Every Filipino website you visit shows a cookie banner. Most of them are wrong — either too aggressive (collecting consent for tracking that does not need it), too vague (a single "we use cookies" line that satisfies nobody), or completely absent.
Under the Philippine Data Privacy Act and recent NPC advisories, cookie consent has clear rules. Here is what your business actually needs in 2026.
What Cookies Trigger Data Privacy Act Obligations
Not all cookies are equal. The Data Privacy Act applies when cookies are used to process personal data — which includes anything that can identify a specific user, alone or in combination with other data.
In practice, this means:
- Strictly necessary cookies (login session, cart, security tokens) — no consent required. You can drop these without asking.
- Functional cookies (language preference, theme) — consent recommended but not always mandatory.
- Analytics cookies (Google Analytics, Facebook Pixel) — consent required if they identify users.
- Marketing/Advertising cookies (retargeting, tracking pixels, third-party ad networks) — consent always required.
If your site uses Google Analytics or Facebook Pixel — and most Philippine business sites do — you need a proper cookie consent banner.
The 4 Requirements of a Compliant Cookie Banner
NPC Advisory Opinion 2019-074 and related guidance set clear expectations:
1. Information Before Consent
The banner must tell the user:
- What cookies you use (by category at minimum)
- What each category is for
- Which third parties receive the data (Google, Meta, etc.)
- How long each cookie persists
- How to withdraw consent later
This information cannot be buried 3 clicks deep. It must be visible from the banner itself, even if collapsed.
2. Genuine Choice — Reject Must Be as Easy as Accept
The single biggest issue with most Philippine business cookie banners: there is only an "Accept" button, no "Reject."
NPC has clarified that genuine consent requires equal-prominence Reject and Accept buttons. A small "Manage preferences" link that opens a modal with 12 toggles, where the user has to manually disable each, is not an equivalent alternative to a one-click Accept.
The compliant minimum:
- Accept All — prominent button
- Reject All — equally prominent button
- Customize — optional secondary link for granular control
3. Consent Must Be Unbundled and Granular
You cannot ask a user to consent to "analytics + marketing + functional" as a single yes/no. Each category needs its own toggle. A user must be able to accept analytics while rejecting marketing.
4. No Loading Tracking Cookies Before Consent
Most Philippine business websites violate this. They load Google Analytics or Facebook Pixel on page load — BEFORE the user has seen the cookie banner, let alone agreed.
That is a violation regardless of what the banner says. Tracking cookies must only fire AFTER explicit consent.
This usually requires a "consent management platform" (CMP) integration. Cookiebot, OneTrust, and CookieYes all do this for free at small scale.
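A minimal sketch of requirements 3 and 4 together, added here as an illustration and not taken from any CMP named on this page: consent is stored per category, anything not explicitly accepted counts as refused, and a tracker script is injected only after its own category is accepted. The function names, the `TRACKERS` registry and the `G-EXAMPLE` measurement ID are assumptions.

```javascript
// Added example. All names here are hypothetical, not a CMP's API.
const CATEGORIES = ["functional", "analytics", "marketing"];

// Constructed registry: each third-party script is tied to one category.
const TRACKERS = [
  { name: "Google Analytics", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" }, // placeholder ID
  { name: "Facebook Pixel", category: "marketing",
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Normalise a stored consent record (e.g. a localStorage string).
// Missing, malformed or non-boolean values count as "no", so nothing
// is ever pre-checked and a first-time visitor gets no trackers.
function parseConsent(raw) {
  let stored = {};
  try { stored = JSON.parse(raw) || {}; } catch (_) { stored = {}; }
  const consent = {};
  for (const c of CATEGORIES) consent[c] = stored[c] === true;
  return consent;
}

// Granular decision: a tracker is allowed only if its own category is true.
function decideScripts(consent, trackers = TRACKERS) {
  return trackers.filter((t) => consent[t.category] === true);
}

// Accept All and Reject All are both a single call (one click each).
const acceptAll = () => Object.fromEntries(CATEGORIES.map((c) => [c, true]));
const rejectAll = () => Object.fromEntries(CATEGORIES.map((c) => [c, false]));

// Inject the allowed scripts. Call it on page load with the stored record
// and again after the visitor chooses; pass `document` in the browser.
function applyConsent(consent, doc) {
  const injected = [];
  for (const t of decideScripts(consent)) {
    if (doc.querySelector(`script[src="${t.src}"]`)) continue; // already loaded
    const s = doc.createElement("script");
    s.async = true;
    s.src = t.src;
    doc.head.appendChild(s);
    injected.push(t.name);
  }
  return injected;
}
```

For this to work, the tracker `<script>` tags must be removed from the page template so that `applyConsent` is the only path that loads them.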
Required Information in Your Privacy Notice
In addition to the banner itself, your Privacy Notice (linked from the banner) must include:
- Categories of cookies used
- Purpose of each category
- Specific third parties (Google, Meta, Hotjar, etc.)
- Data retention periods
- How users can withdraw consent
- How users can exercise their data subject rights
We covered the broader Privacy Notice requirements in Privacy Notice Template for Philippine Businesses.
What a Compliant Cookie Banner Looks Like
A working 2026 cookie banner has, at minimum:
- Brief explanation of cookie use (2-3 sentences)
- 3 buttons: Accept All, Reject All, Customize
- Link to full Privacy Notice
- No tracking cookies loaded until consent is given
- A way to change preferences later (footer link, usually)
If you click "Reject All" and your Google Analytics still loads — the implementation is broken regardless of how nice the banner looks.
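One way to run that check, as an added example that is not part of the original article: record the URLs your page requests before any banner click and again after clicking "Reject All" (for instance from the browser's network tab), then flag any request that reaches a tracking host. The host list, function names and sample capture below are constructed for illustration.

```javascript
// Added example. Names and data are constructed for illustration.
// Tracker hosts to check against; extend for the third parties your site uses.
const TRACKER_HOSTS = [
  "google-analytics.com",
  "googletagmanager.com",
  "connect.facebook.net",
  "facebook.com",
  "youtube.com",
];

// True when host is the tracker domain itself or a subdomain of it.
// A plain substring test would wrongly flag youtube-nocookie.com.
function matchesHost(host, tracker) {
  return host === tracker || host.endsWith("." + tracker);
}

// requests: [{ url, phase }], phase is "pre-consent" or "after-reject".
// Every request in either phase that reaches a tracker host is a finding.
function findConsentViolations(requests, trackerHosts = TRACKER_HOSTS) {
  const violations = [];
  for (const { url, phase } of requests) {
    let host;
    try {
      host = new URL(url).hostname.toLowerCase();
    } catch (_) {
      continue; // skip entries that are not absolute URLs (data:, blob:, etc.)
    }
    const hit = trackerHosts.find((t) => matchesHost(host, t));
    if (hit) violations.push({ phase, host, tracker: hit });
  }
  return violations;
}

// Constructed capture from a hypothetical site, shop.example.
const SAMPLE_CAPTURE = [
  { phase: "pre-consent", url: "https://shop.example/assets/site.css" },
  { phase: "pre-consent", url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" },
  { phase: "after-reject", url: "https://www.google-analytics.com/g/collect?v=2" },
  { phase: "after-reject", url: "https://www.youtube-nocookie.com/embed/VIDEO_ID" },
  { phase: "after-reject", url: "https://connect.facebook.net/en_US/fbevents.js" },
];

// A compliant page yields an empty array for both phases.
const sampleFindings = findConsentViolations(SAMPLE_CAPTURE);
```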
Free Tools That Get This Right
- CookieYes — free for up to 100 monthly visitors with reasonable PH support
- Cookiebot — paid past free tier but very robust
- OneTrust — enterprise-grade, free tier available
- Klaro — open-source, self-hosted option for technical teams
All four properly block tracking cookies before consent.
Common Cookie Consent Mistakes in the Philippines
- One-button "Accept" banner with no Reject option
- Banner that loads AFTER tracking has already started
- "Consent" given by scrolling or clicking anywhere on the page
- Pre-checked "Accept" boxes for each cookie category
- No way to change preferences after initial consent
- Vague banner text that does not list third parties
Each of these is technically a violation. The NPC has not yet sanctioned individual SMEs for cookie banner issues alone, but they have been raised in complaint investigations.
Frequently Asked Questions
Does my website really need a cookie banner?
If you use Google Analytics, Facebook Pixel, or any third-party tracking — yes. If you have a static site with no tracking — probably not, but a brief notice in your Privacy Notice is still good practice.
Will adding a Reject button hurt my analytics?
Yes, somewhat. Typical opt-out rates are 30-60% for marketing cookies. But the law requires consent, so a smaller set of consenting visitors is the expected result, and the analytics you do collect are legally usable.
What about cookies set by social media embeds (YouTube, Facebook)?
Same rule. If you embed a YouTube video on a page, YouTube drops tracking cookies. You need consent before loading that embed, or use privacy-friendly versions (YouTube nocookie domain, lazy-loaded iframes).
Get Your Cookie Setup Right
A proper cookie consent setup takes 1 to 3 hours for most Philippine business websites — and protects you from regulatory exposure. At RDahunan I.T. Services we audit and implement DPA-compliant cookie consent as part of our DPO service. Want a free 15-minute audit of your current cookie banner? Send us a message.
General DPO guidance. Not legal advice.