Last Updated: June 21, 2021
Thailand PDPA Overview
Thailand’s Personal Data Protection Act (PDPA) was created to govern data protection and allow the residents of Thailand the opportunity to exercise their privacy rights. Thailand’s adoption of this law was partly inspired by many GDPR principles and will drastically increase privacy requirements for organizations operating in Thailand.
What is the PDPA?
On May 27th, 2019, the PDPA was published in the Royal Thai Government Gazette. The PDPA is the first consolidated law governing data protection in Thailand.
Originally, there was a one-year grace period for the formation of the Personal Data Protection Committee and subordinate regulations, in addition to the requirement for organizations to become compliant with the PDPA. However, the government deferred the full enforcement of the PDPA to May 27, 2021.
Following a second deliberation, the Parliament approved a further one-year postponement of the effective date of the PDPA, to June 1st, 2022. This gives organizations struggling to keep up with the new regulation additional time to prepare.
Scope of PDPA
The PDPA applies to a person or legal person that collects, uses, or discloses the personal data of a natural (and alive) person, with certain exceptions.
The PDPA covers the collection, use, disclosure, and/or transfer of personal data, with certain exceptions.
The PDPA has both territorial and extraterritorial applications. From a territorial perspective, the PDPA applies to the collection, use, and/or disclosure of personal data by a personal data controller or a personal data processor that is in Thailand. Additionally, the PDPA has extra-territorial applicability over entities outside Thailand that collect, use, and/or disclose personal data of data subjects who are in Thailand in two situations:
- When the activities of collection, use, and disclosure are related to the offering of goods or services to the data subjects who are located in Thailand, irrespective of whether the payment is made by the data subject; or
- Where the activities of collection, use, and disclosure are related to the monitoring of the data subject’s behavior, where the behavior takes place in Thailand.
The PDPA applies to the collection, use, and disclosure (including cross-border transfer) of personal data. Personal data can be categorized into general personal data and sensitive personal data, for which different requirements and exemptions apply.
PDPA & Cookies
Personal data about your users can be obtained and processed through your website cookies and other tracking technology on your website. Personal data can include IP address, geo-location, device-ID, Cookie-ID, and anything else that describes a user’s online behavior and preferences. This data is mostly used for analytical and advertising purposes.
This becomes more complicated when you factor in cookies that are not yours. These can be set through your site by services you use, for example, Google Analytics, Facebook Pixel, LinkedIn Insight Tag, etc.
It’s important to note that as the data controller, you are responsible for collecting consent to cookies set by a third party on your site. The first step to cookie compliance is to become aware of all the cookies and tracking technologies on your site and begin to categorize them.
Do you Need Consent Before Dropping Cookies?
Yes, you must obtain explicit user consent to cookies before they can be dropped on the user's computer and used to process personal data. Additionally, the consent request must be easy for the user to understand, non-deceptive, and clearly distinguishable from other content on your site.
Failure to comply with the Thailand PDPA may result in fines of up to Baht 5 million (or up to 4% of global turnover) in addition to criminal penalties.
How to Comply with the PDPA
- Customize a cookie consent banner and preference center to inform users about data collection and provide visitors with the ability to opt out of advertising and data collection cookies on your website.
- Create and add a form for individuals to exercise their data subject rights over their personal data, including the right of access, right to erasure, right to object, and right to data portability.
- Use an auto-block feature to stop cookies from automatically dropping on a user’s computer before they have consented.
- Store records of your users’ consent for 5 years, as required by law.
- Monitor incoming requests using a dashboard and automate the request process, from intake to fulfillment.
Get Started with CookiePro
Create a Cookie Banner with CookiePro
Create a customizable cookie banner and preference center for visitors to provide consent and opt-in or opt-out of certain categories of tracking on your website.