If you opened an account with an online casino, sportsbook, e-bingo, e-casino, poker, or gaming app in the Philippines, the platform may be holding much more than your username. It may have your mobile number, email, government ID, selfie, facial verification data, e-wallet details, betting history, deposit and withdrawal records, device information, IP address, location signals, affiliate tracking data, and customer support chats. Under Philippine law, you can request the deletion, blocking, or removal of personal data that is no longer necessary, unlawfully obtained, inaccurate, or being used for an unauthorized purpose. But gambling platforms may also have legal reasons to keep some records, especially for anti-money laundering, fraud prevention, regulatory compliance, responsible gaming, tax, audit, or pending disputes.
What “deletion of personal data” means under Philippine law
In the Philippines, the usual legal term is not simply “delete my account.” The stronger and more precise request is to exercise your right to erasure or blocking under the Data Privacy Act of 2012, Republic Act No. 10173, its Implementing Rules and Regulations, and issuances of the National Privacy Commission.
A person whose data is collected or used is called a data subject. The company that decides why and how your personal data is processed is usually the personal information controller or PIC. For an online gambling platform, the PIC may be:
- the licensed gaming operator;
- the brand owner;
- the local Philippine company operating the gaming site;
- an affiliated gaming system administrator;
- a payment or wallet-linked partner, depending on how the transaction is structured.
A company that processes data only on behalf of the PIC is a personal information processor or PIP. Examples may include hosting providers, ID verification vendors, payment processors, customer support vendors, analytics tools, and fraud screening providers.
When you request deletion, you are usually asking the platform to do one or more of the following:
- close or deactivate your player account;
- delete personal data that is no longer necessary;
- block further processing of your personal data;
- withdraw your consent to marketing, profiling, or data sharing;
- remove your data from active systems;
- stop sending promotional messages;
- delete or anonymize data held by processors or affiliates;
- tell you what data must be retained and the legal basis for keeping it.
The National Privacy Commission explains the right to erasure or blocking as the right to request the suspension, withdrawal, blocking, removal, or destruction of personal data from a PIC’s filing system, including live and backup systems, where the legal grounds exist. See the NPC’s official page on the right to erasure or blocking.
Your legal rights when an online gambling platform has your data
1. Right to be informed
Under Section 16 of RA 10173 and Rule VIII of the IRR, you have the right to know whether your personal data is being processed, why it is being processed, who receives it, how long it will be stored, and how you can exercise your rights.
For online gambling platforms, this matters because privacy notices are often long, generic, or spread across several pages. A proper privacy notice should help you understand:
- what IDs and verification data are collected;
- whether your selfie, facial scan, or liveness check is stored;
- whether your data is shared with affiliates, advertisers, payment partners, fraud detection vendors, or regulators;
- how long KYC and transaction data are retained;
- how to contact the platform’s Data Protection Officer or privacy contact.
2. Right to object and withdraw consent
You may object to processing, especially processing based on consent or legitimate interest, such as marketing, profiling, promotional SMS, push notifications, bonus offers, affiliate retargeting, or sharing with advertising partners.
But objection does not automatically erase data that the platform must still process under law. For example, even after you withdraw consent to marketing, a licensed gambling operator may still retain transaction and KYC records required for legal, regulatory, AML, or dispute purposes.
3. Right to access
You may request reasonable access to your personal data, including the contents of the data processed, sources, recipients, processing methods, reasons for disclosure, automated processing information, and the identity of the PIC.
This is useful before asking for deletion because many users do not know exactly what the platform has stored. A practical access request may ask for:
- account profile data;
- KYC documents submitted;
- selfie or biometric verification status;
- wallet or bank-linked transaction records;
- login history and device records;
- bonus, promotion, and affiliate tagging data;
- list of third parties that received your data;
- retention period for each category.
4. Right to rectification
If the platform has wrong, outdated, or incomplete data about you, you may ask for correction. This is important if your name, birth date, ID number, mobile number, or e-wallet details were encoded incorrectly.
For gambling platforms, incorrect KYC data can cause account locks, withdrawal delays, false fraud flags, or failed identity verification.
5. Right to erasure or blocking
You may request erasure or blocking when there is substantial proof that your personal data is:
- incomplete, outdated, false, or unlawfully obtained;
- being used for a purpose you did not authorize;
- no longer necessary for the purpose for which it was collected;
- being processed unlawfully;
- connected to a violation of your rights as a data subject;
- subject to withdrawn consent or objection, and there is no other lawful basis to continue processing.
The key phrase is “no longer necessary.” A platform may delete marketing data, inactive account data, duplicate ID uploads, or old support records sooner than it can delete legally required KYC and transaction records.
Why gambling platforms may not delete everything immediately
A deletion request is not a magic eraser. Philippine law recognizes that some personal data may be retained when necessary for legal obligations, legitimate business purposes, legal claims, investigations, or regulatory compliance.
This is especially important in gambling because the industry is heavily regulated.
PAGCOR states that it regulates games of chance and licenses gaming operations within Philippine territory, including electronic gaming operations such as eCasino, eBingo, sports betting, online poker, specialty games, and numeric games through its Electronic Gaming Licensing Department.
Casinos are also covered persons under anti-money laundering law. RA 10927 amended the Anti-Money Laundering Act to designate casinos, including internet and ship-based casinos, as covered persons. This means gaming operators may have customer due diligence, transaction monitoring, and recordkeeping obligations.
In practical terms, a Philippine gambling platform may refuse full immediate deletion of:
| Type of data | Can it usually be deleted right away? | Practical reason it may be retained |
|---|---|---|
| Marketing consent, promotional tags, SMS/email subscription | Often yes | Usually no longer needed once consent is withdrawn |
| App notification preferences | Often yes | Can usually be disabled or deleted |
| Duplicate ID uploads or failed verification attempts | Sometimes | Depends on fraud, audit, or KYC rules |
| Core KYC file: name, birth date, ID, selfie verification | Not always | May be needed for AML, age verification, fraud prevention, audit, or regulator checks |
| Deposit, withdrawal, and betting transaction history | Usually not immediately | May be needed for AML, tax, accounting, disputes, chargebacks, or investigations |
| Fraud flags, abuse reports, banned-account records | Often retained | Needed to prevent duplicate accounts, bonus abuse, identity fraud, or unlawful activity |
| Self-exclusion or responsible gaming records | Usually retained during exclusion | Needed to enforce the ban and prevent reactivation |
| Customer support chats | Sometimes | May be retained for disputes, complaints, or legal claims |
| Backup copies | Not always immediately | May be removed according to backup rotation, while blocked from active use |
A good deletion response from the platform should not merely say “denied.” It should explain what data was deleted, what data was blocked, what data was retained, why it was retained, and how long it will be kept.
First: check whether the gambling platform is licensed or illegal
Before sending sensitive documents to any gambling site, verify whether the platform is listed in PAGCOR’s official regulatory pages. PAGCOR warns that unauthorized online betting operations expose users to legal and fraud risks and advises the public to refer to its official regulatory site for authorized gaming entities and websites. See PAGCOR’s public advisory on illegal online betting operations.
This matters because your practical remedies differ:
| Situation | Practical implication |
|---|---|
| PAGCOR-licensed Philippine platform | You can send a data subject request to the operator/DPO and escalate to the NPC if ignored or improperly denied |
| Licensed platform using third-party service providers | The operator remains accountable for processors and should coordinate deletion/blocking where appropriate |
| Foreign offshore site with no Philippine presence | The Philippine Data Privacy Act may still apply if there is a Philippine link, but enforcement may be harder |
| Illegal or suspicious site | Avoid sending more IDs; preserve evidence; report to PAGCOR, NPC, and cybercrime authorities if data misuse, threats, fraud, or identity theft occurred |
Step-by-step guide to request deletion of your data
1. Preserve evidence before closing the account
Before you delete the app, block the agent, or lose access to the account, save evidence. This is important if you later need to file a complaint with the platform, NPC, PAGCOR, your e-wallet provider, or cybercrime authorities.
Save:
- screenshots of your account profile;
- username, account ID, player ID, or registered mobile number;
- platform URL, app name, brand name, and operator name;
- privacy policy and terms of service;
- KYC submission page or confirmation;
- deposit and withdrawal records;
- SMS, email, Telegram, Messenger, WhatsApp, or in-app messages;
- proof of your deletion request;
- proof that the platform received your request;
- any refusal, delay, threat, or suspicious response.
Do not fabricate screenshots or alter timestamps. Keep original files when possible.
2. Withdraw funds and download needed records
If your account still has a legitimate balance, resolve withdrawals first. Some platforms lock accounts after closure or require KYC before release of funds.
Download or save:
- transaction history;
- withdrawal confirmations;
- pending dispute records;
- tax or accounting records if relevant;
- responsible gaming or self-exclusion confirmation, if any.
Deletion can make later account recovery harder.
3. Find the correct privacy contact or Data Protection Officer
Look for the platform’s:
- privacy policy;
- Data Protection Officer email;
- support ticket system;
- official company name;
- registered office address;
- PAGCOR license or accreditation details;
- official domain listed by PAGCOR.
Avoid sending deletion requests through random agents, affiliate promoters, Facebook pages, or Telegram accounts unless the platform itself identifies those channels as official.
4. Send a written data subject request
Use a clear subject line, such as:
Exercise of Data Subject Rights: Request for Account Closure, Erasure/Blocking, and Withdrawal of Consent
Your request should include enough information for the platform to identify you, but not more than necessary.
Include:
- your full name;
- registered email and mobile number;
- username or player ID;
- platform name and website/app;
- date you created or last used the account, if known;
- a clear request to close the account;
- a clear request to delete or block personal data no longer necessary;
- withdrawal of consent to marketing, profiling, and data sharing not required by law;
- request to stop SMS, email, push, and messenger promotions;
- request for a list of retained data and legal basis for retention;
- request for confirmation once deletion or blocking is completed.
5. Ask for a retention explanation, not just deletion
A strong request should recognize that some records may be legally retained. This makes your request more practical and harder to dismiss.
You can write:
For any personal data you claim must be retained, please identify the data category, purpose of retention, legal basis, retention period, and whether the data has been restricted from marketing, profiling, or unnecessary access.
This is often more effective than simply saying “delete everything now,” because gambling operators commonly retain KYC and transaction data.
6. Attach only necessary proof of identity
The platform may need to verify that the request is really from the account owner. But you should avoid oversharing, especially with suspicious sites.
Practical approach:
- use the platform’s secure in-app ticket or official privacy email if available;
- provide account details first;
- if an ID is required, ask why and how it will be protected;
- consider watermarking the ID copy: “For data privacy rights request to [Platform Name] only”;
- cover information not needed for verification where appropriate, such as full address or full ID number, unless the platform reasonably needs it;
- never send your OTP, password, full card number, wallet PIN, or seed phrase.
7. Give the platform 15 calendar days before escalating
Under the NPC’s amended 2021 Rules of Procedure, a complaint generally requires proof that you informed the PIC, PIP, or concerned entity in writing and that it did not take timely or appropriate action, or gave no response, within 15 calendar days from receipt of your written notice. The rules also state that the NPC may waive this requirement in serious cases, such as grave and irreparable harm or patently illegal action. See the 2021 Rules of Procedure of the NPC, as amended.
For ordinary deletion requests, give the platform a clear deadline:
Please respond within fifteen (15) calendar days from receipt of this request.
Sample deletion request email
Subject: Exercise of Data Subject Rights: Request for Account Closure, Erasure/Blocking, and Withdrawal of Consent
To the Data Protection Officer / Privacy Team:
I am exercising my rights as a data subject under Republic Act No. 10173, the Data Privacy Act of 2012, and its Implementing Rules and Regulations.
Please close or permanently deactivate my account and delete, remove, block, or destroy personal data that is no longer necessary for the purposes for which it was collected, or that is being processed based only on my consent.
Account details:
- Full name:
- Registered mobile number:
- Registered email:
- Username / Player ID:
- Platform / app / website:
- Approximate date account was created or last used:
I also withdraw my consent to the processing of my personal data for marketing, promotional messages, profiling, affiliate marketing, retargeting, and data sharing not required by law. Please stop all SMS, email, push notification, in-app, and messenger-based promotional communications.
For any personal data you claim must be retained, please identify:
1. the category of data retained;
2. the purpose of retention;
3. the legal basis for retention;
4. the retention period;
5. whether the data has been blocked from marketing, profiling, or unnecessary access.
Please also confirm whether my data has been shared with affiliates, service providers, payment partners, verification vendors, or other third parties, and what steps you will take to notify them of this request where applicable.
Please respond within fifteen (15) calendar days from receipt of this request.
Thank you.
What to do if the platform ignores or denies your request
Send one follow-up
If there is no response after 15 calendar days, send a short follow-up attaching your first request and proof of delivery.
State:
- the date of your original request;
- the channel used;
- that 15 calendar days have passed;
- that you are requesting final action or a written explanation.
File a complaint with the National Privacy Commission
If the platform ignores you, refuses without proper basis, continues marketing after withdrawal of consent, exposes your ID, or uses your data for unauthorized purposes, you may file a complaint with the NPC.
The NPC’s official filing formal complaints page states that a formal complaint must be in a specific format, printed and filled out, notarized, and submitted in person, by courier, or by scanned email to the NPC.
Based on the amended NPC Rules, a complaint should generally include:
- written, signed, verified complaint;
- your identity and contact details;
- identity of the platform or respondent;
- narration of material facts;
- supporting evidence;
- reliefs requested;
- copies of correspondence with the platform;
- proof that you first informed the platform in writing;
- statement of what action the platform took, if any;
- affidavits of witnesses, if needed;
- certification against forum shopping;
- Special Power of Attorney if a representative is filing for you.
The NPC’s Schedule of Fees and Charges lists a ₱500 filing fee for complaints, with additional fees if you claim damages. Indigent litigants may request exemption if they meet the stated requirements, such as a barangay certificate of indigency and supporting affidavits.
If you are abroad
Filipinos overseas and foreigners outside the Philippines may still exercise data subject rights if the platform or processing has a sufficient Philippine connection.
Practical points:
- A representative in the Philippines should have a Special Power of Attorney.
- Documents signed abroad may need notarization before a Philippine Embassy or Consulate, or an apostille certificate from the country of origin, depending on the document and country.
- Keep all emails, screenshots, and delivery confirmations because they may serve as proof of prior written notice.
- If the gambling operator has no Philippine office, no local representative, and no real Philippine link, enforcement may be more difficult, but the evidence can still be useful for payment disputes, foreign regulator reports, or cybercrime complaints.
When to report to PAGCOR, not only the NPC
The NPC handles data privacy violations. PAGCOR regulates Philippine gaming operations. In some cases, both may be relevant.
Report to PAGCOR when:
- the platform claims to be PAGCOR-licensed but is not on official lists;
- the site uses a fake PAGCOR seal;
- the operator refuses to identify its license or legal entity;
- the platform operates through suspicious mirror sites;
- the platform continues targeting you despite self-exclusion;
- the issue involves responsible gaming controls, licensing, or illegal online betting.
PAGCOR’s regulatory contact page lists the Electronic Gaming Licensing Department and other regulatory departments on its official regulatory contact page.
If your ID or account was misused
A deletion request may not be enough if your ID, selfie, phone number, or wallet details were misused.
Consider separate action if:
- someone opened a gambling account using your identity;
- your ID was posted, sold, or shared;
- you are being threatened by agents or collectors;
- your e-wallet was linked without permission;
- withdrawals were made to an account you do not control;
- the site demands more IDs before releasing funds;
- your data appears in other gambling or lending apps.
Possible legal issues may include violations of the Data Privacy Act, fraud, unauthorized access, or computer-related identity theft under the Cybercrime Prevention Act of 2012, RA 10175. For cybercrime concerns, users commonly preserve evidence and report to the PNP Anti-Cybercrime Group, NBI Cybercrime Division, or appropriate law enforcement office.
Deletion request vs. self-exclusion
Do not confuse data deletion with self-exclusion.
Deletion is about personal data. Self-exclusion is about preventing gambling access.
If your main concern is gambling harm, addiction, relapse, or repeated promotional targeting, account deletion alone may not protect you. The operator may delete marketing data but still allow you to create another account later unless responsible gaming controls apply.
PAGCOR’s responsible gaming page explains that patrons may request self-exclusion or banning for periods such as 6 months, 1 year, or 5 years, with requirements including a self-exclusion form, government-issued photo ID, and recent 2x2 photos. See PAGCOR’s official page on responsible gaming and exclusion.
For many people, the strongest practical combination is:
- withdraw remaining legitimate funds;
- request account closure;
- request deletion or blocking of unnecessary personal data;
- withdraw marketing consent;
- apply for self-exclusion if gambling access is the real risk;
- keep proof of all requests.
Common mistakes that weaken deletion requests
Asking only through live chat
Live chat agents often handle basic support, not data privacy rights. Use the official privacy email, DPO contact, or support ticket system and keep proof.
Saying only “delete my account”
Account closure and data erasure are different. Say that you are exercising your rights under RA 10173 and specifically request erasure, blocking, withdrawal of consent, and a retention explanation.
Deleting evidence too early
Do not uninstall the app or delete emails before saving proof of your account, KYC submission, payments, messages, and requests.
Sending full IDs to suspicious sites
If the site is unlicensed or suspicious, sending more documents may increase your risk. Verify the operator first. Use official channels only.
Expecting AML and transaction records to disappear immediately
Licensed gambling operators may lawfully retain certain KYC and transaction records. Your stronger demand is to stop unnecessary processing, delete what is no longer needed, block marketing use, and explain retention.
Ignoring third-party sharing
Ask whether your data was shared with affiliates, payment partners, verification vendors, or marketing partners. A platform may need to coordinate with processors or notify third parties where appropriate.
Not stopping promotional messages separately
Deletion requests can take time. Also expressly withdraw consent to marketing and demand that SMS, email, push notifications, and messenger promotions stop immediately.
Practical timelines
| Step | Typical timing | Notes |
|---|---|---|
| User sends deletion request | Day 0 | Use official DPO/privacy/support channel |
| Platform acknowledgment | Same day to several days | Some platforms issue only a ticket number |
| Waiting period before NPC escalation | 15 calendar days | NPC rules generally require prior written notice and no timely/appropriate action |
| Internal review by platform | 1–4 weeks | Longer if KYC, AML, fraud, or disputes are involved |
| Deletion from active systems | Varies | Marketing and inactive profile data may be faster |
| Removal from backups | Varies by backup cycle | Often not immediate, but data should be protected from active use |
| NPC complaint filing | After requirements are complete | Formal complaint must be verified, notarized, and supported by evidence |
Documents to prepare
| Purpose | Documents or evidence |
|---|---|
| Request to platform | Account ID, registered email/mobile, screenshots, written request, minimal proof of identity |
| Proof of prior notice | Email receipt, ticket number, courier receipt, screenshots of support submission |
| NPC complaint | Verified complaint, notarization, annexes, correspondence, certificate against forum shopping, proof of 15-day non-response or inadequate action |
| Filing through representative | Special Power of Attorney and representative’s ID |
| Filing from abroad | Consular notarization or apostille where required |
| PAGCOR report | Platform URL, app name, screenshots, claimed license, deposit/withdrawal proof, communications |
| Cybercrime or identity theft report | Original screenshots, URLs, phone numbers, wallet details, transaction IDs, threat messages, ID misuse evidence |
Frequently Asked Questions
Can I force an online gambling platform to delete my KYC documents?
Not always immediately. You can request deletion or blocking, but the platform may retain KYC documents if needed for AML, regulatory, fraud prevention, legal claims, audit, or other lawful purposes. The platform should explain what it is keeping, why, and for how long.
Can I ask them to stop sending gambling promotions?
Yes. You can withdraw consent and object to processing for direct marketing, profiling, promotional SMS, email, push notifications, and affiliate retargeting. Even if some account records are retained, they should not keep using your data for unnecessary marketing after you object.
What if the online casino says account closure means my data is deleted?
Ask for written confirmation. Account closure usually means you can no longer log in or play. It does not always mean your KYC, transaction, device, fraud, or support records were deleted. Request a breakdown of deleted, blocked, and retained data.
What if the site is not PAGCOR-licensed?
Be careful about sending more personal documents. Preserve evidence, check PAGCOR’s official regulatory lists, and consider reporting the site to PAGCOR. If your personal data was misused, also consider NPC and cybercrime reporting.
Can foreigners request deletion from Philippine gambling platforms?
Yes. The Data Privacy Act protects data subjects, not only Filipino citizens. A foreigner whose personal data is processed by a Philippine-linked platform may exercise data subject rights. If filing from abroad, documents may need consular notarization or apostille.
Can I file an NPC complaint immediately?
Usually, you must first inform the platform in writing and allow it to take timely or appropriate action. The NPC Rules refer to a 15-calendar-day period from receipt of your written notice. In serious cases, the NPC may waive this requirement, such as where there is grave and irreparable damage or patently illegal action.
How much does it cost to file a privacy complaint with the NPC?
The NPC’s published fee schedule lists a ₱500 filing fee for complaints, with possible additional fees if damages are claimed. Indigent litigants may request exemption if they submit the required supporting documents.
Can deletion remove my gambling losses or transaction history?
No. A data deletion request does not erase legal transaction records, debts, chargebacks, fraud reviews, AML records, or evidence in disputes. It is about personal data rights, not rewriting financial history.
Can I demand deletion from e-wallets or banks linked to gambling?
You may send separate data subject requests to e-wallets, banks, or payment providers, but financial institutions also have strict legal retention obligations. They may stop unnecessary processing or marketing, but they generally cannot erase legally required financial records immediately.
What if my ID was used to create a gambling account without my consent?
Treat it as a possible identity misuse issue. Preserve evidence, notify the platform in writing, demand blocking of the account and investigation, notify your e-wallet or bank if linked, and consider reporting to the NPC and cybercrime authorities.
Key Takeaways
- The correct Philippine legal request is usually erasure or blocking under RA 10173, not merely “delete my account.”
- Online gambling platforms may delete marketing and unnecessary account data, but may retain KYC and transaction records for AML, regulatory, tax, fraud, audit, or legal reasons.
- Put your request in writing, send it to the official DPO/privacy channel, and keep proof of receipt.
- Ask the platform to identify what data was deleted, blocked, retained, the legal basis for retention, and the retention period.
- Give the platform 15 calendar days before escalating to the NPC, unless the situation involves serious harm or urgent illegality.
- Verify whether the platform is PAGCOR-authorized before sending more sensitive documents.
- For gambling harm, combine data deletion with account closure, marketing opt-out, and self-exclusion where appropriate.
- If your ID or account was misused, treat the issue as a privacy and possible cybercrime matter, not just an account deletion request.