NPC ADVISORY NO. 2023-01 (GUIDELINES ON DECEPTIVE DESIGN PATTERNS) AND ITS RELATION TO THE INTERNET TRANSACTIONS ACT
—Carlo E. Abarquez, Partner
—Justine Abigail C. Sablan, Senior Associate
—Carl Vincent G. Reinante, Associate
—Basilio Gerardo B. Apolinario VIII, Associate
The public is advised to be more wary of Deceptive Design Patterns, which deceive a person into giving consent to the disclosure of personal information. Recently, the National Privacy Commission (“NPC”) issued guidelines on these patterns. Here, we discuss the implications of the NPC guidelines and their relation to the Internet Transactions Act of 2023 (the “ITA”).
Issuances of the National Privacy Commission
With the prevalence of e-marketplaces, the Philippine government recognized the need to have an effective regulation of e-commerce in place to protect consumer rights and data privacy, and secure internet transactions. This initiative is apparent in the recently issued NPC Advisory No. 2023-01 (“Advisory”), NPC Circular No. 2023-04 (“Circular”), and the ITA.
On 07 November 2023, the NPC issued the Advisory, otherwise known as the “Guidelines on Deceptive Design Patterns”,[1] to provide guidance for personal information controllers (“PIC”) on the nature of Deceptive Design Patterns, and their impact on the lawful processing of personal data based on the data subject’s consent.[2]
In relation to the Advisory, the NPC also issued the Circular, otherwise known as the “Guidelines on Consent”, on 07 November 2023.[3] The Circular similarly provides guidance to all PICs on what constitutes valid consent, and how it shall be obtained and managed in compliance with the Data Privacy Act (“DPA”) and its Implementing Rules and Regulations (“IRR”).
Considering these recent NPC issuances, PICs must now be more aware of the different Deceptive Design Patterns in order to not undermine general data privacy principles and the right of data subjects.
Deceptive Design Patterns
The Advisory and the Circular define Deceptive Design Patterns as design techniques embedded on an analog or digital interface that aim to manipulate or deceive a data subject to perform a specific act relating to the processing of their personal data.[4] The Circular further adds “dark patterns” to this definition.[5]
A Deceptive Design Pattern is considered a vitiation of consent. The Circular provides that consent is not freely given in instances where there is any element of pressure, intimidation, possibility of adverse consequences for refusal to give consent, or any inability to exercise free will by the data subject. Deceptive Design Patterns could either be “Appearance-Based Deceptive Design Patterns” or “Content-Based Deceptive Design Patterns”.[6]
The Circular further provides the guidelines on specific processing activities, including processing for “Direct Marketing”[7] purposes which may require consent in certain instances, especially in relation to analog or digital interfaces. These interfaces should prevent “consent fatigue”, in which numerous and lengthy forms and notices undermine the purpose of obtaining consent.[8]
Data Privacy in Relation to the Internet Transactions Act of 2023
On 05 December 2023, the ITA was enacted to promote and maintain a robust e-commerce environment.[9] The law is a recognition that e-marketplaces are now considered a way of life and more protection should be given to consumers and sellers.
One form in which this protection is shown is by placing a premium on the data privacy and protection of the consumers. The ITA provides that e-retailers shall take the necessary precautions to protect the data privacy of consumers, at all times, in relation to the DPA and comply with the minimum information security standards set by the NPC and other issuances of relevant government agencies.[10] Digital platforms and e-marketplaces shall be covered by the provisions of the DPA, its IRR, and other issuances by the NPC.
Due to the recent NPC issuances and given the enactment of the ITA, PICs and users of e-marketplaces should be guided accordingly regarding Deceptive Design Patterns, and determine whether any of their acts within the e-marketplace would constitute any violation. Such violation may result in the vitiation of the consent of the other party and the possible annulment of the transaction.
[1] NPC Advisory No. 2023-01, Guidelines on Deceptive Design Patterns (“NPC Advisory No. 2023-01”), 07 November 2023.
[2] Id., Section 1.
[3] NPC Circular No. 2023-04, Guidelines on Consent, 07 November 2023.
[4] NPC Advisory No. 2023-01, Section 2; NPC Circular No. 2023-04, Section 2.
[5] NPC Circular No. 2023-04, Section 2.
[6] NPC Advisory No. 2023-01, Section 2.
[7] NPC Circular No. 2023-04, Section 14.
[8] Id., Section 9.B.
[9] Republic Act No. 11967, An Act Protecting Online Consumers and Merchants Engaged in Internet Transactions, Creating for this Purpose the Electronic Commerce Bureau, Appropriating Funds Therefor, and for Other Purposes, 05 December 2023.
[10] Id., Section 22(f).