Search for:

In brief

On 7 November 2023, the National Privacy Commission (NPC) issued Advisory No. 2023-01  (“Advisory“), which sets out guidance on the nature of deceptive design patterns and how their use by personal information controllers (PICs) and personal information processors (PIPs) when securing consent vitiates the consent of the data subject and consequently renders the data processing to be without lawful basis.

This Advisory supplements the recently issued NPC Circular No. 2023-04, or the comprehensive guidelines on the use of consent as a lawful basis for processing data, which, among others, prohibits the use of deceptive design patterns. For additional information regarding the circular, please check our previous client alert below:


Guidelines against deceptive design patterns, in more detail

The NPC emphasized against the use of deceptive design patterns or those design techniques embedded in an analog (or offline) and/or digital interface that aim to manipulate or deceive a data subject to perform a specific act relating to the processing of their personal data.

PICs and PIPs are reminded to abide by the principle of fairness in securing the consent of their data subjects, such that their analog and/or digital interface must be designed and operated in a way that the processing of information will not be detrimental, discriminatory, unexpected or misleading to the data subjects.

Deceptive design patterns may be appearance-based or content-based. Appearance-based design patterns refer to design patterns that manipulate or deceive a data subject through the display or presentation of information. These include, but are not limited to, patterns that:

  • Prohibit a data subject from categorically disallowing the processing of their personal data, or repeatedly prompt a data subject to take an action to share more information than what is necessary or originally intended
  • Present control settings that confuse a data subject such that it leads them to inadvertently consent to the processing of their personal data
  • Make it easy to consent to the processing of their personal data but make it difficult to withdraw their consent by requiring the data subject to undertake tedious, complex and time-consuming processes
  • Accentuate a choice that results in the processing of more personal data, while blurring or obfuscating the option that enables data minimization
  • Purposely complicate or muddle a data subject’s choices relating to the processing of their personal data
  • Bombard a data subject with excessive information that are not essential to the processing of their personal data
  • Present default options that benefit the PIC but may be detrimental to the data subject, such as: (1) maximizing the amount of personal data that will be processed; or (2) unnecessarily bundling the purposes for processing
  • Use style and design techniques to distract a data subject from the information provided by a PIC: (1) to acquire the data subject’s consent for the processing of their personal data; or (2) for the data subject to provide more information than what is required or necessary for the specified purpose declared
  • Use characters that children know and trust to influence them into providing more information than what is necessary for the declared purpose

On the other hand, content-based deceptive design patterns refer to design patterns that manipulate or deceive a data subject through the actual contents, including the language and context of the information made available to them. Some examples provided in the Advisory are patterns that:

  • Use ambiguous, complex or confusing language or sentence structures to steer a data subject into making a choice that is detrimental or violative of their rights as a data subject
  • Provide contradicting, fabricated or misleading information, or omitting relevant information when acquiring the data subject’s consent for the processing of their personal data
  • Frame choices as better alternatives to shame or steer a data subject from making a choice that better adheres to the general principles of privacy or respects their rights as a data subject

According to the guidelines, the use of deceptive design patterns on analog or digital interfaces violates the fairness principle and may result in the vitiated consent of the data subject, which renders the processing undertaken without a lawful basis. Consequently, PICs and PIPs may be held liable under the Philippine Data Privacy Act and related NPC issuances.

PICs and PIPs are further reminded to comply with their obligation to adopt a Privacy by Design approach1 in the processing of personal data.

Recommended actions

Clients are advised to periodically review the methods by which they secure the consent of their data subjects and ensure compliance with the Advisory and the obligation to adopt a Privacy by Design approach.

* * * * *

LOGO Philippines_QuisumbingTorres_Manila

Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

VISIT QUISUMBING TORRES SITE

Author

Divina Ilas-Panganiban, CIPM is a partner and the head of Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT, and the Asia Pacific Intellectual Property Steering Committees.
Divina is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP). She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Regional Vice-chair of the LESI's Education Committee, the Co-chairperson of the Committee on Intellectual Property Rights of The American Chamber of Commerce of the Philippines, and the Chairperson of the IAPP KnowledgeNet Chapter for the Philippines.
Divina was recently appointed to be a member of the Advisory Council for Intellectual Property (ACIP) of the Intellectual Property Office of the Philippines (IPOPHL). The ACIP is an advisory board composed of a select group of people from different sector to which IP is of great value. She was recently recognized in the Hall of Fame for Best External Lecturers by the IP Academy of the IPOPHL.
Divina just finished her stint as the chair the Unreal Campaign of the International Trademarks Association (INTA) for East Asia and the Pacific and continues to organize anti-counterfeiting activities in schools and universities around the country, educating the youth about the importance of intellectual property protection.
Divina is a multi-awarded lawyer with a stellar track record in the IP, data and technology fields. She has garnered numerous awards and accolades, including the Woman Lawyer of the Year by the ALB Philippine Law Awards 2023. She has been cited as leading lawyer for intellectual Property and TMT by The Legal 500 Asia Pacific, Chambers Asia Pacific, Managing IP, World Trademark, Asialaw and IAM Patent 1000, among others. Known for her exceptional legal expertise and unwavering commitment to her clients, Divina has established herself as a leader in her profession.

Author

Frederick August Jose is a partner in Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and Technology, Media & Telecommunications. He has 12 years of experience in a wide range of IP and IT corporate and litigation matters.
Frederick is a Certified Information Privacy Professional for Europe by the International Association of Privacy Professionals (IAPP). He has been appointed as a member of the Co-Existence Agreement Sub-Committee of the International Trademark Association (INTA) for the term 2022 to 2023. He actively participates as a speaker in various regional and local seminars and trainings on IP, IT and data privacy in the Philippines. He also teaches summer law courses, and Intellectual Property Law.