The Thailand Personal Data Protection Act 2019 (‘PDPA’) was published on May 27, 2019 in the Royal Thai Government Gazette. The PDPA is the first law governing data protection in Thailand.
The Thailand PDPA, not to be confused with the Singapore PDPA, describes the requirements for websites on how to collect consent before the processing of personal data.
The purpose of the PDPA is to protect website users from unlawful gathering and use of their personal data.
The law requires that website users know what data is being collected about them, how it is used and by whom.
If you manage a website in Thailand or you are a foreign organization or company doing business with users based in Thailand, the PDPA also applies to you.
Violations of the PDPA can result in fines of up to 5,000,000 Baht or imprisonment of up to one year.
Here we will outline how the PDPA may impact your business website and how Cookie Information can help you comply.
According to Section 6 in the PDPA, personal data is defined as any data that can identify a person either directly or indirectly.
This includes name, address, email address, phone number, ID number or other information that identifies a specific person.
Sensitive personal data is further protected in the PDPA and includes data related to:
If the data that a website collects about a user in any way can identify the user (the data subject), then the user is protected by the PDPA.
Personal data can be obtained about website users if there is a legal basis. This includes legal obligations, public interest, legitimate interest or consent.
Personal data processing means collecting, accessing, storing, processing, and/or transferring personal information abroad.
There are many ways in which you can process personal data under the PDPA, but looking specifically at websites, you process personal data if you in any way, directly or indirectly, collect and process your users’ data.
Data about your users can be collected and processed through your website cookies and other trackers, by your Customer Relationship Management system (CRM) or by e.g., online forms on your site.
Cookies collect and process personal information about your users. This can be IP address, geolocation, device ID, cookie ID, and data about the users’ online behavior and preferences. This data is primarily used for retargeting and personalized advertising.
Although the cookies are not your cookies, they can be set through your site by services you use on your site, e.g., Google Analytics, Facebook Pixel, Hotjar, LinkedIn Insight Tag etc.
Note: As the data controller, you are responsible for collecting consent to the cookies set by third parties on your site.
Here is how to comply with the PDPA:
* Cookies can technically be held back/blocked by the cookie banner until consent has been given.
Yes, you have to obtain your user’s explicit consent to cookies before they can be stored and begin data collection and processing of personal data.
When you ask for consent, the request must be presented to your user in a way that is easy to understand, non-deceptive, and clearly distinguishable from other content on your site. This can be achieved in a professional cookie banner.
According to the PDPA, consent must be freely given and obtained in written form (including electronic means). The user must be properly informed about the purpose of data collection and processing, and the request must be presented in clear and plain language.
Implied consent is not valid in the PDPA, so make sure your cookie banner is asking for consent with a ‘yes’ or ‘no’ affirmation. The banner must include a button where users can say no to cookies.
The Thailand PDPA applies to all persons, businesses and websites who collect personal data from users in Thailand.
But the law also applies to foreign companies doing business with or collecting personal data with the purpose of offering goods, services or monitoring the behavior of persons based in Thailand.
If you fail to comply with the PDPA, you may face fines up to Baht 5 million (or up to 4% of global turnover) and criminal penalties which could include imprisonment for up to one year.
We offer a professional Consent Management Platform (CMP) for websites that want to collect their visitors’ data in a PDPA-compliant way.
Our cookie consent solution includes everything you need to make your website comply with the PDPA.
We help businesses and websites collect more than 15 billion consents every year to ensure their compliance with data regulations like ePrivacy, GDPR, CCPA, LGPD and of course also the PDPA.
Book a meeting with our Thailand Country Manager Salee Yemram to learn more about how your website can profit from getting a consent solution from Cookie Information. Yes, she speaks Thai fluently 🙂