Privacy laws

Some help with legal information about GDPR and other privacy laws

Thailand’s Personal Data Protection Act (PDPA)

What is Thailand’s Personal Data Protection Act (PDPA)?

First passed in 2019, Thailand’s Personal Data Protection Act (PDPA) will finally come into full effect on June 1st, 2022. The PDPA is structured entirely around the idea of end-user consent, which means that websites must obtain express and explicit consent from their users before cookies or tracking tools can be activated. The same regulations have been put in place successfully in other parts of the world, such as the European Union’s GDPR and Malaysia’s PDPA.

Consent, as laid out in the PDPA, is seen as an exchange that must be communicated in a tangible way. That means website users must freely provide their written consent and be informed about why and how their data is being collected before interacting further with a particular website. The PDPA also requires websites to request consent in as clear and plain language as possible to eliminate potential misunderstandings. In other words, implied consent is not valid, and users must also have the option to outright refuse cookies.

Thailand’s PDPA oversees the commercial use of personal data specifically. This means that its guidelines will not apply to the public sector, nor will they concern federal or state governments. Contrary to how the EU’s GDPR works, which applies to public bodies, the PDPA will exclude any authority which maintains state security or public financial security. In truth, Thailand’s PDA is most similar to Malaysia’s PDPA – though Thailand’s guidelines have both territorial and extraterritorial applications.

How PDPA in Thailand Works

The PDPA first and foremost gives Thai residents the right to access and correct their personal data held by websites. It also gives them the ability to withdraw their consent at any time, as well as stop the processing of their data for marketing purposes. The PDPA applies to any website or business which processes personal data from residents of Thailand for commercial use.

The PDPA applies both territorially and extra-territorially, meaning that entities both inside and outside of Thailand which collect, use, or disclose personal information for commercial purposes about Thai residents must follow its guidelines. Any transfer of personal data regarding entities in Thailand is expressly prohibited.

Thailand’s PDPA requires websites and organizations to acquire explicit end-user consent before processing any personal data. This means that you must inform your users of your exact intentions regarding their data processing – including who you share it with and how it will be used. This invalidates prior guidelines which allowed implied consent.

The PDPA also differentiates between personal data and sensitive data. Personal data covers any information that can possibly identify a specific human being, while sensitive data includes information like sexual orientation, criminal records, racial origins, etc. The PDPA considers data processing to be the behavior of collecting, sharing, storing, using, or sharing personal data. Any failure to comply with Thailand’s PDPA can result in fines of up to 5 million Baht as well as imprisonment for up to one year.

Characteristics of Thailand’s PDPA

When Thailand created the PDPA, they set out to replicate the data protection solutions of the EU’s GDPR. Their goal was to demonstrate that Thailand is on equal footing with the EU and other states with similar legislation when it comes to protecting the data of their citizens. If you are already familiar with the GDPR and comply with its guidelines, you won’t be too confused by the regulations outlined in the PDPA.

However, there are certain key elements of the PDPA that should be noted. These include:

1. National Data Protection Authority

Thailand’s PDPA will establish the Personal Data Protection Committee to enforce compliance with the PDPA. This organization will have the ability to determine specific approaches related to personal data protection and promote the protection of personal data for Thai residents.

2. Extra-territorial Application

The PDPA extends its own legal power beyond the boundaries of Thai territory. This is exceptionally rare in Thai law and can be recognized as a significant change from previous legal frameworks in Thailand. Any business, website, or other organization which collects, uses, or discloses personal information about Thai residents must adhere to the PDPA.

Rather than allowing for implied consent, the PDPA strictly requires consent to come in the form of writing or electronic submission before a website ever enables cookies and trackers.

4. Different Types of Data

The PDPA outlines the differences between personal and sensitive data and has established separate categories for each. The PDPA prohibits collections of sensitive data without explicit consent from users except for in the case of medical emergencies.

5. Users’ Rights

Under the PDPA, website users will have the right to access and change their personal data at any time. They will also have the ability to withdraw their consent at any time and stop their data from being processed for marketing purposes.

6. Liability

Failing to comply with Thailand’s PDPA can lead to punitive damages, criminal penalties including imprisonment, administrative fines of up to 5 million Baht, and more depending on a website’s specific failure to comply.

Thailand’s PDPA Compliance with CookieScript

In order for your website to fully comply with Thailand’s PDPA, you must obtain explicit consent from any Thai users before you process any of their data. You’ll also be required to notify them about what details you collect, who you’ll share it with, and how it will be used. Users must also be able to access and correct their data as well as withdraw their consent at any time. All of this can prove quite complicated without an automated system in place on your website that helps you obtain this explicit consent from your users.

Fortunately, CookieScript is a compliance solution you can integrate within your website which helps you to automate compliance procedures for multiple international guidelines, including Thailand’s PDPA. CookieScript enables you to make your domain fully compliant without having to worry about the headache of overly complex technical implementations.

By using CookieScript on your website, you can ensure that you are fully compliant with Thailand’s PDPA. CookieScript can automate the process of obtaining explicit consent from Thai end-users before your website’s cookies and trackers become active.

In order to avoid hefty fines for non-compliance with data regulations outlined by Thailand’s PDPA, the EU’s GDPR, Malaysia’s PDPA, or any others, choose CookieScript. No matter if your website is hosted by WordPress, Wix, Shopify, Squarespace, or any other major platform, you can enable CookieScript to ensure total compliance with these regulations.

You can find out which level of service best suits your company, and sign up today!

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.