The Data Privacy Act of 2012 (R.a. 10173) and Its Responsiveness to Current Privacy and Data Protection Issues Arising From Online Behavioral Advertising - RAMILO

7/21/2019 The Data Privacy Act of 2012 (R.a. 10173) and Its Responsiveness to Current Privacy and Data Protection Issues …

http://slidepdf.com/reader/full/the-data-privacy-act-of-2012-ra-10173-and-its-responsiveness-to-current 1/38

School of Law

The Data Privacy Act of 2012 (R.A. 10173) andIts Responsiveness to Current Privacy and Data Protection Issues

Arising from Online Behavioral Advertising

In Partial Fulfillment of the Requirements for the DegreeJuris Doctor

Submitted by:

Maria Ediliza Margarita C. Ramilo-Peria

October 2015



Table of Contents

I.

INTRODUCTION ....................................................................................... 1

Background .............................................................................................. 1

Statement of the Problem ....................................................................... 2

Significance of the Study ........................................................................ 3

Scope and Limitations ............................................................................. 4

II.

REVIEW OF RELATED LITERATURE ..................................................... 6

III.

METHODOLOGY .................................................................................... 10

IV.

RESULTS AND DISCUSSION ................................................................ 10

ONLINE BEHAVIORAL ADVERTISING ................................................. 10

Differentiating OBA from other Online Advertising Methods .. 10

Purposes of Online Behavioral Tracking .................................. 11

TRACKING TECHNOLOGIES ................................................................ 12

ISSUES WITH ONLINE BEHAVIORAL TRACKING............................... 18

LEGAL FRAMEWORK FOR PRIVACY AND DATA PROTECTION ...... 19

Scope of Application .................................................................. 20

Right to Consent ......................................................................... 24

V.

CONCLUSION AND RECOMMENDATION ............................................ 29

BIBLIOGRAPHY ................................................................................................ 31



1

I. INTRODUCTION

Background

The World Wide Web is a digital information space which has developed

from an organization-wide collaborative environment for sharing research

documents in nuclear physics1 to a widely subscribed global platform for sharing

information. In fact, as of May 2015, there are over three (3) billion Internet users

around the world2 and roughly forty-four (44) million of which are Filipinos.3

Open access to the internet was said to have revolutionized how individuals

communicate and collaborate, entrepreneurs and corporations conduct business,

and governments and citizens interact.4 Among all the major sectors in the

economy, the impact of the internet is most felt in the consumer, business, and

security sectors respectively.5

PwC’s global entertainment and media outlook for 2015-2019 reveals that

among the many segments of advertising, internet advertising will become the

1 Venkat N, Gudivada, et al., “Information Retrieval in the World Wide Web,” IEEE InternetComputing (1997), http://www.cacs.louisiana.edu/~raghavan/internet97.pdf (October 16, 2015).2 Michael Kende, “Internet Society Global Internet Report 2015: Mobile Evolution andDevelopment of the Internet,”

http://www.internetsociety.org/globalinternetreport/assets/download/IS_web.pdf (October 16,2015).3 The Statistics Portal, “Internet penetration in Asia Pacific as of 1st quarter 2015, by country,”http://www.statista.com/statistics/281668/internet-penetration-in-southeast-asian-countries/ (October 16, 2015).4 Michael Kende, “Internet Society Global Internet Report 2014: Open and Sustainable Access for

All,” http://www.internetsociety.org/sites/default/files/Global_Internet_Report_2014.pdf (October16, 2015).5 Mary Meeker, “Internet Trends 2015 – Code Conference,” KCPB, May 27, 2015,https://drive.google.com/file/d/0B5hEaQKLH-xoUHJjYWpQNXJySFU/view (October 16, 2015).

http://www.cacs.louisiana.edu/~raghavan/internet97.pdf



http://www.internetsociety.org/globalinternetreport/assets/download/IS_web.pdf


http://www.statista.com/statistics/281668/internet-penetration-in-southeast-asian-countries/


http://www.internetsociety.org/sites/default/files/Global_Internet_Report_2014.pdf



https://drive.google.com/file/d/0B5hEaQKLH-xoUHJjYWpQNXJySFU/view









2

largest, with a revenue growth forecast of US$ 135.42 billion in 2014 to US$ 239.87

billion in 2019.6

However, some argue that there are techniques used in advertising which

run afoul of a basic human right, the right to privacy.

There is a giant chasm between the type of tracking that companies are engagedin on the web and what people know or think is occurring. The general public hasvery little idea that every second they are on the Internet, their behavior is beingtracked and used to create a "profile" which is then sold to companies on "stock-market-like" exchanges. According to a Wall Street Journal study, the nation's topfifty websites installed an average of 64 pieces of tracking technology onto thecomputers of visitors, usually without warning, for a total of 3,180 tracking files. Adozen sites installed more than a hundred. Two-thirds of those files were installed

by 131 companies that are in the tracking and online consumer profiling business.7

This shall be discussed in more detail in the following chapters.

Statement of the Problem

Generally, the intention of this research is to analyze the responsiveness of

R.A. 10173 or the Data Protection Act of 2012 on privacy and data protection

issues arising from behavioral tracking as part of profiling for online behavioral

advertising.

Specifically, it aims to answer the following questions:

1. What is online behavioral advertising?

2. What purposes do online behavioral advertising serve?

6 PwC, “Global entertainment and media outlook 2015-2019: Internet Advertising,”http://www.pwc.com/gx/en/industries/entertainment-media/outlook/segment-insights/internet-advertising.html (October 16, 2015).7 Electronic Privacy Information Center , “Online Tracking and Behavioral Profiling,”https://epic.org/privacy/consumer/online_tracking_and_behavioral.html (October 16, 2015).

http://www.pwc.com/gx/en/industries/entertainment-media/outlook/segment-insights/internet-advertising.html



https://epic.org/privacy/consumer/online_tracking_and_behavioral.html







3

3. What are the major online tracking technologies used in online behavioral

advertising?

4. How do these tracking technologies affect the policy of the State to protect

the fundamental human right of privacy?

5. What features of R.A. 10173 secure and protect Filipinos from possible

breach of privacy in the practice of online behavioral advertising?

6. How sufficient are these provisions of R.A. 10173 in providing protection?

7. What lessons can we learn from Spain in their efforts to provide privacy and

data protection to their citizens?

Significance of the Study

The findings of this study will redound to the benefit of the following:

Citizens of the Philippines. Filipinos are known as the most

enthusiastic and engaged internet users in South East Asia, clocking in

more than six (6) hours of internet use per day.8 Considering their

incidental exposure to online behavioral advertising and their perceived

lack of knowledge of the consequent risks to their right of privacy,

studies, such as this, identifying issues and providing recommendations,

are critical for their protection.

8 8Felim McGrath, “GlobalWebIndex informs WeAreSocial’s New Digital, Social and Mobile in2015 Report.” GlobalWebIndex, January 22, 2015,https://www.globalwebindex.net/blog/globalwebindex-informs-wearesocial-new-digital-social-and-mobile-in-2015-report (October 11, 2015).

https://www.globalwebindex.net/blog/globalwebindex-informs-wearesocial-new-digital-social-and-mobile-in-2015-report






4

The Business Sector. Particularly, the online marketing industry, with

their increasing profit attributed to tailored online advertisements, shall

likewise be reminded of the website user’s right to privacy and of how

they can conduct their business ethically, with privacy and data

protection of their respective customers in focus, when employing online

behavioral advertising strategies.

The Philippine Government. The administrative body delegated by

Congress to create the implementing rules and regulations of R.A.

10173, the National Privacy Commission, although yet to be constituted,

shall be introduced to privacy issues which may need resolution through

appropriate legislation.

Scope and Limitations

Online tracking serves a variety of purposes, but this study focuses only on

tracking the behavior and preference of an online user with the view of creating

detailed profiles of the users for serving marketing information or advertisements

to him/her.9

9 Office of the Privacy Commissioner for Personal Data, HongKong, “Online BehaviouralTracking,” https://www.pcpd.org.hk/english/publications/files/online_tracking_e.pdf (October 11,2015).

https://www.pcpd.org.hk/english/publications/files/online_tracking_e.pdf






5

There are also various means by which organizations may track and record

the online behavior of website users, but this study covers only the following: (1)

cookies; (2) web beacons; (3) HTML5 web storage; (4) browser and device

fingerprinting; (5) online social networks plug-ins; (6) spyware10 and; (7) location

tracking.11

Due to time constraints and the multiplicity and complexity of the online

advertising landscape, only the website user and the website controller/owner, as

major stakeholders, were given focus.

Lastly, in the absence of the implementing rules and regulations for R.A.

10173, only portions of the statute itself may be examined and compared with

Spain’s Royal Decree-Law 13/2012, with regards to regulating tracking

technologies. Spain is a member of the European Union whose laws are regarded

as the gold standard.12

10 Irene P. Kamara, “Privacy and Online Behavioral Tracking: A hide-and-seek game or a feasiblerelationship?,” http://arno.uvt.nl/show.cgi?fid=132828 (October 11, 2015).11 European Union Agency for Network and Information Security (ENISA), “Privacy considerationsof online behavioural tracking,” November 14, 2012,https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking (October 11, 2015).

12 Constance Gustke, “Which countries are better at protecting privacy?,” BBC, June 26, 2013,http://www.bbc.com/capital/story/20130625-your-private-data-is-showing (October 11, 2015).

http://arno.uvt.nl/show.cgi?fid=132828



https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking



http://www.bbc.com/capital/story/20130625-your-private-data-is-showing








6

II. REVIEW OF RELATED LITERATURE

Privacy and data protection is said to constitute core values of individuals

and of democratic societies,13 but recent research reveal that privacy as we have

known it is ending,14 as troves of our personal data are being collected and

analyzed every day with methods which are shockingly opaque and attempts to

protect our privacy are no longer effective.15 For example, Web search histories

contain some of the most personal information revealed online, but some search

engine giants save these data in their servers.

16

Another example is location

check-ins containing both geographical and semantic information about the visited

venues which reveal personal information beyond what users actually want to

disclose.17

Not everyone is comfortable with the idea that data, particularly personal

information, can be collected by website operators/owners or other third party data

processors for varied purposes unknown to the website user. For purposes of

advertising, people’s willingness to share information with online advertisers is not

13 George Danezis, et al., “Privacy and Data Protection by Design - from policy to engineering,”arXiv.org , April 10, 2015, http://arxiv.org/abs/1501.03726 (October 15, 2015).14 Martin Enserink and Gilbert Chin, “The end of privacy,” Science, 347, no. 6221 (2015),

http://www.sciencemag.org/content/347/6221/490.full (October 15, 2015).15 Viktor Mayer-Schönberger , “The Black Box Society: The Secret Algorithms That Control Moneyand Information,” Frank Pasquale Harvard University Press (2015), p. 319,http://www.sciencemag.org/content/347/6221/481.summary(October 15, 2015).16 Jia You, “Camouflaging searches in a sea of fake queries,” Science, January 30 2015,Vol. 347, no. 6221, p. 502, http://www.sciencemag.org/content/347/6221/502.summary (October15, 2015).17 Igor Bilogrevic, et al., “Predicting Users' Motivations behind Location Check-Ins and UtilityImplications of Privacy Protection Mechanisms,” Infoscience (2015),http://infoscience.epfl.ch/record/202202/ (October 15, 2015).

http://arxiv.org/abs/1501.03726


http://www.sciencemag.org/content/347/6221/490.full

http://www.sciencemag.org/content/347/6221/481.summary




http://infoscience.epfl.ch/record/202202/









7

only based on the sensitivity of the information, but also on the scope of collection

and use, perceived necessity of collection, and perceived benefits or harms of

disclosing specific data types.18 However, not many websites controllers/owners

or third party data processors explicitly lay down their reasons for collecting

personal information. Many large companies, companies that are members of self-

regulatory organizations, and nonmember companies are silent in their privacy

policies with regard to important consumer-relevant practices including the

collection and use of sensitive information and linkage of tracking data with

personally-identifiable information.

19

Despite all these concerns, it would be impossible to stop people from

enjoying the many free products and services on the internet, even if some

researchers posit that they are not entirely free because the price website users

pay for it is the aspect of their privacy they relinquish.20 Because of this inevitable

use of the internet, the collection of personal information for targeted advertising

proves to be a very profitable business, as in the case of Facebook whose revenue

climbed 39 percent to $4.04 billion in the first half of 2015.21

18 Pedro Giovanni Leon et al., “Why People Are (Un)willing to Share Information with Online Advertisers,” May 2015, http://reports-archive.adm.cs.cmu.edu/anon/anon/usr/ftp/isr2015/CMU-

ISR-15-106.pdf (October 15, 2015).19 Candice hoke et al., “ Are They Worth Reading? An In-Depth Analysis of Online Trackers’Privacy Policies,” I/S : a journal of law and policy for the information society, Spring 2015,http://engagedscholarship.csuohio.edu/fac_articles/783/ (October 15, 2015).20 Ignacio N. Cofone, “The Value of Privacy: Keeping the Money Where the Mouth is,” RILE Working Paper, 2014-15,http://www.econinfosec.org/archive/weis2015/papers/WEIS_2015_cofone.pdf (October 15,

2015).21 Felix Richter, “Where Facebook's Revenue Growth Comes From,” Statista, July 30, 2015,http://www.statista.com/chart/2496/facebook-revenue-by-segment/ (October 15, 2015).

http://reports-archive.adm.cs.cmu.edu/anon/anon/usr/ftp/isr2015/CMU-ISR-15-106.pdf



http://engagedscholarship.csuohio.edu/fac_articles/783/


http://www.econinfosec.org/archive/weis2015/papers/WEIS_2015_cofone.pdf


http://www.statista.com/chart/2496/facebook-revenue-by-segment/









8

Unfortunately, the risks are real. In September 2015, a Russian court has

found Google guilty of breaching privacy with its targeted advertising.22 In July

2015, personal details of 13,000 Barclays’ customers in England, such as their

names, dates of birth, and addresses, and even their jobs, salaries, debts, etc.

were found to have been subject of data theft.23 In June 2015, the Belgian privacy

watchdog sued Facebook for the tracking of non-users and logged out users for

advertising purposes.24 Similarly, in April 2015, Bell Mobility, Canada’s largest

telecommunications company, was sued for tracking and amassing people’s

mobile-phone usage habits to create a profile that was shared with third-party

marketers for a fee.25

As a response to these threats, governments are said to be restricting the

internet in ways that reduce the ability of businesses and entrepreneurs to use the

internet as a place for international commerce.26

22 AFP, “Google found guilty of privacy breach in Russia,” Times of India, September 17, 2015,http://timesofindia.indiatimes.com/tech/tech-news/Google-found-guilty-of-privacy-breach-in-Russia/articleshow/49001145.cms (October 16, 2015).23 Richard Marsden, “Barclays security scandal: Police find stolen USB stick holding personaldata of 13,000 customers, including National Insurance numbers and passport details,” DailyMail , July 25, 2015, http://www.dailymail.co.uk/news/article-3173866/Security-breach-shambles-Barclays-Fraudsters-personal-financial-details-13-000-customers-seven-years.html (October 15,

2015).24 Samuel Gibbs, “Belgium takes Facebook to court over privacy breaches and user tracking,”The Guardian, June 15, 2015, http://www.theguardian.com/technology/2015/jun/15/belgium-facebook-court-privacy-breaches-ads (October 15, 2015).25 Christina Pellegrini, “Bell faces $750 million lawsuit over targeted ad program,” Financial Post,

April 17, 2015, http://business.financialpost.com/fp-tech-desk/bell-canada-faces-750-million-lawsuit-over-tracking-of-cellphone-customer-internet-usage (October 15, 2015).26 Joshua Paul Meltzer, “The Internet, Cross-Border Data Flows and International Trade,” WileyPublishing Asia Pty Ltd and Crawford School of Public Policy (2014),http://onlinelibrary.wiley.com/doi/10.1002/app5.60/full (October 15, 2015).

http://timesofindia.indiatimes.com/tech/tech-news/Google-found-guilty-of-privacy-breach-in-Russia/articleshow/49001145.cms



http://www.dailymail.co.uk/news/article-3173866/Security-breach-shambles-Barclays-Fraudsters-personal-financial-details-13-000-customers-seven-years.html



http://www.theguardian.com/technology/2015/jun/15/belgium-facebook-court-privacy-breaches-ads




http://business.financialpost.com/fp-tech-desk/bell-canada-faces-750-million-lawsuit-over-tracking-of-cellphone-customer-internet-usage




http://onlinelibrary.wiley.com/doi/10.1002/app5.60/full













9

In general, when it comes to privacy and technology, the law is catching up all over

the world.27 Governments are adopting different approaches to privacy and data

protection, such as those generally categorized as the self-regulation approach,

as used in the United States, and the government approach, as used in the United

Kingdom.28 Whatever approach may be adopted by States, what would matter, in

the end, is the result: a safer world wide web, with less economic interests

sacrificed.

27 Neil M. Richards, “Digital Laws Evolove,” The Wired World UK Edition (2015), p. 83,http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2523748 (October 15, 2015).28 Tiwalade Adelola et al., “Privacy and data protection in e-commerce in developing nations:evaluation of different data protection approaches,” Infonomics Society (2015),https://dspace.lboro.ac.uk/dspace-jspui/handle/2134/18623 (October 15, 2015).

http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2523748


https://dspace.lboro.ac.uk/dspace-jspui/handle/2134/18623






10

III. METHODOLOGY

This is a qualitative research conducted using the descriptive research

method, particularly documentary analysis of the Philippine’s Republic Act No.

10173 and Spain’s Royal Decree-Law 13/2012.

IV. RESULTS AND DISCUSSION

ONLINE BEHAVIORAL ADVERTISING

The Office of the Privacy Commissioner in Canada defines Online

Behavioral Advertising (OBA) as the act of tracking and targeting of individuals’

web activities, across sites and over time, in order to serve advertisements that

are tailored to those individuals’ inferred interests.29

Differentiating OB from other Online dvertising Methods

The Advertising Research Foundation, in its publication called The Online

Advertising Playbook,30 identified at least eight (8) targeting approaches in online

advertising. The top three targeting approaches mentioned were demographic

29 Office of the Privacy Commissioner of Canada, “Policy Position on Online Behavioural Advertising,” https://www.priv.gc.ca/information/guide/2012/bg_ba_1206_e.asp (October 12,2015).30 Joseph Plummer et al., “The Online Advertising Playbook: Proven Strategies and TestedTactics from The Advertising Research Foundation,” Sainsbury ’s eBooks (2007),http://samples.sainsburysebooks.co.uk/9780470140352_sample_382631.pdf (October 12, 2015).

https://www.priv.gc.ca/information/guide/2012/bg_ba_1206_e.asp



http://samples.sainsburysebooks.co.uk/9780470140352_sample_382631.pdf






11

targeting, contextual targeting, and behavioral targeting . The longest-running,

among all targeting approaches, is demographic targeting, which defines

audiences according to their age, gender, income, occupation, and household size

(placing date-matching ads in a bachelor’s Facebook page). On the other hand,

contextual targeting places ads on web pages that have a relationship to the

content of the page (placing hotel ads in travel websites). Behavioral targeting

differs in that it not only uses demographic data but every collectible information

based on a user’s historic behavior such as previous searches, search sessions,

browsing activity, ad-clicks, conversions, etc.

31

Purposes of Online Behavioral Tracking

OBA serves a wide variety of purposes such as (1) remembering a user’s

preference (e.g. on language, font size, colour scheme) so that the look and feel

of a website is kept for a user upon his/her subsequent visits; (2) analyzing how

users navigate a website with a view to optimizing its design; (3) establishing and

maintaining a user’s logged-on identity so that he/she can move around the

website without being asked to log on again; or (4) tracking the behavior and

preferences of an online user with a view to building detailed profiles of the user

for serving marketing information or advertisements to him/her.32

31 Dr. Andrei Broder and Dr. Vanja Josifovski, Lecture Notes on “Introduction to Computational Advertising,” Stanford University, Autumn 2011,https://web.stanford.edu/class/msande239/lectures-2011/Lecture%2007%20Targeting%202011.pdf (October 12, 2015).32 Office of the Privacy Commissioner for Personal Data, Hong Kong, supra note 9.

https://web.stanford.edu/class/msande239/lectures-2011/Lecture%2007%20Targeting%202011.pdf







12

The fourth purpose of OBA mentioned above talks about “building detailed

profiles of the user,” popularly known as profiling . Its value in the marketing

industry is immense because by creating a rich picture of customers, both on and

offline, businesses are able to target customers and ensure that campaign

messaging, channels, locations and times of day are relevant. 33 The process of

constructing this profile using data mining – transforming data into knowledge – is

known as online behavioral profiling .34

The collection of data which makes up such descriptive customer profiles is

made possible through behavior tracking . The European Network and Information

Security Agency35 explains that there are two categories of behavior tracking called

“first-party tracking” and “third-party tracking.” The differentiation between the two

is based on user interaction.

In first-party tracking, the tracking is performed by the site or applicationwith which the user is directly interacting. In third-party tracking, the tracking isperformed by other ‘third party’ entities, different from the entity the user is directlyconnected to (the user being the ‘second party’), that track the user’s browsing

activity over time and across different websites. For example, Facebook tracksacross sites via its ‘Like’ button; each time a user visits a site that contains aFacebook ‘Like’ button, Facebook is informed about it, even if the user does notclick on this button.36

TRACKING TECHNOLOGIES

There are various means by which organizations track online user behavior.

33 Experian Marketing Services, “The Art of Customer Profiling: Why understanding audience isimportant and how to do it,” http://www.experian.co.uk/assets/marketing-services/white-papers/wp-the-art-of-customer-profiling.pdf (October 13, 2015).34 ENISA, supra note 11.35 Id.36 Id.

http://www.experian.co.uk/assets/marketing-services/white-papers/wp-the-art-of-customer-profiling.pdf








13

Cookies. A cookie is a small text file that is placed on a user’s computer by a web

page, collecting not only information about which websites the user visits, but also

the user’s activities on the site.37 BBC categorizes cookies into five (5):

(1) First party cookies are set by the website, you are visiting and they can onlybe read by that site.

(2) Third party cookies are set by a different organisation to the owner of thewebsite you are visiting. For example, the website might use a third partyanalytics company who will set their own cookie to perform this service. Thewebsite you are visiting may also contain content embedded from, for exampleYouTube or Flickr, and these sites may set their own cookies. Moresignificantly, a website might use a third party advertising network to delivertargeted advertising on their website. These may also have the capability totrack your browsing across different sites. xxx

(3) Session Cookies are stored only temporarily during a browsing session andare deleted from the user’s device when the browser is closed.

(4) Persistent cookies are saved on your computer for a fixed period (usually ayear or longer) and is not deleted when the browser is closed. Persistentcookies are used where we need to know who you are for more than onebrowsing session. For example, we use this type of cookie to store yourpreferences, so that they are remembered for the next visit.

(5) Many websites use Adobe Flash Player’s flash cookies to deliver video andgame content to their users. Adobe utilise their own cookies, which are notmanageable through your browser settings but are used by the Flash Playerfor similar purposes, such as storing preferences or tracking users. Thesecookies work in a different way to web browser cookies (the cookie types listed

above are all set via your browser); rather than having individual cookies forparticular jobs, a website is restricted to storing all data in one cookie. You cancontrol how much data can be stored in that cookie but you cannot choosewhat type of information is allowed to be stored. xxx (emphasis supplied)

Flash cookies, mentioned above, are also called “ever -cookies” or “zombie

cookies” for their ability to remain permanently on the user’s terminal device or

computer despite reasonable efforts to remove them.38 If an ever-cookie found that

37 Norman Gervais, “Governmental Internet Information Collection: Cookies Placing PersonalPrivacy at Risk,” Bulletin of the Association for Information Science and Technology 40, no. 2(2014), https://www.asis.org/Bulletin/Dec-13/DecJan14_Gervais.pdf (October 13, 2015).38 Opinion 04/2012 on Cookie Consent Exemption, Data Protection Working Party EuropeanCommission, June 7, 2012, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-

recommendation/files/2012/wp194_en.pdf (October 13, 2015).

https://www.asis.org/Bulletin/Dec-13/DecJan14_Gervais.pdf



http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf








14

the user has removed any of the types of cookies in question, it recreates them.39

In other words, Techopedia40 says that:

A zombie cookie returns to life automatically after being deleted by theuser. Zombie cookies are recreated using a technology called Quantcast, which

creates flash cookies to trace users on the Internet. The flash cookies are thenused to recreate browser cookies, becoming zombie cookies that never die.

Some user benefits attributed to these cookies are automatic log-in to

websites, personalized display of information, and location memory allowing users

to re-enter a site and pick up exactly where the user left off. 41

Web beacons. These are “objects that are embedded into web pages or email

messages; they may also be referred to as web bugs, tracking bugs, tracking

pixels, pixel tags, 1×1 gifs, single-pixel gifs, pixel tags, smart tags, action tags,

tracers, cookie anchors, or clear gifs.” Web beacons, stored in the user’s browser

cache,42 can be used to create anonymous user profiles, to analyze site usage, or

to improve the quality of advertisements delivered to users.43 This is very useful to

companies that want to learn if readers are opening the emails they send because

when the web beacon loads, companies can tell who opened the email and

39 Bruce Schneier , “Evercookies,” Schneier on Security, September 23, 2010, https://www.schneier.com/blog/archives/2010/09/evercookies.html (October 13, 2015).40 Janalta Interactive Inc., “What does Zombie Cookie mean?,” TechnoPedia, https://www.techopedia.com/definition/25736/zombie-cookie (October 13, 2015).

41 Cisco Systems, Inc., “Online Privacy—How to Protect Yourself and Your Family,” Cisco.(2009), https://www.cisco.com/web/about/facts_info/docs/C11-519232-00_online_privacy_WP_v4b.pdf (October 13, 2015).42 Catherine Dwyer , “Behavioral Targeting: A Case Study of Consumer Trackingon Levis.com,”http://citeseerx.ist.psu.edu/viewdoc/download?rep=rep1&type=pdf&doi=10.1.1.215.7616 (October13, 2015).43 The Broadmoor , “Cookies, Web Beacons and Tracking Technologies,” September 19, 2014,http://www.broadmoor.com/pdf/Broadmoor%20Cookie%20Policy%2009-19-14%20(2).pdf (October 13, 2015).

https://www.schneier.com/blog/archives/2010/09/evercookies.html


https://www.techopedia.com/definition/25736/zombie-cookie


https://www.cisco.com/web/about/facts_info/docs/C11-519232-00_online_privacy_WP_v4b.pdf




http://citeseerx.ist.psu.edu/viewdoc/download?rep=rep1&type=pdf&doi=10.1.1.215.7616


http://www.broadmoor.com/pdf/Broadmoor%20Cookie%20Policy%2009-19-14%20(2).pdf










15

when.44 However, turning off the browser's cookies will prevent web beacons from

tracking the user's activity, resulting to the web beacon accounting for an

anonymous visit, and the user's unique information will not be recorded.45

HTML5 Web Storage. HTML5 is a formatting language that programmers and

developers use to create documents on the Web which provides for multimedia file

support like video and audio.46 On the other hand, web storage, also known as

“local storage” or “DOM storage,” allows web developers to store data from web

applications in the user’s local machine though HTML5.

47

Like in the case of

persistent cookies discussed earlier, this data persists even if the user leaves the

application, closes the browser, or turns off the machine.48

Browser and device fingerprinting. A browser fingerprint is a composition of

information gathered from a web browser,49 such as the IP address, the availability

of a specific font set, the time zone, and the screen resolution which are enough

to uniquely identify most users.50 With browser fingerprinting, also known as

44 Joanna Geary, “Tracking the trackers: What are cookies? An introduction to web tracking,” TheGuardian, April 23, 2012, http://www.theguardian.com/technology/2012/apr/23/cookies-and-web-tracking-intro (October 13, 2015).45 Vangie Beal, “Web Beacon,” http://www.webopedia.com/TERM/W/Web_beacon.html (October13, 2015).

46 Nilachala Panigrahy, “Developing Offline Web Applications using HTML5,”http://www.tcs.com/SiteCollectionDocuments/White%20Papers/TEG_Whitepaper_Developing_Of fline_Web_Application_Using_HTML5_0212-1.pdf (October 13, 2015).47 Jennifer Kyrnin, “Web Storage in HTML5,”http://www.html5in24hours.com/chapters/0672334402_ch21.pdf (October 13, 2015).48 Kyrin, supra.49 Erik Flood and Joel Karlsson, “Browser Fingerprinting,” Chalmers University of Technology andUniversity of Gothenburg , May 2012,http://publications.lib.chalmers.se/records/fulltext/163728.pdf (October 13, 2015).

50 Karoly Boda et al., “User Tracking on the Web via Cross-Browser

http://www.theguardian.com/technology/2012/apr/23/cookies-and-web-tracking-intro




http://www.webopedia.com/TERM/W/Web_beacon.html



http://www.tcs.com/SiteCollectionDocuments/White%20Papers/TEG_Whitepaper_Developing_Offline_Web_Application_Using_HTML5_0212-1.pdf



http://www.html5in24hours.com/chapters/0672334402_ch21.pdf


http://publications.lib.chalmers.se/records/fulltext/163728.pdf











16

“stateless tracking,”51 users can be tracked persistently and without modifications

to the user’s browser because browsers can be positively identified solely based

on the information in their cache.52

Online Social Network Plug-ins. A plug-in is a piece of software code that

enables an application or program to do something it couldn’t by itself, such as

plug-ins for social media networking, foreign language alphabets and many other

things.53 Familiar examples of online social media plug-ins are Facebook’s Like

and Google’s +1 buttons, which have raised concerns about their implications to

user privacy, as they enable social networking services to track a growing part of

their members’ browsing activity.54 The presence of a Facebook Like button on a

website would mean Facebook having access to what websites you are visiting, at

what time you are visiting those pages, and from what IP address you are visiting,

even without you clicking on the Like button.55 These data are then linked to the

user’s Facebook account.56

Fingerprinting,” http://pet-portal.eu/files/articles/2011/fingerprinting/cross-browser_fingerprinting.pdf (October 13, 2015).51 ENISA, supra note 11.52 Ralph Broenik, “Using Browser Properties for Fingerprinting Purposes,”http://referaat.cs.utwente.nl/conference/16/paper/7306/using-browser-properties-for-fingerprinting-purposes.pdf (October 13, 2015).

53 Webwise Team, “What are plug-ins?,” BBC , October 10, 2012,http://www.bbc.co.uk/webwise/guides/about-plugins (October 13, 2015).54 Georgios Kontaxis et al., “Privacy-Preserving Social Plugins,”https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final150.pdf (October 13,

2015).55 Mathieu Cunche, Lecture Notes on “Security and Privacy on Online Social Networks,”November 29, 2013,http://mathieu.cunche.free.fr/Teaching/Master-RTS/Security_Privacy_OSN.pdf (October 13,2015).56 Id.

http://pet-portal.eu/files/articles/2011/fingerprinting/cross-browser_fingerprinting.pdf




http://referaat.cs.utwente.nl/conference/16/paper/7306/using-browser-properties-for-fingerprinting-purposes.pdf



http://www.bbc.co.uk/webwise/guides/about-plugins


https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final150.pdf


http://mathieu.cunche.free.fr/Teaching/Master-RTS/Security_Privacy_OSN.pdf











17

Spyware. The US-CERT defines it as one type of malicious software (malware)

that collects information from a computing system without consent by capturing

keystrokes, screenshots, authentication credentials, personal email addresses,

web form data, internet usage habits, and other personal information, which are

then delivered to online attackers who sell it to others or use it themselves for

marketing or spam or to execute financial crimes or identity theft.57 Because

spyware is often introduced to a user’s system embedded within another software

package, even experienced users find it hard to identify.58

Location Tracking. The geolocation API, supported by Firefox, Opera and

Chrome browsers and in Internet Explorer via a plugin,59 allows the users to

provide their location to web applications if they so desire.60 Through this

technology, both the user’s current geographic position and future changes in

position are exposed as longitude and latitude coordinates.61 Common sources of

location information include Global Positioning System (GPS) and location inferred

from network signals such as IP address, RFID, WiFi and Bluetooth MAC

addresses, and GSM/CDMA cell IDs, as well as user input.62

57 United States Computer Emer gency Readiness Team, “Spyware,” https://www.us-cert.gov/sites/default/files/publications/spywarehome_0905.pdf (October 13, 2015).

58 Daniel Jonasson and Johan Sigholm, “What is Spyware?,”https://www.ida.liu.se/~TDDD17/oldprojects/2005/final-projects/prj04.pdf (October 13, 2015).59 ENISA, supra note 11.60 Mozilla Developer Network and individual contributors, “Using Geolocation,”https://developer.mozilla.org/en-US/docs/Web/API/Geolocation/Using_geolocation (October 13,2015).61 Microsoft, “Introduction to the Geolocation API,” https://msdn.microsoft.com/en-us/library/gg589513(v=vs.85).aspx (October 13, 2015).62 Andrei Popescu, “Geolocation API Specification,” July 11, 2014, http://dev.w3.org/geo/api/spec-source.html (October 13, 2015).

https://www.us-cert.gov/sites/default/files/publications/spywarehome_0905.pdf




https://www.ida.liu.se/~TDDD17/oldprojects/2005/final-projects/prj04.pdf


https://developer.mozilla.org/en-US/docs/Web/API/Geolocation/Using_geolocation


https://msdn.microsoft.com/en-us/library/gg589513(v=vs.85).aspx




http://dev.w3.org/geo/api/spec-source.html














18

ISSUES WITH ONLINE BEHAVIORAL TRACKING

The Office of the Privacy Commissioner for Personal Data of Hong

Kong63 identified these concerns website users may have against OBA:

(a) Website users’ information or browsing habits are often collected by thewebsite operator/owner without website users’ knowledge or consent;

(b) Website users’ information or browsing habits may even be collected by athird party without website users’ knowledge or consent;

(c) The collected information may be transferred to other parties by the websiteoperators/owners or the third party without websi te users’ knowledge orconsent;

(d) Information about a website user collected from one website may becombined with information collected from other websites or sources about thatuser, thus building his/her profile without his/her knowledge;

(e) The purpose of collecting the information is not made clear to the websiteusers. Even if this has been made clear, website users are not offered theoption to opt out of the use.

In addition to the list above, it would also be useful to note that there are

other bigger issues involved contributing to the perpetuation of breaches in online

privacy such as the following:

Issue No. 1. The subject matter, OBA, being virtually invisible to the point

of abstraction, is beyond the attention of ordinary people who may be

vulnerable targets of privacy breach.

63 Office of the Privacy Commissioner for Personal Data, Hong Kong, supra note 9.



19

Issue No. 2. There is lack or absence of information, carefully designed for

ease of comprehension, which the public may use to apprise themselves of

their right to online privacy and the breach of such rights brought by OBA.

Issue No. 3. There is lack or absence of information, carefully designed for

ease of comprehension, which the website operators/owners may use to

apprise themselves of the user’s right to online privacy and of their

responsibility to accord such right appropriate respect and protection.

Issue No. 4. There is lack or absence of transparency on the end of the

website operators/owners who employ OBA as to when, where, how, or

what information they are collecting and what they do with it.

Issue No. 5. There is lack or absence of accountability on the end of the

website operators/owners who employ OBA as to what third party

organizations do with the information collected through their websites.

Issue No. 6. There is lack or absence of rules regulating the employment

of the tracking technologies mentioned above and those analogous to them.

LEGAL FRAMEWORK FOR PRIVACY AND DATA PROTECTION

The 1987 Philippine Constitution provides for the protection of privacy of

communication and correspondence stating that such right shall be inviolable

except upon lawful order of the court, or when public safety or order requires



20

otherwise as prescribed by law.64 This provision constitutes the framework and

basis for Republic Act No. 10173, otherwise known as the Data Protection Act of

2012, which declares that the Philippine Government recognizes the vital role of

information and communications technology in nation-building and its inherent

obligation to ensure that personal information in information and communications

systems in the government and in the private sector are secured and protected.65

Scope of pplication

R.A. 10173 applies to the processing of all types of personal information

and to any natural or juridical person involved in personal information processing

including those personal information controllers and processors.66

The law applies as long as the person responsible for information

processing, (1) although not found or established in the Philippines, use equipment

that are located in the Philippines; (2) maintains an office, branch or agency in the

Philippines.67

It also provides for extraterritorial application covering an act done or

practice engaged in and outside of the Philippines by an entity if:68

(a) The act, practice or processing relates to personal information about aPhilippine citizen or a resident;

(b) The entity has a link with the Philippines, and the entity is processing personalinformation in the Philippines or even if the processing is outside the Philippines

64 CONSTITUTION, 1987, Art. III. http://www.gov.ph/constitutions/1987-constitution/#article-iii 65 Republic Act No. 10173 (2012). http://www.gov.ph/2012/08/15/republic-act-no-10173/ 66 Id. at Sec. 4.67 Id. at Sec. 4, Par. 1.68 Id. at Sec. 6.

http://www.gov.ph/constitutions/1987-constitution/#article-iii



http://www.gov.ph/2012/08/15/republic-act-no-10173/







21

as long as it is about Philippine citizens or residents such as, but not limited to, thefollowing:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but hascentral management and control in the country; and

(3) An entity that has a branch, agency, office or subsidiary in thePhilippines and the parent or affiliate of the Philippine entity hasaccess to personal information; and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and

(2) The personal information was collected or held by an entity inthe Philippines.

As for the types of information covered, R.A. 10173 defines “personal

information” as any information whether recorded in a material form or not, from

which the identity of an individual is apparent or can be reasonably and directly

ascertained by the entity holding the information, or when put together with other

information would directly and certainly identify an individual.69 However, the

following types of data are excluded from the coverage:70

(a) Information about any individual who is or was an officer or employee of agovernment institution that relates to the position or functions of the individual,including:

(1) The fact that the individual is or was an officer or employee of thegovernment institution;

(2) The title, business address and office telephone number of theindividual;

(3) The classification, salary range and responsibilities of the position heldby the individual; and

(4) The name of the individual on a document prepared by the individualin the course of employment with the government;

(b) Information about an individual who is or was performing service under contractfor a government institution that relates to the services performed, including the

69 Supra, at Sec. 3 (g).70 Supra, at Sec. 4, Par. 2.



22

terms of the contract, and the name of the individual given in the course of theperformance of those services;

(c) Information relating to any discretionary benefit of a financial nature such asthe granting of a license or permit given by the government to an individual,including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or researchpurposes;

(e) Information necessary in order to carry out the functions of public authoritywhich includes the processing of personal data for the performance by theindependent, central monetary authority and law enforcement and regulatoryagencies of their constitutionally and statutorily mandated functions. Nothing in this

Act shall be construed as to have amended or repealed Republic Act No. 1405,otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426,otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510,otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the

jurisdiction of the independent, central monetary authority or Bangko Sentral ngPilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, asamended, otherwise known as the Anti-Money Laundering Act and otherapplicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictionsin accordance with the laws of those foreign jurisdictions, including any applicabledata privacy laws, which is being processed in the Philippines.

Aside from “personal information,” R.A. 10173 also provides for the

protection of “sensitive personal information” and “privileged information.”

Privileged information is defined as any and all forms of data which under the Rules

of Court and other pertinent laws constitute privileged communication.71 While

sensitive personal information is defined as any personal information:72

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious,philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or toany proceeding for any offense committed or alleged to have been committed bysuch person, the disposal of such proceedings, or the sentence of any court insuch proceedings;

71 Supra note 65, at Sec. 3 (k).72 Supra note 65, at Sec. 3 (l).



23

(3) Issued by government agencies peculiar to an individual which includes, butnot limited to, social security numbers, previous or cm-rent health records, licensesor its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be keptclassified.

In the chapter dedicated for tracking technologies, it was established that

the types of personal information which are collected online varies, ranging from

the seemingly benign, such as the availability of a font set, to the extremely

sensitive personal information, such as an individual’s health, sexual, and financial

standing. Fortunately, Filipinos anywhere in the world are protected by R.A. 10173

as it covers all personal information from which the identity of an individual is

apparent or can be reasonably and directly ascertained by the entity holding the

information, or when put together with other information would directly and

certainly identify an individual.73

73 Supra note 65, at Sec. 3 (g).



24

Right to Consent

As a general rule, R.A. 10173 allows the processing of personal information

provided that such act is not prohibited by law or when any one of the following

conditions are present:74

(a) The data subject has given his or her consent ;

(b) The processing of personal information is necessary and is related to thefulfillment of a contract with the data subject or in order to take steps at the requestof the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which thepersonal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the datasubject, including life and health;

(e) The processing is necessary in order to respond to national emergency, tocomply with the requirements of public order and safety, or to fulfill functions ofpublic authority which necessarily includes the processing of personal data for thefulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursuedby the personal information controller or by a third party or parties to whom thedata is disclosed, except where such interests are overridden by fundamentalrights and freedoms of the data subject which require protection under thePhilippine Constitution. (Emphasis supplied)

As for the processing of sensitive personal information and privileged

information, the general rule is prohibition, except in the following cases:75

(a) The data subject has given his or her consent, specific to the purpose prior tothe processing, or in the case of privileged information, all parties to the exchangehave given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations:Provided, That such regulatory enactments guarantee the protection of thesensitive personal information and the privileged information: Provided, further,That the consent of the data subjects are not required by law or regulation

permitting the processing of the sensitive personal information or the privilegedinformation;

(c) The processing is necessary to protect the life and health of the data subject oranother person, and the data subject is not legally or physically able to express hisor her consent prior to the processing;

74 Supra note 65, at Sec. 12.75 Supra note 65, at Sec. 13.



25

(d) The processing is necessary to achieve the lawful and noncommercialobjectives of public organizations and their associations: Provided, That suchprocessing is only confined and related to the bona fide members of theseorganizations or their associations: Provided, further, That the sensitive personalinformation are not transferred to third parties: Provided, finally, That consent ofthe data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried outby a medical practitioner or a medical treatment institution, and an adequate levelof protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for theprotection of lawful rights and interests of natural or legal persons in courtproceedings, or the establishment, exercise or defense of legal claims, or whenprovided to government or public authority. (Emphasis supplied)

From this juncture, it would be important to note that R.A. 10173 did not fail

to provide for the user’s right to consent in the processing of personal information,

sensitive personal information, and privileged information. However, in one of the

issues raised earlier in this paper, it was established that the existence of OBA and

its consequent tracking and profiling which website controllers/owners employ are

beyond the attention of ordinary people. The question now is, “How could Filipinos

exercise their right to consent, if they are largely unaware either that they are being

tracked or that personal information is being collected from and through their

computers?” Is it not impossible to assert a right which you do not know of being

violated? Can we not regulate, if not prohibit, the use of such invasive tracking

technologies instead? Spain proves it can be done.



26

On the 4th of April 2012, Spain’s Royal Decree-Law 13/2012 came into

force, regulating the use of cookies.76 It amended The E-Commerce Law in order

to implement the Directive 2009/136/EC (the “e-Privacy Directive”), specifically:

It allows the use of devices for data storage and recovery purposes in therecipient’s equipment terminal (e.g., cookies) if the recipient: (i) is provided withclear and comprehensive information about the use and purposes of thesedevices; and (ii) has provided his/her prior explicit consent.77

Website service providers are required to obtain the informed consent of data

subjects before the storage of cookies and similar devices on their terminal

equipment.78 Information about the use of cookies must (1) be clear and complete;

(2) specify the reasons why data is being collected by these devices; and (3)

comply with existing information requirements under Spanish data protection

law.79 In the guidelines issued by the Spanish Data Protection Agency, a.k.a.

Agencia Española de Protección de Datos, efforts are taken to make the users

aware of the existence of cookies by requiring the following:80

a) Duty to inform

The information about the cookies provided when asking for consent must becomprehensive enough to enable users to understand the purpose for which theyare installed and to know what they will be used for.

First, we have to warn the user that our website will install cookies whilst they arebrowsing our web, if the cookies are created by our site or come from a third party

76 Ignacio Gurpegui, “Consent by the addressee to authorize the use of cookies,” in SquireSanders, November 28, 2012,http://www.squirepattonboggs.com/~/media/files/insights/publications/2012/11/spanish-legal-

update/files/newsletterspanishlegalupdatenovember2012pdf/fileattachment/newsletterspanishlegalupdatenovember2012.pdf (October 14, 2015).77 Uría Menéndez, “Doing Business in Spain,” Lex Mundi ,www.lexmundi.com/Document.asp?DocID=7387 (October 14, 2015).78 Diego Ramos, “Data protection in Spain: overview,” Thomson Reuters Practical Law ,http://uk.practicallaw.com/1-520-8264# (October 14, 2015).79 Id.80 Luis M. Vicente Burgos, “Does your website comply with the Spanish Cookie Law? ,”http://www.volawyers.com/does-your-website-comply-with-the-spanish-cookie-law/ (October 14,2015).

http://www.squirepattonboggs.com/~/media/files/insights/publications/2012/11/spanish-legal-update/files/newsletterspanishlegalupdatenovember2012pdf/fileattachment/newsletterspanishlegalupdatenovember2012.pdf




http://www.lexmundi.com/Document.asp?DocID=7387


http://uk.practicallaw.com/1-520-8264


http://www.volawyers.com/does-your-website-comply-with-the-spanish-cookie-law/










27

and what their purposes are. A warning message is required if any further activityfrom the user involves acceptance. The data field must include a link to a pagewhich contains the following information: general definition and function of cookies,a list of all the cookies that our site installs and their use, information on how todisable or delete cookies using either our website or each of the main browsers,and finally identification of the data controller, whether the publisher or a third party.

b) Obtaining consent

Consent can be granted explicitly by clicking on the appropriate button or field toaccept the cookies, or implicitly, by any further activity in the web page after theinformation on the cookies has been displayed and the user has been warned. Butthe bottom line here, and this is what the Royal Decree 13/2012 changed, is thatthe user consent now must be obtained PRIOR to the installation of any cookies,and it is at this point is where a large number of web sites currently breach the law.

Except those previously mentioned exceptions, before installing a single cookie onthe user’s computer you have to inform them clearly and receive consent.

Other key elements of the law are as follows:81

(a) xxx

(b) The site should take into account the likely audience of the site whenexplaining the uses of cookies, avoiding terminology that would bedifficult for the average site visitor to understand.

(c) They advise also that sites should assume knowledge about the usesof cookies and how to manage them is limited.

(d) Information about cookies and how to manage them can be layered,

but must always be accessible, even after consent has beenobtained. A specific ‘Cookie Policy’ link is advised over a generic‘Privacy Policy’.

(e) There must be information on how to revoke consent after it has beenobtained.

(f) xxx

As for the penalties imposed for non-compliance, the Law provides:82

Infraction of the duties of information and cookie rejection procedure can reach

150,000 Euros fine for penalties in cases of significant noncompliance and up to30,000 Euros in case of lesser penalties.

81 Richard Beaumont, “Spanish Cookie Law Fines First in EU,” February 5, 2014, http://www.cookielaw.org/blog/2014/2/5/spanish-cookie-law-fines/ (October 14, 2015).82 Supra note 80.

http://www.cookielaw.org/blog/2014/2/5/spanish-cookie-law-fines/





28

The example given above shows how Spain’s Royal Decree-Law 13/2012

potentially solves ALL the issues raised in the earlier discussion on this paper.

First, Issue No. 6 (lack or absence of rules) and Issue No. 3 (responsibility

of website controllers/owners) are solved by the enactment of a law addressing

the unique case of cookies. Without which, general laws would have been

insufficient in providing guidance. With the existence of the law, website

controllers/owners can now ascertain the extent or limitations of what they can do,

with regards to the employment of cookies for collecting data, without violating the

website user’s right to privacy.

Second, Issue No. 1 (invisibility of cookies), Issue No. 2 (lack or absence of

information about cookies), and Issue No. 4 (lack or absence of transparency) are

solved by simply requiring website owners to inform the website users of the

presence, type, and purpose of the cookies used and to obtain the user’s consent

prior to the employment of the regulated cookies. Now, the users are made aware

of the “invisible” cookies. They are also made to choose whether to allow the

website controllers/owners to install cookies in their computers/devices or not.

Informed of what cookies are and of which ones they are dealing with, they can be

more vigilant and express violation of their right to privacy, if there is any.

Lastly, Issue No. 5 (lack or absence of accountability) is solved by imposing

penalties on those who would fail to comply with the Law. The law is given the



29

teeth to secure compliance. Otherwise, it would be too easy to disregard, both by

well-meaning and ill-meaning entities, as compliance would require considerable

effort on the part of website controllers/owners to depart from common practice.

V. CONCLUSION AND RECOMMENDATION

The enactment of R.A. 10173 is a good start in the development of laws

that provide privacy and data protection in the Philippines. As a general law, its

coverage is reasonably wide, ranging from personal information, to sensitive

personal information and privileged information as previously discussed, cutting

across territorial boundaries worldwide. It also imposes just penalties to violators,

as such is needed to ensure compliance with the law.

However, there are some unique issues that may not be addressed without

a specific law enacted for its sole purpose, as in the case of tracking technologies

used in profiling for online behavioral advertising which common website users are

usually exposed to. Fortunately, we can learn from other countries which have

been able to make significant progress in the regulation of such technologies, by

law, as in the case of Spain.

Progressive as it may be, it should be noted that Spain’s Royal Decree-Law

13/2012, presented as an example in the previous discussion, only solves the

problem with one type of tracking technology, particularly, the cookies. The privacy



30

infringement made possible by the rest of the tracking technologies discussed, and

those which are still in development or yet to be developed, may require specific

rules other than those which have already been enacted. Exploration and

discussion of such issues is beyond the scope of this study, due to limited time

and other resources, but could be an interesting subject matter for future research.

As we all know, technological development far outpaces the enactment of

appropriate laws, making it a lot more challenging for law-making bodies to cope.

It is therefore necessary that the National Privacy Commission, tasked to draft the

implementing rules and regulations of R.A. 10173, be constituted the sooner

possible time. The necessity of proposing legislation, amendments or

modifications to Philippine laws on privacy or data protection could only be

maximized with the existence of a Commission with the legal mandate to do so.

Having a Commission which monitors and studies technologies analogous to those

described in this paper would be invaluable in creating well-founded specific laws.

Otherwise, as more years pass without the Commission, we risk the possibility of

R.A. 10173 becoming obsolete in responding with recent technological

developments affecting privacy and data protection.



31

BIBLIOGRAPHY

Adelola, Tiwalade et al. "Privacy and data protection in e-commerce in developing nations:evaluation of different data protection approaches." Infonomics Society (2015).https://dspace.lboro.ac.uk/dspace-jspui/handle/2134/18623 Accessed October15, 2015.

AFP. "Google found guilty of privacy breach in Russia." Times of India, September 17,2015. http://timesofindia.indiatimes.com/tech/tech-news/Google-found-guilty-of-privacy-breach-in-Russia/articleshow/49001145.cms Accessed October 15,2015.

Andrei Popescu. "Geolocation API Specification." July 11, 201.http://dev.w3.org/geo/api/spec-source.html Accessed October 13, 2015.

Beal, Vangie, "Web Beacon." http://www.webopedia.com/TERM/W/Web_beacon.html Accessed October 13, 2015.

Beaumont, Richard. "Spanish Cookie Law Fines First in EU." February 5, 2014.http://www.cookielaw.org/blog/2014/2/5/spanish-cookie-law-fines/ AccessedOctober 14, 2015.

Bilogrevic, Igor. et al. "Predicting Users' Motivations behind Location Check-Ins and UtilityImplications of Privacy Protection Mechanisms." Infoscience (2015).http://infoscience.epfl.ch/record/202202/ Accessed October 15, 2015.

Boda, Karoly et al. “User Tracking on the Web via Cross-BrowserFingerprinting.” http://pet-portal.eu/files/articles/2011/fingerprinting/cross-browser_fingerprinting.pdf Accessed October 13, 2015.

Broder, Dr. Andrei and Josifovski, Dr. Vanja. Lecture Notes on "Introduction toComputational Advertising." Stanford University, Autumn 2011.https://web.stanford.edu/class/msande239/lectures-2011/Lecture%2007%20Targeting%202011.pdf Accessed October 12, 2015.

Broenik, Ralph. "Using Browser Properties for Fingerprinting Purposes."http://referaat.cs.utwente.nl/conference/16/paper/7306/using-browser-properties-for-fingerprinting-purposes.pdf Accessed October 13, 2015.

Cisco Systems, Inc. "Online Privacy-How to Protect Yourself and Your Family." Cisco.(2009). https://www.cisco.com/web/about/facts_info/docs/C11-519232-00_online_privacy_WP_v4b.pdf Accessed October 13, 2015.

Cofone, Ignacio N. "The Value of Privacy: Keeping the Money Where the Mouth is." RILEWorking Paper, 2014-15.http://www.econinfosec.org/archive/weis2015/papers/WEIS_2015_cofone.pdf

Accessed October 15, 2015.

CONSTITUTION, 1987, Art. III. http://www.gov.ph/constitutions/1987-constitution/#article-iii

















































32

Cunche, Mathieu. Lecture Notes on "Security and Privacy on Online Social Networks."November 29, 2013. http://mathieu.cunche.free.fr/Teaching/Master-RTS/Security_Privacy_OSN.pdf Accessed October 13, 2015.

Danezis, George. et al., "Privacy and Data Protection by Design - from policy toengineering," arXiv.org. April 10, 2015. http://arxiv.org/abs/1501.03726 Accessed

October 15, 2015.

Dwyer, Catherine Dwyer. "Behavioral Targeting: A Case Study of Consumer Tracking onLevis.com."http://citeseerx.ist.psu.edu/viewdoc/download?rep=rep1&type=pdf&doi=10.1.1.215.7616 Accessed October 13, 2015.

Electronic Privacy Information Center. "Online Tracking and Behavioral Profiling."https://epic.org/privacy/consumer/online_tracking_and_behavioral.html AccessedOctober 16, 2015.

Enserink, Martin and Chin, Gilbert. "The end of privacy." Science, 347, no. 6221 (2015).

http://www.sciencemag.org/content/347/6221/490.full Accessed October 15,2015.

European Union Agency for Network and Information Security (ENISA). "Privacyconsiderations of online behavioural tracking." November 14, 2012.https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-considerations-of-online-behavioural-tracking


Experian Marketing Services. "The Art of Customer Profiling: Why understandingaudience is important and how to do it."http://www.experian.co.uk/assets/marketing-services/white-papers/wp-the-art-of-

customer-profiling.pdf Accessed October 12, 2015.

Fingerprinting." http://pet-portal.eu/files/articles/2011/fingerprinting/cross-browser_fingerprinting.pdf Accessed October 13, 2015.

Flood, Erik and Karlsson, Joel. "Browser Fingerprinting." Chalmers University ofTechnology and University of Gothenburg, May 2012.http://publications.lib.chalmers.se/records/fulltext/163728.pdf Accessed October13, 2015.

Geary, Joanna. "Tracking the trackers: What are cookies? An introduction to webtracking." The Guardian, April 23, 2012.

http://www.theguardian.com/technology/2012/apr/23/cookies-and-web-tracking-intro Accessed October 13, 2015.

Gervais, Norman. "Governmental Internet Information Collection: Cookies PlacingPersonal Privacy at Risk." Bulletin of the Association for Information Science andTechnology 40, no. 2 (2014). https://www.asis.org/Bulletin/Dec-13/DecJan14_Gervais.pdf Accessed October 13, 2015.



















































33

Gibbs, Samuel. "Belgium takes Facebook to court over privacy breaches and usertracking." The Guardian, June 15, 2015.http://www.theguardian.com/technology/2015/jun/15/belgium-facebook-court-privacy-breaches-ads Accessed October 15, 2015.

Gudivada , Venkat N., et al. "Information Retrieval in the World Wide Web." IEEE Internet

Computing (1997). http://www.cacs.louisiana.edu/~raghavan/internet97.pdf Accessed October 16, 2015.

Gurpegui, Ignacio Gurpegui. "Consent by the addressee to authorize the use of cookies."Squire Sanders, November 28, 2012.http://www.squirepattonboggs.com/~/media/files/insights/publications/2012/11/spanish-legal-update/files/newsletterspanishlegalupdatenovember2012pdf/fileattachment/newsletterspanishlegalupdatenovember2012.pdf Accessed October 14, 2015.

Gustke, Constance. "Which countries are better at protecting privacy?." BBC. June 26,2013. http://www.bbc.com/capital/story/20130625-your-private-data-is-showing


Hoke, Candice et al. "Are They Worth Reading? An In-Depth Analysis of Online Trackers'Privacy Policies." I/S : a journal of law and policy for the information society, Spring2015. http://engagedscholarship.csuohio.edu/fac_articles/783/ Accessed October15, 2015.

Janalta Interactive Inc. "What does Zombie Cookie mean?." TechnoPedia.https://www.techopedia.com/definition/25736/zombie-cookie Accessed October13, 2015.

Jonasson, Daniel and Sigholm, Johan. "What is Spyware?."

https://www.ida.liu.se/~TDDD17/oldprojects/2005/final-projects/prj04.pdf Accessed October 13, 2015.

Kamara, Irene P., "Privacy and Online Behavioral Tracking: A hide-and-seek game or afeasible relationship?." http://arno.uvt.nl/show.cgi?fid=132828 Accessed October11, 2015.

Kende, Michael. "Internet Society Global Internet Report 2015: Mobile Evolution andDevelopment of the Internet."http://www.internetsociety.org/globalinternetreport/assets/download/IS_web.pdf


Kontaxis, Georgios et al. "Privacy-Preserving Social Plugins."https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final150.pdf Accessed October 13, 2015.

Kyrnin, Jennifer. "Web Storage in HTML5,"http://www.html5in24hours.com/chapters/0672334402_ch21.pdf AccessedOctober 13, 2015.
















































34

Leon, Pedro Giovanni et al. "Why People Are (Un)willing to Share Information with Online Advertisers." May 2015. http://reports-archive.adm.cs.cmu.edu/anon/anon/usr/ftp/isr2015/CMU-ISR-15-106.pdf


Marsden, Richard. "Barclays security scandal: Police find stolen USB stick holding

personal data of 13,000 customers, including National Insurance numbers andpassport details." Daily Mail, July 25, 2015.http://www.dailymail.co.uk/news/article-3173866/Security-breach-shambles-Barclays-Fraudsters-personal-financial-details-13-000-customers-seven-years.html Accessed October 15, 2015.

Mayer-Schönberger, Viktor. "The Black Box Society: The Secret Algorithms That ControlMoney and Information." Frank Pasquale Harvard University Press (2015), p. 319.http://www.sciencemag.org/content/347/6221/481.summary Accessed October15, 2015.

McGrath, Felim. "GlobalWebIndex informs WeAreSocial's New Digital, Social and Mobile

in 2015 Report." GlobalWebIndex. January 22, 2015.https://www.globalwebindex.net/blog/globalwebindex-informs-wearesocial-new-digital-

social-and-mobile-in-2015-report Accessed October 11, 2015.

Meeker, Mary. "Internet Trends 2015 - Code Conference." KCPB. May 27, 2015.https://drive.google.com/file/d/0B5hEaQKLH-xoUHJjYWpQNXJySFU/view


Meltzer, Joshua Paul. "The Internet, Cross-Border Data Flows and International Trade."Wiley Publishing Asia Pty Ltd and Crawford School of Public Policy (2014).http://onlinelibrary.wiley.com/doi/10.1002/app5.60/full Accessed October 15,2015.

Menéndez, Uría. "Doing Business in Spain." Lex Mundi.www.lexmundi.com/Document.asp?DocID=7387 Accessed October 14, 2015.

Microsoft. "Introduction to the Geolocation API." https://msdn.microsoft.com/en-us/library/gg589513(v=vs.85).aspx Accessed October 13, 2015.

Mozilla Developer Network and individual contributors. "Using Geolocation."https://developer.mozilla.org/en-US/docs/Web/API/Geolocation/Using_geolocation Accessed October 13, 2015.

Office of the Privacy Commissioner for Personal Data, HongKong. "Online Behavioural

Tracking."https://www.pcpd.org.hk/english/publications/files/online_tracking_e.pdf


Office of the Privacy Commissioner of Canada. "Policy Position on Online Behavioural Advertising." https://www.priv.gc.ca/information/guide/2012/bg_ba_1206_e.asp Accessed Accessed October 15, 2015.
















































35

Opinion 04/2012 on Cookie Consent Exemption. Data Protection Working Party EuropeanCommission, June 7, 2012. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf AccessedOctober 13, 2015.

Panigrahy, Nilachala. "Developing Offline Web Applications using HTML5."

http://www.tcs.com/SiteCollectionDocuments/White%20Papers/TEG_Whitepaper _Developing_Offline_Web_Application_Using_HTML5_0212-1.pdf AccessedOctober 13, 2015.

Pellegrini, Christina. "Bell faces $750 million lawsuit over targeted ad program." FinancialPost, April 17, 2015. http://business.financialpost.com/fp-tech-desk/bell-canada-faces-750-million-lawsuit-over-tracking-of-cellphone-customer-internet-usage


Plummer, Joseph et al. "The Online Advertising Playbook: Proven Strategies and TestedTactics from The Advertising Research Foundation." Sainsbury's eBooks (2007).http://samples.sainsburysebooks.co.uk/9780470140352_sample_382631.pdf


PwC. "Global entertainment and media outlook 2015-2019: Internet Advertising."http://www.pwc.com/gx/en/industries/entertainment-media/outlook/segment-insights/internet-advertising.html Accessed October 16, 2015.

Ramos, Diego. "Data protection in Spain: overview." Thomson Reuters Practical Law.http://uk.practicallaw.com/1-520-8264# Accessed October 14, 2015.

Republic Act No. 10173 (2012). http://www.gov.ph/2012/08/15/republic-act-no-10173/

Richards, Neil M. "Digital Laws Evolove." The Wired World UK Edition (2015), p. 83.

http://papers.ssrn.com/sol3/Papers.cfm?abstract_id=2523748 Accessed October15, 2015.

Richter, Felix. "Where Facebook's Revenue Growth Comes From." Statista, July 30, 2015.http://www.statista.com/chart/2496/facebook-revenue-by-segment/ AccessedOctober 15, 2015.

Schneier, Bruce. "Evercookies." Schneier on Security, September 23, 2010.https://www.schneier.com/blog/archives/2010/09/evercookies.html AccessedOctober 13, 2015.

The Broadmoor. "Cookies, Web Beacons and Tracking Technologies." September 19,

2014. http://www.broadmoor.com/pdf/Broadmoor%20Cookie%20Policy%2009-19-14%20(2).pdf Accessed October 13, 2015.

The Statistics Portal. "Internet penetration in Asia Pacific as of 1st quarter 2015, bycountry." http://www.statista.com/statistics/281668/internet-penetration-in-southeast-asian-countries/ Accessed October 16, 2015.




















































United States Computer Emergency Readiness Team. "Spyware." https://www.us-cert.gov/sites/default/files/publications/spywarehome_0905.pdf AccessedOctober 13, 2015.

Vicente Burgos, Luis M. "Does your website comply with the Spanish Cookie Law?."http://www.volawyers.com/does-your-website-comply-with-the-spanish-cookie-

law/ Accessed October 14, 2015.

Webwise Team, "What are plug-ins?," BBC, October 10, 2012,http://www.bbc.co.uk/webwise/guides/about-plugins Accessed October 13, 2015.

You, Jia. "Camouflaging searches in a sea of fake queries." Science, January 30 2015,Vol. 347, no. 6221, p. 502.http://www.sciencemag.org/content/347/6221/502.summary Accessed October15, 2015.















