Thailand’s Personal Data Protection Act (PDPA)
What is the Thailand PDPA? 2025 guide to consent, cross-border transfers and compliance
Thailand’s PDPA enforcement just got serious – THB 21.5M (approximately €576,000 / USD 666,000) in fines issued in August 2025. If you’re running digital campaigns targeting Thai users, outdated consent banners and unapproved data transfers now carry real financial risk. Here’s what changed and how to stay compliant.
Key takeaways:
- PDPA consent must be explicit, granular, and logged.
- Cross-border transfer rules under Sections 28–29 are now enforceable.
- CMPs can be hosted abroad if appropriate safeguards are in place.
- PDPC enforcement is active (Aug 2025 fines, Oct 2025 DPO rule).
- Transparent, compliant data practices build user trust and marketing credibility.
- Anonymous tracking allows complete traffic visibility while respecting user choices.
- Integrated martech stack (CMP + analytics + activation) simplifies compliance and improves performance.
Table of contents
- What is the Thailand PDPA? 2025 guide to consent, cross-border transfers and compliance
- Key takeaways:
- Thailand’s privacy law landscape: what changed in 2024-2025
- What is the Thailand PDPA?
- Why the 2025 PDPA update matters
- What counts as personal data under the PDPA?
- Who must comply with Thailand’s PDPA?
- Thailand PDPA vs. GDPR vs. CCPA: quick comparison
- PDPA, cookies and consent management
- Building a PDPA-compliant analytics setup
- Anonymous tracking under Thailand PDPA
- Cross-border data transfers and hosting (sections 28–29)
- Enforcement and DPO responsibilities (2025)
- Capture complete visitor data while meeting Thailand’s PDPA compliance requirements
- Frequently asked questions
Thailand’s privacy law landscape: what changed in 2024-2025
If you’re running digital marketing campaigns in Thailand or collecting data from Thai users, the compliance landscape changed dramatically in 2024-2025. What began as guidance has become active enforcement, complete with multimillion-baht fines and mandatory technical requirements for every marketing tool you use.
This guide cuts through the legal complexity to give you exactly what you need: clear requirements for cookie banners, analytics platforms, and cross-border data transfers, plus practical steps to ensure your marketing tech stack meets Thailand’s Personal Data Protection Act (PDPA) standards.
What is the Thailand PDPA?
Thailand has established comprehensive data protection standards that mirror – and in some cases exceed – European GDPR requirements. Understanding these rules is essential for any marketer operating in or targeting the Thai market.
The Personal Data Protection Act B.E. 2562 (PDPA) is Thailand’s comprehensive data-protection law, similar in scope and spirit to the EU’s GDPR. It governs how organizations collect, use, and disclose personal data belonging to individuals in Thailand.
The Act was published in the Royal Thai Government Gazette on 27 May 2019 and became fully effective on 1 June 2022, after pandemic-related postponements. Since then, the regulator – the Personal Data Protection Committee (PDPC) – has issued several clarifications and begun enforcing compliance.
Why the 2025 PDPA update matters
Since the PDPA’s full enforcement in June 2022, Thailand’s regulatory landscape has shifted from guidance to active enforcement. Three major developments in 2024-2025 fundamentally changed compliance obligations for digital marketers:
1. Active PDPA enforcement
In August 2025, the PDPC issued its first major administrative fines (over THB 21.5 million – approximately €576,000 / USD 666,000), signaling the end of the “grace period” approach.
2. New DPO rule
On 9 October 2025, a Royal Gazette notification made Data Protection Officers mandatory for all state agencies, with broader private sector implications expected.
3. Clarified obligations
PDPC Guidelines on Consent and Notification (September 2022) and Cross-Border Transfer Regulations (March 2024) now shape how websites, apps, and marketing tools must operate.
These changes signal Thailand’s move from a ‘grace period’ approach to strict enforcement, making compliance a business-critical priority rather than a future consideration.
What counts as personal data under the PDPA?
“Personal data” means any information that identifies an individual directly or indirectly – such as names, emails, phone numbers, IP addresses, or cookie identifiers.
“Sensitive personal data” (for example, religion, health, biometrics) requires explicit consent unless another lawful basis applies.
The PDPC has clarified that tracking and behavioral data (e.g., analytics IDs, device fingerprints) can qualify as personal data if they can reasonably identify a user.
Who must comply with Thailand’s PDPA?
The PDPA applies to any organization that:
- collects, uses, or discloses personal data within Thailand; or
- operates outside Thailand but offers goods or services to, or monitors the behavior of, individuals in Thailand.
In other words, even non-Thai companies must comply if they collect data from Thai users through websites, apps, or marketing platforms.
Thailand PDPA vs. GDPR vs. CCPA: quick comparison
If you’re already managing compliance for European or US markets, this comparison helps you quickly identify where Thailand’s requirements align with or diverge from frameworks you know.
Pay particular attention to cross-border transfer mechanisms and consent standards – these create the most operational complexity when you’re running campaigns across multiple jurisdictions.
Use this table to spot where you can leverage existing compliance infrastructure versus where Thailand requires unique implementation:
| Requirement | Thailand PDPA | EU GDPR | California CCPA/CPRA |
|---|---|---|---|
| Consent standard | Opt-in, affirmative action | Opt-in, affirmative action | Opt-out (right to say no) |
| Cookie consent required | Yes, for non-essential | Yes, for non-essential | No (but “Do Not Sell” applies) |
| Cross-border transfers | Adequacy or safeguards (Sections 28-29) | Adequacy or safeguards (SCCs, BCRs) | No restrictions (disclosure required) |
| Maximum fines | THB 5 million per offense | €20M or 4% global revenue | $7,500 per intentional violation |
| DPO requirement | State agencies (Oct 2025) + case-by-case | Required for certain processing | Not required |
| Data subject rights | Access, correction, deletion, portability | Access, correction, deletion, portability, objection | Access, deletion, opt-out of sale |
| Breach notification | Within 72 hours | Within 72 hours | Without unreasonable delay |
PDPA, cookies and consent management
For digital marketers, cookies and tracking technologies sit at the intersection of Thailand’s PDPA requirements and practical campaign execution. The 2022 Consent & Notification Guidelines clarified that consent-based tracking isn’t optional – it’s the legal foundation for most marketing analytics and personalization activities.
Cookies and similar technologies collect personal data about users. Under the PDPA, you must obtain valid, informed consent before setting any non-essential cookies.
The 2022–2025 consent and notification guidelines
In September 2022, the PDPC issued two important documents:
- Guideline on Requesting Consent from the Data Subject
- Guideline on Notification of Purposes for Data Collection
These clarify that consent must be:
- Freely given and obtained through an affirmative action (opt-in)
- Granular, with separate options for analytics, marketing, or functional cookies
- Transparent, using plain, concise language
- Withdrawable at any time through the same ease as giving it
- Recorded – controllers must keep proof of when and how consent was given
Healthcare, finance, and insurance organizations: Due to the sensitive personal data you process, PDPA compliance carries higher stakes and scrutiny. The PDPC explicitly lists health data, financial information, and biometric data as “sensitive personal data” requiring explicit consent. Consider conducting a formal Data Protection Impact Assessment (DPIA) before implementing new marketing tools or data activation workflows.
Read our guide:
How to design a user-friendly and GDPR-compliant cookie banner in 2025 (principles apply to PDPA)
Your PDPA cookie banner needs to:
- Display “Accept all” and “Reject all” buttons of equal prominence
- Block non-essential cookies until consent
- Provide a clear list of vendors and purposes
- Maintain auditable consent logs
Cookie Information’s consent management platform addresses these requirements with WCAG-accessible banners that can be customized to Thailand’s PDPA rules: equally prominent ‘Accept all’ and ‘Reject all’ buttons, granular consent categories, and auditable consent logs that satisfy PDPC inspection requirements.
These rules closely mirror the GDPR and are now actively enforced in Thailand.
Building a PDPA-compliant analytics setup
Moving from non-compliant to compliant analytics doesn’t require replacing your entire stack – but it does require strategic choices about core platforms. Here’s how to build a foundation that supports both marketing performance and legal requirements:
Foundation layer: consent management
Required for compliance:
- Deploy a compliant cookie banner before any tracking loads
- Implement granular consent categories (necessary, analytics, marketing)
- Block all non-essential cookies until consent is received
Recommended for audit readiness:
- Maintain detailed consent records with timestamps and user preferences to demonstrate compliance if inspected by the PDPC
Data collection layer: analytics platform
Required for compliance:
- If transferring Thai user data abroad, verify your vendor provides Section 29 transfer safeguards (SCCs or BCRs)
Recommended for complete visibility:
- Choose analytics that supports anonymous tracking for non-consenting users – this allows you to understand full traffic patterns while respecting user choices
- Select a platform that can differentiate consented vs. anonymous data, giving you flexibility in how you use insights
Recommended for marketing performance:
- Prioritize platforms offering real-time or near-real-time data processing (30-minute data freshness or better) to enable faster campaign optimization
Activation layer: marketing tools
Required for compliance:
- Audit all pixels, tags, and tracking codes for PDPA compliance
- Use tag management to control when marketing tools fire based on consent
Recommended for enhanced privacy:
- Consider implementing server-side tracking to reduce client-side data exposure and improve data quality
- Document data flows to each vendor with legal basis – this documentation proves invaluable during regulatory inquiries or audits
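As an added illustration of the banner requirements and the consent-gated tag loading described above (example code written for this guide, not Cookie Information’s or Piwik PRO’s implementation), the snippet below models a minimal consent gate: non-essential tags stay blocked until an explicit per-category opt-in, “Accept all”, “Reject all” and withdrawal are each a single equivalent action, and every decision is appended to a timestamped log. The three categories, the `bannerVersion` field and the tag registry are assumptions; the banner UI and persistent storage are left to the caller.

```javascript
// Consent gate for a PDPA-style banner. Runs in Node without a DOM; the banner and
// storage layer are assumed to call these functions. Not vendor code.

const NON_ESSENTIAL = ["analytics", "marketing"]; // "necessary" never needs consent

function createConsentState() {
  // No decision recorded yet: only necessary tags may run.
  return { choices: null, log: [] };
}

// Record one consent decision. Each non-essential category needs an explicit boolean;
// a missing value is rejected, so implied or bundled consent cannot be logged.
function recordConsent(state, choices, meta = {}) {
  const normalized = {};
  for (const cat of NON_ESSENTIAL) {
    if (typeof choices[cat] !== "boolean") {
      throw new Error(`no explicit choice recorded for "${cat}"`);
    }
    normalized[cat] = choices[cat];
  }
  const entry = {
    action: meta.action || "custom",                    // accept_all | reject_all | custom | withdraw
    choices: normalized,
    timestamp: meta.now || new Date().toISOString(),    // when consent was given
    bannerVersion: meta.bannerVersion || "unversioned", // which purpose text the user saw (assumed field)
  };
  state.choices = normalized;
  state.log.push(entry); // append-only audit trail of how and when consent was given
  return entry;
}

// "Accept all", "Reject all" and withdrawal are each one call, i.e. equally easy.
function acceptAll(state, meta) {
  return recordConsent(state, { analytics: true, marketing: true }, { ...meta, action: "accept_all" });
}
function rejectAll(state, meta) {
  return recordConsent(state, { analytics: false, marketing: false }, { ...meta, action: "reject_all" });
}
function withdrawConsent(state, meta) {
  return recordConsent(state, { analytics: false, marketing: false }, { ...meta, action: "withdraw" });
}

// Tag-manager hook: may a tag in this category load right now?
function mayFire(state, category) {
  if (category === "necessary") return true;
  if (!NON_ESSENTIAL.includes(category)) return false; // unknown purpose: never fire
  return state.choices !== null && state.choices[category] === true;
}

function tagsToLoad(state, tags) {
  return tags.filter((tag) => mayFire(state, tag.category)).map((tag) => tag.name);
}

// Constructed sample tag registry, as a tag manager might hold it.
const SAMPLE_TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "site-analytics", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
];

// Walk through a visit: nothing before consent, analytics-only after a granular choice, then withdrawal.
function demo() {
  const state = createConsentState();
  const before = tagsToLoad(state, SAMPLE_TAGS);
  recordConsent(state, { analytics: true, marketing: false }, { bannerVersion: "2025-10" });
  const after = tagsToLoad(state, SAMPLE_TAGS);
  withdrawConsent(state);
  return { before, after, actions: state.log.map((e) => e.action) };
}

console.log(JSON.stringify(demo()));
```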
Our Cookie banner + Analytics plan offers a complete PDPA-compliant stack: Cookie Information’s consent platform captures and enforces user preferences, while Piwik PRO’s analytics continues gathering behavioral insights even from non-consenting visitors through privacy-safe anonymous tracking.
This integration addresses the core PDPA challenge – collecting enough data to optimize marketing while respecting user choices and PDPA regulatory requirements.
Anonymous tracking under Thailand PDPA
One of the most valuable – yet underutilized – PDPA compliance strategies is privacy-preserving anonymous tracking. When implemented correctly, it allows you to understand full traffic patterns, optimize user experience, and measure campaign effectiveness even for visitors who decline consent.
How it works legally
- Collect session-level behavioral data without personal identifiers
- No cookies required (uses cookieless tracking methods)
- Compliant under legitimate interest basis for website improvement
- Provides aggregate insights without individual tracking
Marketing benefits
- Recover up to 40% of data typically lost to consent declines
- Understand complete conversion funnels, not just consenting visitors
- Optimize page performance and UX based on full traffic
- Measure true campaign reach vs. consented-only subset
What you cannot do
- Attribute anonymous sessions to identified users
- Use for personalized advertising
- Share anonymous data with third-party ad networks
- Combine with other datasets to re-identify users
PARTNER SPOTLIGHT
“With Piwik PRO anonymous tracking, we got more traffic and more accurate data on where people are coming from. For example, before implementing anonymous tracking, Piwik PRO reported a similar number of sessions to GA4. After the change, Piwik PRO reports almost three times as many!”
Mikko Piippo
Consultant at Hopkins
Piwik PRO’s anonymous tracking captures behavioral signals like page views, referral sources, and conversion paths without cookies or personal data collection. When visitors later consent, the platform seamlessly upgrades to identified tracking with full attribution – giving you visibility into the entire journey while maintaining PDPA compliance throughout.
Cross-border data transfers and hosting (sections 28–29)
One of the most significant changes affecting international marketers came in March 2024, when Thailand’s cross-border transfer regulations took full effect. These rules directly impact where you can host analytics tools, how you process data through cloud services, and which vendors you can work with legally.
Thailand’s cross-border data-transfer regime took effect on 24 March 2024 through two PDPC Notifications. It regulates how Thai personal data can be sent abroad.
Section 28 – Transfers to “adequate” destinations
Under Section 28, data may be transferred to a country or international organization that has adequate data-protection standards, as determined by the PDPC.
As of late 2025, no official “adequacy list” has been published. Until then, adequacy must be assessed individually or justified using Section 29 mechanisms.
Countries and regions such as the EU/EEA, UK, Japan, and Singapore are widely considered likely candidates for adequacy, though this is not yet confirmed.
Section 29 – Appropriate safeguards when no adequacy decision exists
When transferring data to destinations not yet approved, you must implement appropriate safeguards, such as:
- Binding Corporate Rules (BCRs): internal policies that apply across a corporate group, subject to PDPC approval.
- Standard Contractual Clauses (SCCs): contractual terms ensuring data protection, enforceable rights, and remedies for Thai data subjects.
- Certified frameworks: participation in recognized certification or code-of-conduct schemes, once approved by the PDPC.
Each safeguard must guarantee:
- enforceable rights for individuals;
- effective legal processes in the event of a breach; and
- adequate technical and organizational security measures.
What this means for your analytics stack
Many marketing teams unknowingly violate Thailand’s transfer rules because popular digital marketing tools process data outside Thailand and may not have proper safeguards in place. Here’s what requires your immediate attention:
- Google Analytics 4: Sends data to US servers (requires Section 29 safeguards)
- Meta Pixel: Processes through multiple global data centers (compliance unclear without SCCs)
- Most CDP platforms: Store data in US/EU clouds (need documented transfer mechanisms)
- Email marketing platforms: Often replicate data across regions (requires vendor assessment)
Hosting digital marketing platforms outside Thailand
The PDPA does not require marketing tools like CMPs or analytics systems to be hosted in Thailand.
However, if your platform stores or processes Thai users’ data abroad, you must ensure:
- The destination country qualifies as (or is expected to be) adequate under Section 28; or
- You have valid safeguards under Section 29 (BCRs, SCCs, or certification); and
- Your privacy or cookie notice clearly discloses the transfer and the protections applied.
Best practice:
- Retain consent logs under your organization’s control (cloud hosting abroad is fine if compliant)
- Include PDPA-aligned clauses in vendor contracts – including 72-hour breach notification and restrictions on onward transfers
- Disclose your CMP’s hosting region (e.g., “Our consent system is hosted in the EU under PDPA-compliant safeguards.”)
Piwik PRO’s analytics platform offers EU-based hosting with documented PDPA-compliant transfer safeguards, giving marketers the complete behavioral data they need while maintaining clear legal standing under Sections 28-29. Unlike cloud-agnostic alternatives, data location and transfer mechanisms are explicit, documented, and audit-ready.
Data-transfer rules in Thailand: practical implications for marketers and developers
- Map your data flows: identify all servers and vendors that receive Thai-user data.
- Use documented safeguards: keep signed SCCs or BCR approvals on file.
- Update privacy notices: inform users of overseas transfers and the legal basis.
- Avoid assumptions: until the PDPC issues its adequacy list, Section 29 is your safest route.
Enforcement and DPO responsibilities (2025)
Thailand’s regulatory approach has evolved from educational to punitive. In August 2025, the PDPC imposed fines totalling THB 21.5 million across five cases, citing failure to report data breaches within the mandated timeframes and inadequate security measures. These fines mark the PDPC’s shift toward active enforcement.
On 9 October 2025, a Royal Gazette notification expanded the DPO appointment obligation to all state agencies, signaling stricter oversight in both public and private sectors.
The regulator now frequently inspects how organizations manage consent records, vendor contracts, and international data transfers.
Common violations triggering enforcement by the PDPC
Understanding what triggers PDPC scrutiny can help you prioritize compliance efforts:
- Collecting data without valid legal basis – Most common in marketing contexts where consent is assumed rather than obtained
- Failing to block cookies before consent – Non-essential tracking that loads before user choice
- Inadequate vendor contracts lacking PDPA clauses – Third-party processors without proper data protection terms
- Processing sensitive data without explicit consent – Particularly problematic in health, finance, and behavioral targeting
- Cross-border transfers without safeguards – Using tools that send data abroad without Section 29 documentation
- Missing or inadequate privacy notices – Failing to inform users about data collection purposes and legal basis
Penalties for non-compliance
- Administrative fines: up to THB 5 million per offence
- Civil damages: including punitive damages up to double the actual loss
- Criminal penalties: up to one year’s imprisonment or THB 1 million fine for certain offences
While these penalties are lower than the GDPR’s global-turnover model, Thailand’s enforcement momentum means poor consent or data transfer practices carry serious financial and reputational risks.
Capture complete visitor data while meeting Thailand’s PDPA compliance requirements
Start your 30-day free trial of our Cookie banner + Analytics plan today – no credit card required, cancel anytime.
Frequently asked questions
What are Sections 28 and 29 of the PDPA?
Section 28 allows transfers to countries with adequate data-protection standards, as recognized by the PDPC.
Section 29 governs transfers to non-adequate destinations and requires “appropriate safeguards” such as BCRs, SCCs, or certification schemes ensuring enforceable data-subject rights and security measures.
Has Thailand published an official adequacy list yet?
No. As of late 2025, the PDPC has not published any formal adequacy list. Transfers should therefore rely on Section 29 safeguards.
Do websites need to host their consent management platform in Thailand?
No. The PDPA does not mandate local hosting. A CMP can be located abroad (EU, UK, Singapore, US, etc.) if proper transfer safeguards (BCRs, SCCs, certification) are in place and disclosed in your privacy or cookie policy.
What are Binding Corporate Rules (BCRs)?
BCRs are internal policies approved by the PDPC that legally bind all entities in a corporate group to protect personal data consistently, even when transferred abroad.
What are Standard Contractual Clauses (SCCs)?
SCCs are pre-approved contractual clauses between a data exporter and importer ensuring PDPA-level protection, data-subject rights, and legal remedies in the destination country.
Are there any PDPA-specific rules for cookie banners?
Yes – the 2022 PDPC Consent Guideline requires opt-in consent, a clear “Reject all” option, purpose-based choices, and logging of each consent. Implied or bundled consent is invalid.
What penalties apply for PDPA breaches?
Violations may lead to fines up to THB 5 million, civil damages, and even imprisonment for serious offences. The PDPC has already begun imposing fines in 2025.
How does anonymous tracking work under the PDPA?
Anonymous tracking collects behavioral data (page views, referral sources, session duration) without cookies or personal identifiers. It’s compliant under legitimate interest for website improvement and provides aggregate insights without individual identification. When users later consent, platforms can upgrade to identified tracking with full attribution.
What should I look for in a PDPA-compliant analytics vendor?
Key requirements include: documented Section 29 transfer safeguards (SCCs or BCRs), anonymous tracking capabilities for non-consenting users, Thailand or EU data residency options, integrated consent management or seamless CMP integration, auditable consent logs, and explicit data ownership terms with no third-party sharing.