subject
- Processing allowed by law or regulation
- Protection of life and health
- Medical treatment by health professionals or institutions
- Protection of lawful rights and interests in legal proceedings
- Processing by certain organizations for legitimate and lawful purposes, subject to limits
Therefore, a consent form is not always required. But when consent is used as the legal basis, the consent must be valid.
IV. What Makes Consent Valid?
Under Philippine data privacy principles, consent must generally be:
- Freely given
- Specific
- Informed
- An indication of will
- Evidenced by written, electronic, or recorded means
Consent should not be vague, hidden, forced, bundled improperly, or obtained through misleading statements.
A valid consent form must allow the data subject to understand what he or she is agreeing to.
V. Freely Given Consent
Consent must be voluntary.
This means the data subject must have a real choice. Consent may be questionable if the person is pressured, deceived, threatened, or denied an essential service for refusing data processing that is not necessary for that service.
Example
A clinic may need a patient’s medical information to provide medical treatment. But if the clinic asks the patient to consent to receiving promotional messages from partner companies, that marketing consent should be separate and optional.
If refusal to receive marketing messages prevents the patient from receiving treatment, the consent may not be considered freely given.
VI. Specific Consent
Consent must be specific to a particular purpose.
A consent form should not simply say:
“I consent to the processing of my personal data for any lawful purpose.”
That is too broad.
A better formulation would identify the specific processing purposes, such as:
- To verify identity
- To process an application
- To provide the requested service
- To communicate updates
- To comply with legal and regulatory obligations
- To process payments
- To issue receipts
- To respond to inquiries
- To send marketing messages, if separately consented to
- To share information with named or described service providers for identified purposes
The data subject must know what the data will be used for.
VII. Informed Consent
Consent must be informed.
This means the data subject should be told the essential information about the processing before giving consent.
A proper consent form should usually explain:
- The identity of the personal information controller
- The personal data to be collected
- The purpose of collection and processing
- The method of processing
- The recipients or classes of recipients of the data
- Whether data will be shared with third parties
- Whether data will be transferred abroad
- The retention period
- The rights of the data subject
- How to withdraw consent
- How to contact the data protection officer or privacy contact
- Whether providing the data is mandatory or optional
- The consequences of refusing or withdrawing consent
Without this information, the data subject cannot meaningfully consent.
VIII. Consent Must Be Evidenced
Consent must be capable of being proven.
The organization should keep records showing that consent was obtained.
Consent may be evidenced by:
- A signed paper form
- A signed digital document
- A tick-box with timestamp
- An electronic signature
- A recorded verbal consent
- A logged click-through consent
- A scanned copy of a signed consent form
- A recorded call, where allowed and properly disclosed
- An online form submission record
For accountability, the organization should be able to show:
- Who gave consent
- When consent was given
- What exactly the data subject consented to
- What version of the consent notice was used
- How consent was captured
- Whether consent was later withdrawn
IX. Consent Must Be Obtained Before Processing
As a rule, consent should be obtained before the processing activity that depends on consent.
For example, if a company wants to use a customer’s email address for promotional messages, it should obtain consent before sending those messages.
Consent obtained after the fact may not cure unauthorized processing that already occurred.
X. The Form Must Be Clear and Understandable
A consent form should be written in clear language.
It should avoid excessive legal jargon. The wording should be understandable to the intended audience.
For ordinary consumers, students, patients, employees, or website users, the consent form should use plain language.
For minors, vulnerable persons, or persons with limited literacy, the form should be adapted accordingly.
A consent form that is technically detailed but incomprehensible may fail the requirement of informed consent.
XI. Essential Parts of a Philippine Data Privacy Consent Form
A strong consent form usually contains the following sections.
1. Title
The document should be clearly identified.
Examples:
- Data Privacy Consent Form
- Consent to Process Personal Data
- Privacy Consent and Authorization Form
- Personal Data Processing Consent Form
2. Identity of the Organization
The form should identify the personal information controller.
This may include:
- Legal name of the company, school, clinic, employer, association, or organization
- Business address
- Contact details
- Data protection officer or privacy contact information
3. Description of Personal Data Collected
The form should list or describe the personal data involved.
Examples:
- Full name
- Address
- Email address
- Mobile number
- Date of birth
- Gender
- Civil status
- Government-issued identification numbers
- Photograph
- Signature
- Employment information
- Financial information
- Health information
- Educational records
- Location data
- Device identifiers
- Biometrics, where applicable
- CCTV footage, where applicable
The organization should not collect more data than necessary.
XII. Personal Information vs. Sensitive Personal Information
A consent form should be especially careful when sensitive personal information is involved.
Personal Information
Personal information is information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or information that when combined with other information would directly and certainly identify an individual.
Examples:
- Name
- Address
- Email address
- Contact number
- Photograph
- Customer number
- Account identifier
Sensitive Personal Information
Sensitive personal information includes data such as:
- Age
- Marital status
- Color
- Religious, philosophical, or political affiliations
- Health
- Education
- Genetic or sexual life information
- Proceedings involving offenses
- Government-issued identifiers
- Tax returns
- Information specifically classified by law as sensitive
Because sensitive personal information receives higher protection, consent language must be more precise.
XIII. Privileged Information
Privileged information refers to information protected by legal privilege under the Rules of Court and other laws.
Examples may include certain communications between:
- Lawyer and client
- Doctor and patient
- Priest and penitent
- Other legally protected relationships
Processing privileged information requires special care. A generic consent clause may be insufficient.
XIV. Purpose of Processing
The consent form must identify the purpose of processing.
Common purposes include:
- Identity verification
- Account creation
- Application processing
- Service delivery
- Customer support
- Billing and payment
- Compliance with legal obligations
- Fraud prevention
- Security and access control
- Employment administration
- Health assessment
- Academic administration
- Research, if applicable
- Marketing, if separately consented to
- Data analytics, if properly described
- Recordkeeping
- Communication with the data subject
The purpose must be legitimate, specific, and declared.
XV. Scope of Processing
The form should explain what will be done with the data.
Processing includes many activities, such as:
- Collection
- Recording
- Organization
- Storage
- Updating
- Retrieval
- Consultation
- Use
- Consolidation
- Blocking
- Erasure
- Destruction
- Sharing
- Disclosure
- Transfer
- Profiling or automated processing, if applicable
A good consent form does not merely say “process.” It explains the relevant processing activities in practical terms.
XVI. Data Sharing and Disclosure
If personal data will be shared, the consent form or privacy notice should identify the recipients or categories of recipients.
Possible recipients include:
- Affiliates
- Subsidiaries
- Parent companies
- Payment processors
- Delivery providers
- IT service providers
- Cloud storage providers
- Marketing service providers
- Professional advisers
- Government agencies
- Regulators
- Insurers
- Hospitals or clinics
- Schools or training providers
- Background check providers
- Research partners
A consent form should not vaguely authorize disclosure to “any person or entity.” The recipients should be named or described with reasonable specificity.
XVII. Outsourcing and Service Providers
Organizations often use third-party processors, such as payroll providers, cloud platforms, HR systems, customer relationship management tools, couriers, or billing processors.
The consent form may disclose that service providers process data on behalf of the organization.
However, consent alone is not enough. The organization should also have proper data processing agreements or outsourcing contracts with service providers, containing privacy and security obligations.
XVIII. Cross-Border Transfers
If personal data will be transferred outside the Philippines, this should be disclosed.
Examples include:
- Cloud servers located abroad
- Offshore customer support
- Foreign parent company access
- Regional HR systems
- International payment gateways
- Global software platforms
- Overseas medical or insurance processing
The form should state that data may be transferred to other countries and that appropriate safeguards will be observed.
For particularly sensitive processing, more detailed disclosure is advisable.
XIX. Retention Period
A consent form should state how long the data will be kept.
The retention period may be expressed as:
- A specific period
- A period required by law
- A period necessary for the declared purpose
- A period needed to establish, exercise, or defend legal claims
- A period tied to the duration of a contract or relationship
Poor language:
“We will keep your data indefinitely.”
Better language:
“We will retain your personal data for as long as necessary to fulfill the purposes stated in this form, comply with legal and regulatory requirements, resolve disputes, enforce agreements, and establish or defend legal claims. After the applicable retention period, the data will be securely disposed of or anonymized.”
Where possible, an organization should maintain a data retention schedule.
XX. Data Subject Rights
A consent form should inform the data subject of his or her rights under the Data Privacy Act.
These rights generally include:
- Right to be informed
- Right to object
- Right to access
- Right to rectification
- Right to erasure or blocking
- Right to damages
- Right to data portability
- Right to file a complaint with the National Privacy Commission
The form should explain how these rights may be exercised.
XXI. Right to Withdraw Consent
If processing is based on consent, the data subject should be told that consent may be withdrawn.
The form should explain:
- How withdrawal may be made
- Where the withdrawal request should be sent
- What happens after withdrawal
- Whether some processing may continue based on another legal ground
- Whether withdrawal affects services that require the data
Withdrawal of consent does not necessarily invalidate processing that occurred before withdrawal. It also does not prevent processing that is required by law or necessary for legal claims.
XXII. Consequences of Refusing Consent
The consent form should state whether consent is required or optional.
For example:
- Some data may be necessary to provide a service.
- Some data may be optional.
- Marketing consent may be optional.
- Data sharing with a required payment processor may be necessary for a transaction.
- Data sharing with unrelated advertisers should generally be optional.
The data subject should understand the practical consequences of refusal.
XXIII. Avoid Bundled Consent
Bundled consent occurs when multiple purposes are lumped together in one all-or-nothing consent.
This can be problematic.
For example, a customer may need to provide data to buy a product, but should not be forced to consent to marketing, profiling, and third-party promotional sharing as a condition of purchase, unless each is necessary and properly justified.
Better practice is to separate consent into categories:
- Consent for service delivery
- Consent for marketing messages
- Consent for sharing with promotional partners
- Consent for publication of photos or videos
- Consent for research participation
- Consent for processing sensitive personal information
Separate tick boxes are often advisable.
XXIV. Consent Must Not Be Hidden in Fine Print
Consent should be prominent enough for the data subject to notice.
It should not be hidden in:
- Long terms and conditions
- Small-font footnotes
- Pre-checked boxes
- Ambiguous website banners
- General waivers
- Broad employment contracts
- Unreadable legal blocks
A consent clause may be included in a larger form, but it should be clearly labeled and distinguishable.
XXV. Pre-Checked Boxes Are Risky
For online forms, consent is stronger when the user takes an affirmative action, such as ticking an unchecked box or clicking an “I agree” button after being shown the relevant information.
Pre-checked boxes may be questioned because they do not clearly show active consent.
Better practice:
- Use unchecked boxes.
- Use separate boxes for separate purposes.
- Record timestamp, IP address, version of notice, and consent choices.
XXVI. Electronic Consent
Electronic consent may be valid if properly captured and evidenced.
Examples include:
- Clicking “I agree”
- Ticking a checkbox
- Using an electronic signature
- Submitting an online form after a clear consent statement
- Confirming consent by one-time password or account login
- Recorded consent in an app
The system should record proof of consent, including:
- User identity
- Date and time
- Consent text shown
- Form version
- Specific choices selected
- Device or session information, where appropriate
XXVII. Consent for Minors
Processing personal data of minors requires special care.
A minor may not always be legally capable of giving consent on his or her own, especially for contracts or significant data processing activities. Consent from a parent or legal guardian is often required.
For schools, clinics, apps, events, and organizations dealing with children, consent forms should:
- Identify the parent or guardian
- Establish authority to give consent
- Explain the data collected from the child
- State the purposes of processing
- Address photos, videos, and online publication separately
- Provide contact details for privacy concerns
- Use child-appropriate explanations where applicable
XXVIII. Consent in Schools
Schools commonly process student data for enrollment, grading, discipline, health services, security, parent communication, scholarships, extracurricular activities, and regulatory compliance.
A school consent form may cover:
- Student records
- Parent or guardian information
- Emergency contact details
- Health information
- Photos and videos
- Online learning platforms
- Student portals
- Educational apps
- Publication of achievements
- Yearbooks
- Graduation programs
- Student IDs
- Guidance records
- Disciplinary records
- Data submissions to government agencies
However, schools should not rely solely on consent for everything. Some processing may be based on law, contract, legitimate interest, or the school’s legal obligations.
Publication of student photos, testimonials, achievements, and promotional materials is usually better handled through separate, specific consent.
XXIX. Consent in Employment
Employers process employee data for hiring, payroll, benefits, attendance, performance management, discipline, tax compliance, security, and statutory reporting.
In employment, consent can be sensitive because of the power imbalance between employer and employee.
An employee may feel compelled to sign. Therefore, employers should not rely on consent where another legal basis is more appropriate, such as:
- Contract
- Legal obligation
- Legitimate interest
- Establishment, exercise, or defense of legal claims
Consent may still be used for optional processing, such as:
- Use of employee photos for promotional materials
- Publication of employee profiles
- Optional wellness programs
- Optional surveys
- Optional employee engagement platforms
- Sharing data with non-essential third-party partners
Employment consent forms should be carefully drafted to avoid coercion.
XXX. Consent in Healthcare
Healthcare data is sensitive personal information.
Clinics, hospitals, laboratories, pharmacies, dentists, therapists, and health professionals should use consent forms carefully.
A healthcare consent form may cover:
- Patient identification
- Medical history
- Diagnosis
- Treatment records
- Laboratory results
- Prescriptions
- Billing and insurance
- Referral to specialists
- Disclosure to HMOs
- Disclosure to family members
- Telemedicine platforms
- Medical certificates
- Health research, if applicable
Medical treatment may have its own consent requirements separate from data privacy consent. A medical procedure consent is not the same as a data privacy consent, although both may appear in the same packet of documents.
XXXI. Consent for Marketing
Marketing consent should be specific and optional.
A proper marketing consent clause should identify:
- Type of marketing communications
- Channels used, such as SMS, email, phone call, messaging app, or push notification
- Sender or brand
- Whether affiliates or partners may send messages
- How the data subject may opt out
- Whether profiling or segmentation will be used
Example:
“I agree to receive promotional messages, offers, and updates from [Company] through email, SMS, phone calls, and messaging applications. I understand that I may opt out at any time by contacting [privacy contact] or using the unsubscribe mechanism provided.”
Marketing consent should not be bundled with necessary service consent.
XXXII. Consent for Photos, Videos, and Recordings
Photos, videos, and voice recordings may be personal information, and sometimes sensitive depending on context.
Consent should be obtained when images or recordings will be used beyond ordinary documentation, especially for:
- Promotional materials
- Social media posting
- Website publication
- Advertisements
- Testimonials
- Livestreaming
- Press releases
- Public event coverage
- Internal training videos
- Commercial campaigns
Consent should specify:
- What media will be captured
- Where it will be used
- Whether names or captions will be included
- Whether use is internal or public
- Whether use is commercial
- Duration of use
- How consent may be withdrawn, if practical
For children, parental or guardian consent is especially important.
XXXIII. Consent for CCTV
CCTV processing is often based on security and legitimate interests rather than individual signed consent, especially in public or semi-public areas.
However, organizations must still provide notice.
A proper CCTV notice should state:
- That CCTV monitoring is in operation
- The purpose, such as security and safety
- The identity of the organization
- Contact details for privacy concerns
- Retention period, where practical
- Authorized access and disclosure conditions
If CCTV footage will be used for purposes beyond security, such as marketing, analytics, or employee monitoring, additional notice and possibly consent or another lawful basis may be required.
XXXIV. Consent for Biometrics
Biometric data is highly sensitive.
Examples include:
- Fingerprints
- Facial recognition templates
- Iris scans
- Voice recognition
- Hand geometry
- Other unique physical or behavioral identifiers
A biometric consent form should be very specific.
It should state:
- What biometric data will be collected
- Why it is necessary
- Whether alternatives exist
- How the biometric template is stored
- Who has access
- Whether the raw image or template is retained
- Retention period
- Security measures
- Consequences of refusal
- Withdrawal process
- Whether data is shared with vendors
Because biometrics cannot be easily changed if compromised, organizations should avoid collecting biometric data unless necessary and proportionate.
XXXV. Consent for Background Checks
Background checks often involve sensitive personal information.
Consent forms for employment, tenancy, lending, accreditation, or membership screening should state:
- Scope of the background check
- Sources to be contacted
- Types of information verified
- Third-party screening providers
- Purpose of verification
- Retention period
- Consequences of refusal
- Rights of the data subject
The consent should not authorize unlimited investigation into all aspects of a person’s life. It should be proportionate to the legitimate purpose.
XXXVI. Consent for Sharing with Government Agencies
Some disclosures to government agencies are required by law and may not need consent.
Examples may include reports to tax, labor, social security, health insurance, education, or regulatory authorities.
However, the privacy notice or consent form should still inform data subjects that their data may be disclosed to government agencies when required or permitted by law.
Consent should not be written as though the data subject can prevent legally required reporting.
XXXVII. Privacy Notice vs. Consent Form
A privacy notice and a consent form are related but not identical.
Privacy Notice
A privacy notice informs the data subject about how personal data is processed. It supports the right to be informed.
Consent Form
A consent form captures the data subject’s agreement to processing activities based on consent.
An organization may combine them, but it should still distinguish between:
- Information being disclosed to the data subject
- Consent being requested from the data subject
Not every privacy notice requires a signature. Not every processing activity requires consent.
XXXVIII. Consent Clause vs. Separate Consent Form
A consent clause may be included inside another document, such as:
- Application form
- Enrollment form
- Employment contract
- Patient form
- Membership form
- Event registration form
- Website terms
- Mobile app onboarding screen
However, if the processing is significant, sensitive, optional, or high-risk, a separate consent form or clearly separated consent section is better.
Separate consent is advisable for:
- Marketing
- Sensitive personal information
- Photos and videos
- Children’s data
- Biometrics
- Background checks
- Data sharing with unrelated third parties
- Research participation
- Cross-border transfers involving sensitive data
- Automated decision-making or profiling, where applicable
XXXIX. Data Minimization
A valid consent form does not authorize excessive collection.
The Data Privacy Act follows the principle of proportionality. Personal data collected should be adequate, relevant, suitable, necessary, and not excessive in relation to the declared purpose.
For example, a newsletter signup generally does not need a birth certificate, home address, government ID number, or marital status.
Even with consent, excessive data collection may violate privacy principles.
XL. Purpose Limitation
Personal data should be processed only for declared, specified, and legitimate purposes.
If data was collected for one purpose, the organization should not later use it for a materially different purpose without a proper legal basis and appropriate notice.
Example:
A company collects customer phone numbers for delivery coordination. It should not automatically use those numbers for unrelated marketing unless it has a lawful basis, such as valid marketing consent.
XLI. Transparency
The data subject should not be surprised by how the data is used.
A consent form should make the processing understandable.
Transparency requires more than legal compliance. It requires fair disclosure.
Organizations should avoid vague phrases such as:
- “For all lawful purposes”
- “For business purposes”
- “For any purpose deemed necessary”
- “For use by our partners”
- “For future activities”
- “For other purposes”
If additional purposes are expected, they should be explained clearly.
XLII. Security Measures
A consent form does not need to describe every cybersecurity measure, but it may state that the organization uses reasonable and appropriate organizational, technical, and physical security measures.
Examples include:
- Access controls
- Password protection
- Encryption where appropriate
- Secure storage
- Confidentiality obligations
- Limited access
- Audit logs
- Secure disposal
- Vendor controls
- Staff training
Security is not optional. Even if a data subject consents, the organization must protect the data.
XLIII. Accountability
The Data Privacy Act requires organizations to be accountable for personal data under their control.
For consent forms, accountability means the organization should be able to prove:
- The form was legally adequate
- The data subject was properly informed
- Consent was freely given
- Consent was specific
- Consent was recorded
- Consent was not used beyond its scope
- Withdrawal requests were handled
- Data was retained and disposed of properly
- Processors and third parties were controlled
- Staff followed the form’s stated procedures
Consent documentation should be part of the organization’s privacy management system.
XLIV. Common Mistakes in Consent Forms
1. Using One Blanket Consent for Everything
A broad consent clause covering all possible uses is risky.
2. Failing to Identify the Organization
The data subject must know who is collecting and using the data.
3. Not Listing the Purpose
Consent without a clear purpose is weak.
4. Omitting Third-Party Sharing
If data will be shared, this should be disclosed.
5. No Retention Period
The form should explain how long data will be kept or how retention will be determined.
6. No Withdrawal Mechanism
If consent is the legal basis, the data subject should know how to withdraw it.
7. No Contact Details
The form should identify where privacy questions or requests may be sent.
8. Bundling Necessary and Optional Processing
Essential processing and optional marketing should be separated.
9. Using Pre-Checked Online Boxes
Active consent is safer.
10. Relying on Consent When Another Legal Basis Is Better
Consent may not be appropriate for mandatory legal reporting, employment administration, or contract performance.
11. Using English Only for Audiences Who May Not Understand It
The form should be understandable to the data subject.
12. Not Keeping a Copy of the Consent
An organization should be able to prove consent.
XLV. Consent Form Requirements for Websites and Apps
For websites and apps, consent may be obtained electronically.
A compliant consent flow should include:
- A privacy notice link
- Clear statement of purposes
- Separate consent for optional processing
- Cookie or tracking disclosures, where applicable
- Unchecked boxes for marketing consent
- Age or parental consent mechanism if children are involved
- Log of consent choices
- Easy withdrawal or unsubscribe mechanism
- Version control of privacy notices
- Secure storage of consent logs
Apps should not request permissions unrelated to their function. For example, a flashlight app should not request contacts, microphone, and location unless there is a legitimate and explained purpose.
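The consent-log items listed in sections VIII, XXV, XXVI and this section can be captured in one record per consent event. The sketch below is an added example, not part of the original article or any NPC template. The purpose names, notice text, version string, field names and the hash-chained log design are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample notice. Purpose names, wording and version are assumptions.
NOTICE = {
    "version": "2024-01-v3",
    "text": ("We process your data to deliver the service you requested. "
             "Marketing and partner sharing are optional."),
    # True = necessary for the service, False = optional (own unchecked box).
    "purposes": {"service_delivery": True, "marketing": False,
                 "partner_sharing": False},
}
GENESIS = "0" * 64  # "previous hash" used by the first log entry


def _digest(body):
    """SHA-256 over a canonical JSON encoding of one log entry."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLog:
    """Append-only, hash-chained record of consent grants and withdrawals."""

    def __init__(self, notice):
        self.notice = notice
        self.entries = []

    def _append(self, event, subject_id, choices, method, session):
        body = {
            "event": event,                      # "grant" or "withdraw"
            "subject_id": subject_id,            # who gave consent
            "timestamp": datetime.now(timezone.utc).isoformat(),  # when
            "notice_version": self.notice["version"],             # which version
            "notice_sha256": hashlib.sha256(
                self.notice["text"].encode()).hexdigest(),        # exact text shown
            "choices": choices,                  # what was agreed to, per purpose
            "method": method,                    # how consent was captured
            "session": session,                  # device/session info, if any
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def record_consent(self, subject_id, ticked, method, session=None):
        purposes = self.notice["purposes"]
        unknown = sorted(set(ticked) - set(purposes))
        if unknown:
            raise ValueError(f"purposes not in notice: {unknown}")
        # Only an explicit True counts; a box left alone is stored as "no consent",
        # so optional purposes are never inferred from a default or a bundle.
        choices = {p: ticked.get(p) is True for p in purposes}
        refused = [p for p, needed in purposes.items() if needed and not choices[p]]
        if refused:
            raise ValueError(f"necessary purposes not accepted: {refused}")
        return self._append("grant", subject_id, choices, method, session)

    def withdraw(self, subject_id, purpose, method, session=None):
        if purpose not in self.notice["purposes"]:
            raise ValueError(f"purpose not in notice: {purpose}")
        # A withdrawal is a new entry; the earlier grant stays in the log as proof.
        return self._append("withdraw", subject_id, {purpose: False}, method, session)

    def has_consent(self, subject_id, purpose):
        """Latest recorded choice for this subject and purpose (default: False)."""
        state = False
        for e in self.entries:
            if e["subject_id"] == subject_id and purpose in e["choices"]:
                state = e["choices"][purpose]
        return state

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    log = ConsentLog(NOTICE)
    # Constructed submission: the user ticked the service and marketing boxes only.
    log.record_consent("user-1001", {"service_delivery": True, "marketing": True},
                       method="web_checkbox", session={"ip": "203.0.113.7"})
    log.withdraw("user-1001", "marketing", method="unsubscribe_link")
    print(log.has_consent("user-1001", "marketing"), log.verify())
```

The hash chain only makes tampering detectable if the latest entry hash is also kept somewhere the log's administrators cannot rewrite.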
XLVI. Consent and Cookies
Cookie consent depends on the kind of cookies or tracking technologies used.
Essential cookies needed for website functionality may be treated differently from analytics, advertising, profiling, or third-party tracking cookies.
A cookie notice should explain:
- What cookies are used
- Purpose of cookies
- Whether third parties place cookies
- How users may manage choices
- Whether cookies are necessary or optional
- Link to the privacy or cookie policy
For advertising and profiling cookies, active consent is usually safer.
XLVII. Consent and Automated Decision-Making
If an organization uses automated processing, profiling, scoring, ranking, or algorithmic decisions that significantly affect a person, the data subject should be informed.
Examples include:
- Credit scoring
- Automated hiring filters
- Fraud scoring
- Insurance risk assessment
- Automated eligibility decisions
- Behavioral profiling for targeted offers
A consent form or privacy notice should explain the existence of automated processing, its purpose, and its potential effects, where applicable.
XLVIII. Consent for Research
Research consent forms should be detailed.
They may include:
- Research title
- Identity of researcher or institution
- Purpose of study
- Types of data collected
- Method of collection
- Risks and benefits
- Voluntary participation
- Withdrawal rights
- Anonymization or pseudonymization
- Data sharing
- Publication of results
- Ethics review approval, where applicable
- Retention period
- Contact information
Research involving sensitive information, minors, indigenous communities, health data, or vulnerable persons requires additional safeguards.
XLIX. Consent for Events
Event organizers often collect participant data and capture photos or videos.
An event privacy consent section may cover:
- Registration data
- Attendance records
- ID verification
- Event communications
- Certificates
- Food restrictions or health needs
- Photos and videos
- Livestreaming
- Publication on social media
- Sponsor or partner sharing
- Emergency contact information
Photo and video consent should be separate if the material will be used publicly or commercially.
L. Consent for Associations, Clubs, and Nonprofits
Membership organizations process data for:
- Membership applications
- Dues collection
- Communications
- Events
- Directories
- Elections
- Governance records
- Volunteer coordination
- Donations
- Public advocacy
Consent forms should distinguish between internal membership administration and optional public disclosure, donor recognition, directories, or marketing.
LI. Consent in Real Estate Transactions
Brokers, developers, property managers, and lessors process personal data for:
- Client verification
- Reservation applications
- Lease documentation
- Credit checks
- Know-your-client procedures
- Payment processing
- Turnover records
- Condominium administration
- Utilities coordination
- Marketing
Consent should not be used to justify unnecessary sharing of buyer or tenant data with unrelated parties.
LII. Consent in Financial Services
Banks, lenders, fintech companies, insurers, and payment platforms process sensitive and financial information.
Consent forms may involve:
- Identity verification
- Credit evaluation
- Fraud prevention
- Account opening
- Loan processing
- Insurance underwriting
- Claims handling
- Transaction monitoring
- Regulatory compliance
- Data sharing with credit bureaus
- Sharing with payment networks
- Cross-border processing
In regulated industries, some processing is required by law and does not depend solely on consent. The form should be careful not to mischaracterize mandatory legal processing as optional consent.
LIII. Consent in E-Commerce
E-commerce platforms process data for:
- Account creation
- Order processing
- Payment
- Delivery
- Returns
- Customer support
- Fraud prevention
- Reviews
- Loyalty programs
- Marketing
- Seller-buyer communication
Marketing, behavioral profiling, and sharing with unrelated advertisers should be separated from transaction processing.
LIV. Consent in Government Transactions
Government agencies process personal data to perform public functions and comply with law.
Consent may not always be the main legal basis. Many government processing activities are based on official authority or law.
However, government forms should still provide privacy notices and inform citizens about:
- Data collected
- Purpose
- Legal basis
- Recipients
- Retention
- Rights
- Contact details
- Security measures
Consent may be needed for optional processing or disclosures not required by law.
LV. Valid Consent Language
A basic consent clause may read:
“I have read and understood the Privacy Notice of [Organization]. I consent to the collection, use, storage, disclosure, and other processing of my personal data by [Organization] for the purposes of [specific purposes]. I understand that my personal data may be shared with authorized personnel, service providers, and government authorities when necessary for these purposes or when required by law. I understand that I may exercise my rights as a data subject, including the right to access, correction, objection, and withdrawal of consent, by contacting [privacy contact].”
This is only a starting point. Actual wording should be tailored to the organization’s processing activities.
LVI. Sample Structure of a Data Privacy Consent Form
DATA PRIVACY CONSENT FORM
1. Personal Information Controller
[Name of Organization]
[Address]
[Contact Number]
[Email Address]
Data Protection Officer / Privacy Contact: [Name or Office]
Privacy Contact Email: [Email]
2. Personal Data Collected
We may collect and process the following personal data:
- Name
- Address
- Contact details
- Date of birth
- Identification documents
- Transaction records
- Payment information
- Other information necessary for the purposes stated below
3. Purpose of Processing
Your personal data will be processed for the following purposes:
- To verify your identity
- To process your application or transaction
- To provide requested services
- To communicate with you
- To comply with legal and regulatory requirements
- To maintain records
- To protect the rights and interests of the organization
4. Data Sharing
Your personal data may be shared with authorized personnel, service providers, professional advisers, regulators, government agencies, and other parties when necessary for the purposes stated above or when required by law.
5. Retention
Your personal data will be retained only for as long as necessary to fulfill the stated purposes, comply with legal requirements, resolve disputes, enforce agreements, and establish or defend legal claims. After the applicable retention period, your data will be securely disposed of or anonymized.
6. Rights of the Data Subject
You have rights under the Data Privacy Act, including the rights to be informed, to object, to access, to rectify, to erase or block, to claim damages, to data portability, and to file a complaint.
7. Withdrawal of Consent
You may withdraw consent for processing activities based on consent by contacting [privacy contact]. Withdrawal may affect our ability to provide certain services where the processing is necessary for such services. Withdrawal does not affect processing conducted before withdrawal or processing required or permitted by law.
8. Consent
By signing below, I confirm that I have read and understood this Data Privacy Consent Form and voluntarily consent to the processing of my personal data for the purposes stated above.
Name: ___________________________
Signature: ________________________
Date: ____________________________
Contact Details: ___________________
For minors:
Parent/Guardian Name: ____________________
Relationship to Minor: _____________________
Signature: _______________________________
Date: ___________________________________
LVII. Separate Optional Consent Clauses
For optional processing, use separate consent boxes.
Marketing Consent
☐ I agree to receive promotional messages, offers, and updates from [Organization] through email, SMS, phone calls, messaging apps, and other communication channels. I understand that I may opt out at any time.
Photo and Video Consent
☐ I consent to the capture and use of my photos, videos, voice, and likeness during [event/activity] for documentation, publication, promotional, social media, website, and related communication purposes.
Third-Party Partner Sharing
☐ I consent to the sharing of my personal data with selected partners of [Organization] for their own promotional offers and related communications.
Research Consent
☐ I consent to the use of my personal data for research, statistical, or analytical purposes, subject to appropriate safeguards such as anonymization or pseudonymization where applicable.
These optional clauses should not be pre-checked.
LVIII. When Consent Is Not Enough
Consent does not excuse an organization from complying with the rest of the Data Privacy Act.
Even with consent, the organization must still observe:
- Transparency
- Legitimate purpose
- Proportionality
- Data minimization
- Security
- Retention limits
- Data subject rights
- Accountability
- Breach management
- Proper disposal
- Vendor management
- Internal access controls
A signed consent form is not a shield against unlawful, excessive, unfair, or insecure processing.
LIX. Withdrawal, Objection, and Erasure
Data subjects may request withdrawal of consent, object to processing, request correction, or ask for erasure or blocking.
The organization should have a procedure for handling these requests.
A good process includes:
- Receiving the request
- Verifying the identity of the requester
- Determining the applicable right
- Checking the legal basis for continued processing
- Acting within a reasonable period
- Documenting the response
- Notifying processors or recipients where appropriate
Withdrawal does not always mean all data must be deleted. Some data may need to be retained for legal, contractual, accounting, regulatory, or litigation purposes.
LX. Consent Records and Version Control
Organizations should keep records of consent forms and privacy notices.
For paper forms, this means storing signed copies securely.
For online forms, this means storing:
- Timestamp
- User ID or account
- IP address, where appropriate
- Consent choices
- Version of the privacy notice
- Version of the consent language
- Method of consent
- Withdrawal records
Version control is important because privacy notices and forms change over time. The organization should know what the person actually agreed to at the time consent was given.
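The online consent record listed above, together with the consent log, version control, and withdrawal items in the website and app section, can be sketched as an append-only log. This is an added example, not code from any NPC issuance or existing product. The field names, purpose labels, sample user, and the use of a hash chain for tamper evidence are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value for the first entry in the chain


def entry_digest(entry):
    """SHA-256 over canonical JSON of the entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class ConsentLog:
    """Append-only log: every grant or withdrawal is a new entry, never an update."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, purpose, granted, notice_version, consent_text,
               method, when, ip=None):
        if when.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        entry = {
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            "user_id": user_id,
            "purpose": purpose,                      # one entry per optional purpose
            "granted": bool(granted),                # False records a withdrawal
            "notice_version": notice_version,        # privacy notice shown at the time
            # Hash of the exact consent wording the person saw
            "consent_text_sha256": hashlib.sha256(consent_text.encode("utf-8")).hexdigest(),
            "method": method,                        # e.g. web checkbox, unsubscribe link
            "ip": ip,                                # stored only where appropriate
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def state_at(self, user_id, purpose, when):
        """Return the entry in effect for (user, purpose) at `when`, or None."""
        cutoff = when.astimezone(timezone.utc)
        latest = None
        for e in self.entries:
            if e["user_id"] != user_id or e["purpose"] != purpose:
                continue
            ts = datetime.fromisoformat(e["timestamp"])
            if ts <= cutoff and (latest is None
                                 or ts >= datetime.fromisoformat(latest["timestamp"])):
                latest = e
        return latest

    def has_consent(self, user_id, purpose, when):
        """No entry means no consent, which mirrors an unchecked box."""
        e = self.state_at(user_id, purpose, when)
        return e is not None and e["granted"]

    def verify_chain(self):
        """Detect edited, removed, or reordered entries."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e):
                return False
            prev = e["entry_hash"]
        return True


def build_sample_log():
    """Constructed sample data: one grant under notice 1.0, withdrawn under 2.0."""
    text_v1 = "I agree to receive promotional messages from Example Org."
    text_v2 = "I agree to receive promotional messages and offers from Example Org."
    log = ConsentLog()
    log.record("user-1001", "marketing", True, "1.0", text_v1, "web_checkbox",
               datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc), ip="203.0.113.7")
    log.record("user-1001", "marketing", False, "2.0", text_v2, "unsubscribe_link",
               datetime(2024, 1, 20, 9, 30, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    mid = datetime(2024, 1, 15, tzinfo=timezone.utc)
    print(log.has_consent("user-1001", "marketing", mid),
          log.state_at("user-1001", "marketing", mid)["notice_version"])
    print(log.verify_chain())
```

A hash chain only shows tampering if the latest `entry_hash` is also kept somewhere the log's editors cannot rewrite, such as a separate system or a periodic signed export.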
LXI. Translation and Accessibility
If the intended data subjects are more comfortable in Filipino or another Philippine language, the organization should consider providing translations.
Accessibility matters. Consent forms should be readable by persons with disabilities, elderly persons, and persons with limited digital access.
For online forms, accessibility may involve:
- Readable font sizes
- Screen-reader compatibility
- Clear buttons
- Avoidance of confusing dark patterns
- Easy access to privacy information
- Simple withdrawal mechanisms
LXII. Dark Patterns and Manipulative Consent
Organizations should avoid manipulative design.
Examples of bad practices include:
- Making “Accept” large and “Reject” hidden
- Using confusing double negatives
- Making refusal unnecessarily difficult
- Requiring unnecessary clicks to withdraw consent
- Using guilt-based language
- Pre-selecting optional sharing
- Hiding privacy information behind vague links
- Making service access conditional on unrelated processing
Consent obtained through manipulation may be challenged.
LXIII. Consent and Data Breach Notification
A consent form does not eliminate the obligation to manage and report data breaches when required.
Organizations should have a breach response plan addressing:
- Detection
- Containment
- Assessment
- Notification
- Remediation
- Documentation
- Communication with affected data subjects
- Communication with the National Privacy Commission, where required
The consent form may mention security generally, but breach management must be handled through actual internal procedures.
LXIV. Penalties and Liability
Violations of the Data Privacy Act may result in legal consequences.
Potential consequences include:
- Administrative proceedings
- Orders from the National Privacy Commission
- Fines or penalties, where applicable
- Criminal liability for certain violations
- Civil liability for damages
- Reputational harm
- Loss of customer trust
- Contractual liability
- Regulatory consequences
A defective consent form can be evidence of non-compliance, especially where the organization cannot prove that the data subject was properly informed or that the processing was lawful.
LXV. Practical Drafting Checklist
Before using a data privacy consent form, check whether it answers these questions:
- Who is collecting the data?
- What personal data is being collected?
- Is sensitive personal information involved?
- Why is the data being processed?
- Is consent the correct legal basis?
- Is the processing necessary and proportionate?
- Is the purpose specific?
- Is the language clear?
- Is consent freely given?
- Are optional purposes separated?
- Are third-party recipients identified or described?
- Is cross-border transfer disclosed?
- Is the retention period stated?
- Are data subject rights explained?
- Is withdrawal of consent explained?
- Are consequences of refusal stated?
- Is the form signed or electronically recorded?
- Is the consent record stored securely?
- Is the form aligned with the privacy notice?
- Are internal practices consistent with the form?
LXVI. Best Practices for Organizations
Organizations should:
- Avoid overusing consent.
- Identify the correct legal basis for each processing activity.
- Use separate consent for optional processing.
- Keep privacy notices clear and accessible.
- Keep consent forms short enough to be understood.
- Avoid blanket language.
- Maintain consent logs.
- Train staff on privacy obligations.
- Review forms regularly.
- Update forms when processing changes.
- Conduct privacy impact assessments for high-risk processing.
- Execute proper contracts with processors.
- Implement retention and disposal policies.
- Respect withdrawal and objection requests.
- Keep evidence of compliance.
LXVII. Best Practices for Individuals
Before signing a consent form, a data subject should check:
- Who is collecting the data
- What data is being collected
- Why the data is needed
- Whether sensitive data is included
- Whether the data will be shared
- Whether marketing consent is optional
- How long the data will be kept
- How to withdraw consent
- Who to contact for privacy requests
- Whether refusal has consequences
A person should avoid signing blank or overly broad consent forms without understanding how the data will be used.
LXVIII. Common Examples of Defective Consent Clauses
Defective Clause 1
“I consent to the use of my personal data for any purpose.”
Problem: Too broad and not specific.
Defective Clause 2
“I waive all my rights under the Data Privacy Act.”
Problem: Data subject rights cannot simply be waived by a blanket clause.
Defective Clause 3
“I consent to disclosure to any third party.”
Problem: Recipients and purposes are not properly identified.
Defective Clause 4
“By entering this website, you consent to everything.”
Problem: Consent is vague and may not show informed, specific, affirmative agreement.
Defective Clause 5
“Your data will be kept forever.”
Problem: Retention must be justified and proportionate.
LXIX. Improved Consent Language Examples
Service Processing
“I consent to the processing of my personal data by [Organization] for purposes of verifying my identity, processing my application, providing the requested service, communicating with me, maintaining records, and complying with legal and regulatory requirements.”
Sensitive Personal Information
“I understand that the information I provide may include sensitive personal information, such as health information, government-issued identification numbers, and financial details. I consent to the processing of such information only for the purposes stated in this form and the related Privacy Notice.”
Data Sharing
“I understand that my personal data may be shared with authorized personnel, service providers, professional advisers, payment processors, delivery providers, regulators, and government agencies when necessary for the stated purposes or when required by law.”
Withdrawal
“I understand that I may withdraw consent for processing activities based on consent by contacting [privacy contact]. I understand that withdrawal may affect services that require such processing and does not affect processing already lawfully conducted before withdrawal.”
LXX. Data Privacy Consent Form vs. Waiver
A data privacy consent form should not be confused with a waiver of liability.
Consent to process personal data does not mean the data subject waives all claims if the organization mishandles the data.
A clause saying the data subject releases the organization from all liability for data misuse may be challenged, especially if it attempts to excuse negligence, unlawful processing, or violations of law.
LXXI. Consent Form vs. Authorization Letter
An authorization letter allows another person or entity to act or receive information on behalf of the data subject.
A consent form authorizes processing of personal data.
Sometimes both are needed.
Example:
A patient authorizes a relative to claim medical records. The document should both:
- Authorize the hospital to release the records to the named representative; and
- Confirm that the patient understands the data privacy implications of the disclosure.
LXXII. Consent and Legitimate Interest
Legitimate interest is a separate legal basis from consent.
An organization may rely on legitimate interest when processing is necessary for a lawful and legitimate purpose and does not override the rights and freedoms of the data subject.
Examples may include certain fraud prevention, security, internal administrative, or customer relationship activities.
However, legitimate interest must be assessed carefully. It should not be used as a shortcut to avoid consent where consent is clearly required.
LXXIII. Consent and Contract
If processing is necessary to perform a contract with the data subject, contract may be the better legal basis.
Example:
An online store needs the buyer’s name, address, and contact number to deliver the purchased item.
That processing is necessary for the transaction. Consent may still be included in the privacy notice, but the legal basis may be contract rather than consent.
This matters because if the data subject withdraws consent, the organization may still need to process certain data to complete the contract, issue receipts, handle returns, or comply with legal requirements.
LXXIV. Consent and Legal Obligation
Some processing is required by law.
Examples include:
- Tax reporting
- Employment records required by labor law
- Social security, PhilHealth, and Pag-IBIG reporting
- Anti-money laundering checks
- Corporate records
- Regulatory compliance
- Court orders
- Government reporting
Consent is not the proper basis for processing that the law requires. The data subject cannot withdraw consent to prevent legally required processing.
LXXV. Consent and Publicly Available Information
The fact that personal information is publicly available does not automatically mean it can be processed for any purpose.
Organizations should still observe legitimate purpose, proportionality, fairness, and applicable legal basis.
For example, scraping publicly available social media profiles for unrelated profiling, harassment, or unauthorized marketing may raise privacy concerns.
LXXVI. Consent and Publication Online
Posting personal data online can greatly increase privacy risk.
Consent should be specific for online publication, especially for:
- Names
- Photos
- Videos
- Student achievements
- Employee profiles
- Testimonials
- Event participation
- Winners of contests
- Sensitive stories
- Health or charitable assistance information
The form should state where publication will occur, such as the organization’s website, Facebook page, YouTube channel, printed materials, or public reports.
LXXVII. Consent for Testimonials
Testimonials often involve name, image, voice, story, occupation, and other identifying details.
A testimonial consent form should specify:
- Exact testimonial content or general scope
- Whether editing is allowed
- Where the testimonial may appear
- Whether the person’s name and image may be used
- Duration of use
- Whether compensation is involved
- Withdrawal process
Sensitive testimonials, such as medical, financial, religious, or social welfare stories, require heightened care.
LXXVIII. Consent for Data Portability
The right to data portability allows a data subject to obtain a copy of electronically processed personal data in a structured, commonly used format, where applicable.
Consent forms should mention the right if relevant, but operational procedures must also exist to handle such requests.
LXXIX. Consent and Anonymized Data
If data is truly anonymized so that individuals can no longer be identified, it may fall outside personal data rules.
However, organizations should be careful. Pseudonymized data may still be personal data if re-identification is possible.
A consent form for analytics or research may state that data may be anonymized or aggregated for statistical purposes.
LXXX. Consent and Data Disposal
The organization should securely dispose of personal data after the retention period.
Disposal may include:
- Shredding paper records
- Secure deletion of digital files
- Wiping storage devices
- Destruction of backup copies where feasible
- Anonymization
- Vendor-certified destruction
A consent form may briefly state that data will be securely disposed of after the retention period, but the organization should also have an internal disposal policy.
LXXXI. Consent in Franchise, Agency, and Group Company Settings
Where multiple entities are involved, the consent form should clarify who controls the data.
For example:
- A franchisor and franchisee may both process customer data.
- An agency may collect data for a principal.
- A corporate group may share HR or customer data.
- A school system may share data with central administration.
- A clinic may share data with a laboratory or HMO.
The data subject should not be left guessing which entity is responsible.
LXXXII. Consent for Call Recording
If calls are recorded, the data subject should be informed.
A call recording notice may state:
- That the call may be recorded
- Purpose, such as quality assurance, documentation, training, or dispute resolution
- Retention period
- How to contact the organization for privacy concerns
If the recording will be used for unrelated purposes, additional consent may be required.
LXXXIII. Consent for Location Data
Location data can be sensitive depending on context.
Apps, delivery services, transport services, field employee systems, and security tools may collect location data.
Consent or notice should specify:
- Whether location is collected continuously or only while using the service
- Purpose of collection
- Whether location is shared
- Retention period
- Whether the user can disable location access
- Consequences of disabling it
Continuous tracking requires stronger justification and clearer notice.
LXXXIV. Consent for Employee Monitoring
Employee monitoring may include:
- CCTV
- Email monitoring
- Internet logs
- Device monitoring
- GPS tracking
- Productivity tools
- Access logs
- Call recording
- Biometric attendance
- Security checks
Employers should provide clear notice and identify the legal basis. Consent may not always be the best basis due to the employment relationship.
Monitoring should be proportionate and not excessive.
LXXXV. Consent for Data of Representatives and Emergency Contacts
Organizations often ask for information about third persons, such as:
- Emergency contacts
- Authorized representatives
- Beneficiaries
- Dependents
- Character references
- Family members
- Corporate officers
- Guarantors
The person providing the information should be asked to confirm that he or she is authorized to provide the third person’s data, where appropriate.
Organizations should also consider how to provide notice to those third persons.
LXXXVI. Consent for IDs and Copies of Documents
Collecting copies of IDs increases risk.
A consent form should identify:
- Why the ID is needed
- What information will be copied
- Whether the copy will be retained
- How it will be protected
- How long it will be kept
- Whether masking or redaction is possible
Organizations should not collect ID copies if merely viewing the ID is sufficient.
LXXXVII. Consent in Dispute Resolution and Legal Claims
Personal data may be processed to establish, exercise, or defend legal claims.
A consent form may state that data may be retained and used for dispute resolution, enforcement of agreements, investigations, and legal proceedings.
However, legal claims may be an independent basis for processing, especially for sensitive personal information under recognized exceptions.
LXXXVIII. Data Protection Officer Contact Details
A proper consent form should provide a privacy contact.
This may be:
- Data Protection Officer
- Compliance Officer for Privacy
- Privacy Office
- Customer support channel for privacy requests
The contact details should be functional and monitored.
A form that gives no way to exercise rights is incomplete in practice.
LXXXIX. Review and Updating of Consent Forms
Consent forms should be reviewed when:
- New data is collected
- New systems are implemented
- Data is shared with new parties
- Processing purposes change
- Laws or regulations change
- Security practices change
- The organization expands abroad
- Marketing practices change
- New technologies are introduced
- Breach or complaint history reveals weaknesses
Old consent forms should not be reused indefinitely without review.
XC. Consent Form for Data Sharing Agreements
Where organizations share data, they should not rely only on individual consent forms.
They should also have appropriate agreements that define:
- Roles of each party
- Purpose of sharing
- Security measures
- Access controls
- Retention
- Return or disposal
- Breach notification
- Restrictions on further use
- Audit or compliance rights
- Responsibility for data subject requests
Consent is only one part of lawful data sharing.
XCI. Consent for Sensitive Personal Information: Higher Standard
When sensitive personal information is involved, the consent form should be explicit.
It should not merely refer to “personal data” if the organization is collecting medical records, government IDs, financial details, biometrics, or information about religion, politics, or sexual life.
Better wording:
“I understand that the personal data to be processed includes sensitive personal information, including [specific categories]. I consent to the processing of such sensitive personal information for [specific purposes].”
The more sensitive the data, the more specific the form should be.
XCII. The Role of Privacy Impact Assessments
For high-risk processing, organizations should conduct a privacy impact assessment.
A consent form alone is not enough for activities involving:
- Large-scale sensitive data
- Biometrics
- Children’s data
- Surveillance
- Profiling
- Automated decision-making
- Cross-border processing
- Health records
- Financial records
- Data sharing among multiple entities
A privacy impact assessment helps determine whether consent is appropriate and what safeguards are needed.
XCIII. Data Privacy Consent Form for Small Businesses
Small businesses often use simple forms, but they still need to comply.
A small business consent form should at least include:
- Business name
- Contact details
- Personal data collected
- Purpose of processing
- Recipients, if any
- Retention
- Data subject rights
- Withdrawal method
- Signature or clear affirmative consent
Even small businesses should avoid collecting unnecessary IDs, birthdates, or sensitive information.
XCIV. Data Privacy Consent Form for Professionals
Lawyers, doctors, accountants, engineers, architects, brokers, consultants, and other professionals process client data.
Professional consent forms should account for:
- Client identity
- Engagement purpose
- Professional confidentiality
- Legal or regulatory obligations
- Billing
- Conflict checks
- File retention
- Use of staff or service providers
- Disclosure to government agencies or courts where required
- Privileged information, where applicable
Professional privilege and data privacy obligations should be harmonized.
XCV. Do Consent Forms Need Notarization?
A data privacy consent form generally does not need to be notarized to be valid.
However, notarization may be used for certain authorization forms, affidavits, or documents involving release of records, legal claims, property transactions, or representation.
For ordinary privacy consent, notarization is usually unnecessary.
What matters more is that consent is valid, informed, specific, voluntary, and properly evidenced.
XCVI. Does a Signature Always Mean Valid Consent?
No.
A person’s signature is evidence of consent, but it does not automatically prove that the consent was legally valid.
Consent may still be challenged if:
- The form was misleading
- The language was vague
- The person was forced to sign
- The purposes were not explained
- The processing exceeded the consent
- The person lacked capacity
- The form hid important terms
- Optional processing was bundled with mandatory processing
A signature is important, but the surrounding circumstances also matter.
XCVII. Can Consent Be Implied?
Consent may sometimes be inferred from conduct, but for Data Privacy Act compliance, especially with sensitive data or significant processing, express and recorded consent is safer.
For example, a person who voluntarily gives an address for delivery may reasonably expect the address to be used for delivery. But that does not imply consent to unrelated marketing or sharing with advertisers.
For sensitive personal information, explicit consent is strongly preferred and often necessary.
XCVIII. Can Consent Be Verbal?
Verbal consent may be valid if it is recorded or properly documented.
However, verbal consent can be harder to prove.
If verbal consent is used, the organization should document:
- Date and time
- Person obtaining consent
- Identity of data subject
- Exact consent script
- Purpose explained
- Confirmation given
- Recording or written note
Written or electronic consent is usually better for accountability.
XCIX. Consent Form Storage and Confidentiality
Consent forms themselves contain personal data and must be protected.
Organizations should:
- Store paper forms in locked cabinets
- Restrict access to authorized personnel
- Encrypt digital copies where appropriate
- Avoid emailing unprotected scans unnecessarily
- Limit retention
- Dispose securely
- Keep access logs where possible
- Train staff handling forms
A privacy consent form should not become a privacy risk.
C. Key Takeaways
Data privacy consent forms in the Philippines must be treated as legal compliance documents, not mere formalities.
The most important rules are:
- Consent must be freely given, specific, informed, and evidenced.
- Consent is only one legal basis for processing.
- The form must identify the organization, data collected, purposes, recipients, retention, rights, and withdrawal process.
- Sensitive personal information requires clearer and more explicit consent.
- Optional processing, such as marketing or public photo use, should be separated.
- Consent should not be bundled, hidden, vague, or forced.
- A signed form does not cure excessive, unlawful, or insecure processing.
- Organizations must still comply with transparency, legitimate purpose, proportionality, security, retention, and accountability.
- Consent records must be stored and managed properly.
- The form should match actual data processing practices.
In short, a valid Data Privacy Act consent form in the Philippines must tell the data subject clearly who will process the data, what data will be processed, why it will be processed, how it will be used and shared, how long it will be kept, what rights the data subject has, and how consent may be withdrawn. A well-drafted form protects both the data subject and the organization by making the processing transparent, lawful, and accountable.