

Jul 8, 2026
NPC just closed a loophole that Philippine businesses didn't know they were relying on - and it touches everything from Lead Generation to Background Checks.
Sales Team builds prospect lists from LinkedIn profiles.
Your HR Team googles job applicants before an interview.
Marketing pulls customer leads from public directories.
If any of these are practiced in your organization, then you have been "scraping" personal data, and you have probably assumed it was fine because the information was already public.
In April 2026, the National Privacy Commission (NPC) issued Advisory No. 2026-01, "Guidelines on Data Scraping of Publicly Available Personal Data," and it says no, it isn't automatically fine.
This advisory doesn't ban scraping outright. What it does is close off the most common excuse organizations use to justify collecting and reusing personal information they didn't obtain directly from the person it belongs to. For any business that touches customer, employee, or applicant data sourced from the open internet - this is worth understanding now, rather than after a complaint is submitted to the NPC.
Realization #1: "Public" Does Not Mean "Consented"
Many organizations treat publicly visible information - a social media profile, a business directory listing, a published obituary or announcement - as fair game for any use, on the theory that the person already chose to make it public. The NPC Advisory rejects this reasoning directly. Under the DPA, the fact that personal data is accessible does not mean the individual consented to it being collected, compiled, and reused for a different purpose than the one it was originally shared for.
Call to action:
Inventory where your organization currently sources personal data from public online sources (social media, directories, public records, news sites)
For each source, identify the actual lawful basis you are relying on - consent, legitimate interest, contractual necessity, or legal obligation - rather than defaulting to "it was public"
When Legitimate Interest is the basis, document the balancing test: does your interest in using the data outweigh the individual's reasonable expectation of privacy?
Realization #2: Bulk Collection Changes the Risk Profile
In the NPC's view, looking up one person's public profile is different from systematically compiling data on hundreds or thousands of people - even if each data point was technically public. Aggregation itself can create new privacy risks: a compiled profile can reveal patterns, relationships, or inferences that no single public post disclosed on its own. Automated or Bulk Scraping tools blur this line without anyone deciding, or writing as a policy, that bulk collection was appropriate.
Call to action:
Distinguish in policy between ad hoc searches (e.g. one recruiter checking one applicant) and any tool or process that compiles data on multiple individuals at scale
Any bulk or automated scraping activity should go through a documented risk assessment before deployment, not after a tool is already in use
Set Retention Limits for scraped datasets - don't let compiled leads or applicants research accumulate indefinitely.
Realization #3: Secondary Use Is Where Most Organizations Get Exposed
Even when initial collection is defensible, organizations frequently reuse scraped data for purposes far beyond the original reason it was gathered - a recruiter's background check turns into an internal "watch list," or a one-time lead list gets included into an ongoing marketing database without anyone revisiting whether that's still appropriate. The Advisory is a reminder that Lawful Basis has to hold up for use and purpose, not just the first one.
Call to action:
Map out what happens to scraped data after initial collection: is it Deleted, Archived, Shared with other departments, merged into CRM platform?
Require documented purpose statement before scraped data is repurposed for anything beyond its original and specific use
Train Sales, Marketing, HR staff and the like to recognize when a "quick lookup" is quietly becoming an ongoing data processing activity.
Realization #4: Vendor Accountability
More organizations don't scrape data themselves - they acquire lead lists, use third-party recruitment or background-check platforms, or subscribe to marketing intelligence tools that do the scraping on their behalf. Outsourcing the technical act of scraping does not outsource the legal responsibility; as the Personal Information Controller (PIC), your organization remains accountable for how that data was obtained and whether it can be lawfully used.
Call to action:
Ask every third-party data vendor how they source their datasets and what lawful basis they rely on for collection
Build data-sourcing warranties and audit rights into Vendor contracts, particularly for lead generation and background-check providers
Never assume that Vendors have the same level of compliance - request documentation, not just assurance.
How Cosaint Consulting Inc. can help
Cosaint helps Philippine organizations translate NPC guidance into practical, operational policies - not just paperwork. Our advisory services include: Data Processing and Lawful-basis audits for marketing, sales, and HR functions; review and drafting of data sharing and vendor agreements with data-sourcing warranties; Privacy Impact Assessments (PIA) on scraping, lead-generation, and screening tools; and staff training on lawful data collection practices tailored to your industry.
Data scraping is one of many evolving compliance challenges that organizations across all industries now face. Navigating these challenges requires more than general knowledge of the Data Privacy Act - it requires a compliance partner who understands the specific regulatory environment, operational risks, and data processing realities of your sector.
Cosaint Consulting Inc. has built its expertise through active, hands-on compliance engagements across a wide range of industries, building expertise on the following:
Hospitality — Guest and Employee data governance and privacy frameworks for hotel and resort operations
Education — Student data protection, sensitive personal information management, cross-border transfer programs, and academic institution DPA compliance
Financial Services and Collections — BSP-aligned cybersecurity compliance programs, and lawful personal data use in collection operations
Information Technology — ISO 27001/27005/27701 implementation, vendor security questionnaire readiness, and Privacy-by-Design for technology-driven businesses
Business Process Outsourcing — Multi-jurisdictional compliance covering RA 10173, GDPR overlap, and client-driven security requirements
Professional Organizations and Associations — Membership data governance for HR organizations, manning agencies, chambers of commerce, and industry associations
If your organization relies on publicly sourced data for recruitment, marketing, or screening, now is the time for a quick compliance check - before it becomes an NPC inquiry addressed to your Management Team.
Whether your organization is responding to an NPC advisory, preparing for registration, or building a compliance program from the ground up — Cosaint brings sector-specific expertise that generic approaches cannot deliver.
Get in touch with Cosaint Consulting Inc. at info@cosaintconsulting.com or visit the other sections of the website cosaintconsulting.com, to find out how we can support your compliance journey.