The National Privacy Commission (NPC) has found no evidence of personal data processing or unlawful access to user messages in connection with the “Holiday Gems Christmas Campaign 2025” of Jollibee Foods Corporation and Rakuten Viber.
In a press statement on Tuesday, April 28, the NPC’s Complaints and Investigation Division (CID) said its probe — triggered by multiple complaints — showed the campaign did not process personal information and did not access private communications.
“The National Privacy Commission’s Complaints and Investigation Division (NPC-CID) has determined that the Jollibee Foods Corporation and Rakuten Viber ‘Holiday Gems Christmas Campaign 2025’ did not involve the processing of personal information. The NPC-CID also did not find evidence of unlawful access to user communications,” the agency said.
The inquiry, conducted through the CID’s Quick Response and Special Cases Unit, included evaluation and independent testing of the feature.
Investigators found the campaign used contextual, on-device matching based on predefined keywords stored locally on users’ devices. Animated elements were triggered at the device level, without sending message content to external servers for keyword detection.
The NPC also said campaign delivery relied on country codes, not precise geolocation or user location data. As a result, it found “insufficient indicators” of personal data processing under Section 3 of the Data Privacy Act of 2012.
The investigation stemmed from complaints earlier in January 2026 over what some users described as an “intrusive” Christmas campaign on Viber, where branded greetings and stickers from Jollibee appeared within private chats when certain keywords — such as “Christmas” — were typed.
At the time, the NPC said it had sought explanations from both companies amid concerns that the campaign might involve unsolicited processing of personal data and blur the boundaries of digital marketing in private messaging platforms.
The agency also emphasized that if personal data were involved, companies would need to comply with the principles of transparency, legitimate purpose, and proportionality, and obtain user consent for direct marketing activities.
The commission urged the public to remain vigilant and report any suspected data privacy violations to authorities.
