The National Privacy Commission (NPC) has issued new guidelines governing the scraping of publicly available personal data, warning organizations that such practices remain subject to strict data privacy rules under the country’s law.
In Advisory No. 2026-01 dated April 13, the commission said that while data scraping — defined as the automated or manual extraction of personal data from online sources — may be allowed, entities must comply with the Data Privacy Act of 2012 and related regulations.
The NPC emphasized that the public availability of personal data does not equate to blanket consent for its use. Organizations engaging in scraping activities must establish a lawful basis for processing and ensure that the data collected are used only for specific and legitimate purposes.
Under the advisory, personal information controllers (PICs) are required to inform data subjects when their data are being processed through scraping, either beforehand or at the next practical opportunity.
They must also ensure that data collection is proportionate and not excessive, and that adequate safeguards are in place to protect the information.
The commission also flagged heightened risks associated with large-scale scraping, noting that such activities could expose significant volumes of personal data to misuse, including fraud, unauthorized profiling, and cyberattacks.
Scraping of sensitive personal information is generally prohibited unless strict conditions are met, including the presence of a valid lawful basis and enhanced security measures.
Additional scrutiny is required when the data involve vulnerable individuals such as minors, the elderly, and persons with disabilities.
The advisory further outlined practices considered unauthorized, including bypassing website safeguards, using deceptive techniques to obtain data, or violating platform terms of service. Such actions may result in civil, criminal, or administrative liability under existing privacy laws.
For organizations hosting publicly available personal data, the NPC advised implementing safeguards such as rate limiting, bot detection, and clear notices informing users that their data may be subject to scraping.
Ultimately, the commission stressed that accountability remains with the organization collecting or processing the data, even if third parties are involved, and that scraped data must not be used in ways that could harm individuals, including doxxing, identity fraud, or unauthorized surveillance.
