Thailand Personal Data Protection Act (PDPA)

What is the Thailand PDPA?

All you need to know about the Thailand PDPA and how it affects your website's compliance

PDPA will come into force on June 1, 2022
*postponed from June 2021 due to Covid-19
**postponed from May 2020 due to Covid-19

What is PDPA?

The Thailand Personal Data Protection Act 2019 (‘PDPA’) was published on May 27, 2019 in the Royal Thai Government Gazette. The PDPA is the first law governing data protection in Thailand.

The Thailand PDPA, not to be confused with the Singapore PDPA, describes the requirements for websites on how to collect consent before the processing of personal data.

The purpose of the PDPA is to protect website users from unlawful gathering and use of their personal data.

The law requires that website users know what data is being collected about them, how it is used and by whom.

If you manage a website in Thailand or you are a foreign organization or company doing business with users based in Thailand, the PDPA also applies to you.

Violations of the PDPA can result in fines of up to 5,000,000 Baht or imprisonment of up to one year.

Here we will outline how the PDPA may impact your business website and how Cookie Information can help you comply.

What is personal data under the PDPA?

According to Section 6 in the PDPA, personal data is defined as any data that can identify a person either directly or indirectly.

This includes name, address, email address, phone number, ID number or other information that identifies a specific person.

Sensitive personal data is further protected in the PDPA and includes data related to:

  • Health data, biometric data & genetic data
  • Gender, sexual orientation & disability
  • Racial, ethnic origin & religion
  • Trade union information & political opinions

If the data that a website collects about a user in any way can identify the user (the data subject), then the user is protected by the PDPA.

Personal data can be obtained about website users if there is a legal basis. This includes legal obligations, public interest, legitimate interest or consent.

What is processing of personal data in the PDPA?

Personal data processing means collecting, accessing, storing, processing, and / or transferring personal information abroad.

When do I process personal data?

There are many ways in which you can process personal data under the PDPA. Looking specifically at websites, you process personal data if you in any way, directly or indirectly, collect and process your users’ data.

PDPA & cookies

Data about your users can be collected and processed through your website cookies and other trackers, by your Customer Relationship Management system (CRM) or by e.g., online forms on your site.

Cookies collect and process personal information about your users. This can include IP address, geolocation, device ID, cookie ID, and data about the users’ online behavior and preferences. This data is primarily used for retargeting and personalized advertising.

Although the cookies are not your cookies, they can be set through your site by services you use on your site, e.g., Google Analytics, Facebook Pixel, Hotjar, LinkedIn Insight Tag etc.

Note: As the data controller, you are responsible for collecting consent to the cookies set by third parties on your site.

How can you comply with the PDPA?

Here is how to comply with the PDPA:

  • Get a cookie banner that informs your website’s visitors of cookies, what data they collect, who collects the data and for how long.
  • Hold back cookies until your visitor has consented to your use of cookies.
  • Offer your users an easy way to change or withdraw consent to cookies.
  • Store all your users’ consents for 5 years as required by law.

This means that whenever a person enters your website, you ask for their consent to use cookies (through the cookie pop-up), and if your user declines, you respect their choice by not using cookies. *

* Cookies can technically be held back/blocked by the cookie banner until a consent has been given.
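
The steps above reduce to a default-deny gate in front of every tag plus an append-only consent log. A sketch of that logic as an added example (not Cookie Information's code); `createConsentManager`, the category names and the tag list are assumptions made for illustration:

```javascript
// Added example; createConsentManager, CATEGORIES and TAGS are hypothetical names.
const RETENTION_YEARS = 5; // retention period stated on this page
const CATEGORIES = ["functional", "statistics", "marketing"]; // assumed grouping

function createConsentManager(now = () => new Date()) {
  let granted = new Set(); // default deny: nothing is granted before a choice
  const log = [];          // append-only consent records

  function record(action, categories) {
    const at = now();
    const retainUntil = new Date(at);
    retainUntil.setUTCFullYear(at.getUTCFullYear() + RETENTION_YEARS);
    log.push({
      action,
      categories: [...categories].sort(),
      at: at.toISOString(),
      retainUntil: retainUntil.toISOString(),
    });
  }

  // Gate applied to every tag before it may be injected; no implied consent.
  const mayLoad = (tag) => granted.has(tag.category);

  return {
    mayLoad,
    // Explicit banner choice; an empty list is a valid "no".
    decide(categories) {
      const unknown = categories.filter((c) => !CATEGORIES.includes(c));
      if (unknown.length) throw new Error("unknown category: " + unknown.join(", "));
      granted = new Set(categories);
      record(categories.length ? "accept" : "decline", categories);
    },
    // Withdrawal resets the gate and is logged like any other choice.
    withdraw() {
      granted = new Set();
      record("withdraw", []);
    },
    loadable: (tags) => tags.filter(mayLoad).map((t) => t.name),
    log: () => log.map((r) => ({ ...r })),
  };
}

// Constructed sample tags; the services are ones named on this page.
const TAGS = [
  { name: "Google Analytics", category: "statistics" },
  { name: "Hotjar", category: "statistics" },
  { name: "Facebook Pixel", category: "marketing" },
];
```

In a browser, `mayLoad` would be checked before inserting each third-party `<script>`, and `withdraw` would also need to delete cookies those scripts have already set.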

Do you need to obtain consent before setting cookies?

Yes, you have to obtain your user’s explicit consent to cookies before they can be stored and begin data collection and processing of personal data.

When you ask for consent, the request must be presented to your user in a way that is easy to understand, non-deceptive, and clearly distinguishable from other content on your site. This can be achieved with a professional cookie banner.

What is consent in the PDPA?

According to the PDPA, consent must be freely given and obtained in a written form (including electronic means), the user must be properly informed about the purpose of data collection and processing, and the request must be presented in clear and plain language.

Implied consent is not valid in the PDPA, so make sure your cookie banner is asking for consent with a ‘yes’ or ‘no’ affirmation. The banner must include a button where users can say no to cookies.

Who does the PDPA apply to?

The Thailand PDPA applies to all persons, businesses and websites who collect personal data from users in Thailand.

But the law also applies to foreign companies doing business with or collecting personal data with the purpose of offering goods, services or monitoring the behavior of persons based in Thailand.

Penalties

If you fail to comply with the PDPA, you may face fines up to Baht 5 million (or up to 4% of global turnover) and criminal penalties which could include imprisonment for up to one year.

Cookie Information can help you comply with PDPA

We offer a professional Consent Management Platform (CMP) for websites that want to collect their visitors’ data in a PDPA-compliant way.

Our cookie consent solution includes everything you need to make your website comply with the PDPA.

We help businesses and websites collect more than 15 billion consents every year to ensure their compliance with data regulations like ePrivacy, GDPR, CCPA, LGPD and of course also the PDPA.

Book a meeting with our Thailand Country Manager Salee Yemram to learn more about how your website can profit from getting a consent solution from Cookie Information. Yes, she speaks Thai fluently 🙂

Cookie Information's Cookie Consent Solution includes: