PDPA and Cookies – what you need to know

What are the rules on cookies in the new Thailand PDPA? And how do you comply? Here we provide you with a quick overview you can act upon.

The Thailand PDPA and Cookies​

First of all, the PDPA is Thailand’s new Personal Data Protection Act 2019 (‘PDPA’). The legislation will come into force on June 1st, 2022 (post-posted from June, 2021).
The Thailand PDPA is very similar to the European General Data Protection Regulation (GDPR) as it concerns the rules and requirements for processing people’s personal data.
Although the PDPA, like the GDPR, does not specifically concern the use of cookies it does concern the processing of the data cookies collect and store on users’ devices i.e., their computers, tablets and smartphones.
The whole purpose of the PDPA is therefore to set rules for how websites and app owners may collect and process their users’ personal data e.g., through the use of cookies.

Why do cookies fall under the PDPA? ​

Because cookies may collect personal information such as IP-address, geo-location, device-ID, cookie-ID which ultimately directly or indirectly can identify users. Therefore, cookies fall under the domain of the PDPA.
Now, all websites use cookies or other tracking technologies for measuring how users get on to the site, what they view and most importantly what they buy.
These metrics are vital for any e-commerce site or other business website wanting to optimize their marketing efforts and improve their sales.
For that, cookies are used.
Cookies are typically set on your website by third parties whose service you use for analytics, share/like buttons or other features that brings values to your website.
That could well be your Customer Relationship Management System (e.g., HubSpot, Salesforce); your analytics services (Google Analytics, Adobe Analytics) or of course tracking pixels from Facebook, LinkedIn or other social media used for retargeted advertising.
Note: As the website owner, you are the data controller and therefore responsible for obtaining your users’ valid consent to the cookies set by third parties on your website.

How can you comply with the PDPA?

To comply with the PDPA when using cookies on your website, it’s essential that you obtain your users’ valid consent to cookies.
That does not mean only to inform users of cookies (with a simple cookie banner), it means to inform users of cookies, collect and store their consent, so you can document it to The National Data Protection Authority set to be established under the PDPA.

Checklist for collecting valid consent to cookies

This means, that whenever a person enters your website, you ask for their consent to use cookies (through the cookie pop-up), and if your user declines, you respect their choice by not using cookies. *
* Cookies can technically be held back/blocked by the cookie banner until a consent has been given.
Here we show you two banners. The brown one you typically see on websites. It informs visitors about cookies and then states: if you use the site, you agree to the use of cookie.
It does not give the user ability to disagree, nor decline cookies. And it does not provide any information about which cookies collect and process what information.
Non valid cookie banner
A PDPA compliant cookie banner on the other hand, ask for a freely given and explicit consent to the use of cookies. Consent is informed and specific (information about cookies and functions provided) and it stores every user consent for documentation to authorities in case of an audit.
Our consent management platform helps you ensure compliance with global privacy laws, including PDPA. Start with a free 30-day trial and become PDPA-compliant today!