Skip to main content

Most of the world is following in the footsteps of the European Union and implementing regulations like the GDPR – and Thailand is no exception. Their new Personal Data Protection Act, or PDPA, will become effective on June 1, 2022.

It covers the processing of cookies that are collected and stored on users’ devices and requires that explicit consent be obtained. Keep reading to learn everything you need to know about PDPA Thailand and cookie consent!

The History of the PDPA

Thailand’s PDPA, or the Personal Data Protection Act, was initially introduced in May 2019. It is very similar to the European GDPR, which introduced requirements for processing personal information and private data.

The purpose of the PDPA is to create a framework that manages how companies, websites, and applications can collect and process user data. Although it does not directly address cookies in the legislation, cookies are the most common tool used to gather and transmit data online.

In other words, even though it doesn’t regulate cookies directly, the PDPA addresses the processing of the data that they collect and store. If you would like to know more about the types of cookies, then read our article: What are cookies ?

It is important to note that the PDPA Thailand only applies to the commercial use of personal information. The jurisdiction does not extend to federal or state governments – or the public sector – to maintain state security.

When the PDPA was issued, the intent was to provide a one-year grace period so that regulated organizations could prepare, and the laws would be enforced starting May 2020.

As you may have guessed, the global COVID-19 pandemic caused some delays. The government of Thailand agreed to postpone the enforcement of the PDPA for an additional year to ease the financial consequences of the pandemic and give companies more time to prepare.

However, in May 2021 the cabinet approved yet another one-year postponement for the PDPA. The goal is to ensure that the legislation’s related processes can be settled appropriately considering the lingering effects of the pandemic.

So, as of right now, the PDPA will be fully effective on June 1, 2022.

What is the PDPD, Thailand's privacy and data protection law all about?
Data privacy acts like the PDPA require user consent before obtaining and processing personal data.

Try our consent management platform and create your custom cookie banner to manage your cookies and third-party scripts on your website compliant with the PDPA and other privacy laws. CookieFirst offers a comprehensive cookie policy generator and third-party script management.

Cookie Consent Manager | Take a 2 week free trial

Take a 2 week free trial for our paid plans or create a free account …

Create an accountView our plans

Eight Key Characteristics of the PDPA

Eight key characteristics form the foundation of the PDPA. Let’s dive into each one of these, so you can get a better understanding of what this new regulation means for your business.

1. National Data Protection Authority
The act’s first characteristic is to establish a Personal Data Protection Committee. They will serve as the enforcement agency to ensure that organizations comply with the PDPA.

2. Extraterritorial Effect
The PDPA has both a territorial and extraterritorial effect. This means that the legal applications of the PDPA apply if a state or organization has jurisdiction over Thai citizens while they are abroad.

In other words, any entity, business, website, or other organization that uses, collects, or discloses data about its citizens must comply with this regulation. Likewise, it prohibits personal data from being transferred outside of Thailand.

3. Operative Terms
The third characteristic of the PDPA is its operative terms, which define the core aspects of the law. Much of the terminology mirrors the GDPR, including the following:

  • Data Controller: a natural or juristic person that has the power to make decisions about the collection, use, or disclosure of personal data
  • Data Processor: an entity that collects, uses, or discloses personal data per the data controller
  • Personal Data: Information that relates to a person and is directly or indirectly identifiable

4. Consent
The PDPA requires that you ask for – and obtain – explicit consent from users in Thailand before collecting data, using cookies and trackers, or disclosing any personal information. This consent must be received in writing or submitted electronically.

5. Sensitive Personal Data
The PDPA has a distinct category for sensitive personal data, which includes things like health data, sexual orientation, disability information, ethnicity, political opinions, religious beliefs, and more.

The new legislation prohibits the collection of any sensitive data without explicit consent from the individual unless the information is required by law or in a medical emergency.

6. Right of Data Subjects
Under the PDPA, data subjects have the right to access and correct their personal information. Likewise, they can withdraw consent at any point in time. Doing so would require the organization that collected the data to stop processing their information for marketing or other business purposes.

7. Transfer of Personal Data
Data controllers are prohibited from transferring personal data to third parties. However, they can proceed if the data subject has given their explicit consent.

8. Civil and Criminal Liability
The last characteristic of the Personal Data Protection Act addresses civil and criminal liability. Regulated entities that fail to comply with the PDPA could face civil liabilities that range from fines and punitive damage up to 5 million Baht.

Depending on the offense, perpetrators can also face up to one year in prison.

Are your an agency, webdesigner or another reseller?

Earn 30% commission, take a look at our reseller model or contact us for numbers larger than 500 clients

Calculate your revenue

What are the PDPA Compliance Requirements?

So, what do you need to do to comply with PDPA Thailand?

The most important factor is obtaining explicit end-user consent before you process any personal information. Likewise, you need to tell your users what you will be doing with their data. That includes what information is being collected, for what purpose, and with whom the data will be shared.

In other words, implied consent is not acceptable under this new regulation! If you intend to continue using cookies or trackers as part of your website or application, you need to get explicit consent.

To ensure that you meet all website compliance requirements, you should implement a cookie consent process that allows you to obtain the necessary permissions. The request for consent must also be presented in plain language and a clear manner so there is no risk of misunderstandings.

For example, there should be a button on your banner that allows users to refuse data tracking as you ask for cookie consent. Failing to do this properly can leave you with a fine of up to 5 million Baht or up to one year in jail, so you must prepare before the law becomes fully effective!


Get consent before loading third party tracking scripts

CookieFirst aims to make ePrivacy and GDPR compliance easy and quick to implement. The CookieFirst platform offers third-party script and consent management, statistics, periodic cookie scans, automated cookie declaration, banner customization, multiple language options, and more. Avoid large fines and get consent before loading third-party tracking scripts — try CookieFirst!