Home / Knowledge base / Web Design & Development
Knowledge Base

What is PDPA and what does it mean for businesses in Thailand?

What Thailand's PDPA is and what it means for businesses, what it requires, who it applies to, the penalties for non-compliance, and practical steps to comply.

Web Design & Development What is / explanation 5 min read

The Personal Data Protection Act (PDPA) is Thailand's primary data privacy law, which came into full effect in June 2022. It sets out the obligations businesses must meet when collecting, storing, using, or transferring the personal data of individuals in Thailand. The law is modelled on frameworks such as Europe's GDPR and applies to any organisation that processes the personal data of people located in Thailand, regardless of where the organisation itself is based.

What does PDPA require businesses to do?

Under PDPA, businesses that collect personal data must:

  • Obtain clear and informed consent before collecting personal data, or establish another lawful basis for processing such as legitimate interest or contractual necessity
  • Inform individuals of what data is being collected, how it will be used, and how long it will be retained
  • Allow individuals to access, correct, or request deletion of their personal data
  • Implement appropriate security measures to protect data from unauthorised access or breach
  • Not transfer personal data outside Thailand unless the destination country meets equivalent data protection standards
Screenshot of Google Consent Mode V2 being configured in Google Tag Manager.
Google Consent Mode V2, configured in Tag Manager, adapts GA4 and Google Ads tracking based on the user's cookie-consent choice — relevant for PDPA compliance.

Who does PDPA apply to?

PDPA applies to any business, organisation, or individual that collects or processes the personal data of people located in Thailand, including foreign companies operating in the Thai market. Exemptions exist for personal or household use, media organisations acting in the public interest, and certain government functions. For businesses running digital marketing campaigns, PDPA directly affects how website data is collected via analytics and advertising platforms, how contact forms gather user information, and how customer data is stored in CRM systems and shared with third-party tools such as email platforms or marketing automation software.

What are the penalties for PDPA non-compliance?

PDPA provides for three categories of penalty. Administrative penalties of up to 3 million THB apply to organisations that breach data protection obligations. Criminal penalties of up to 1 million THB and one year of imprisonment apply to the intentional disclosure of personal data for profit.

Civil liability allows affected individuals to claim compensation for actual damages caused by a breach. Regulators may also issue orders to cease processing and require remediation. The severity of penalties depends on whether the breach was intentional, the volume of data affected, and the steps the organisation had already taken to comply.

What should businesses do to comply with PDPA?

Practical compliance steps for businesses operating in Thailand include:

  • Auditing all data collection points including forms, cookies, analytics tools, and CRM systems to understand what personal data is being collected and on what basis
  • Publishing a clear, up-to-date privacy policy that meets PDPA requirements and is accessible from every page of the website
  • Implementing a cookie consent mechanism that gives users a genuine choice, including the option to decline non-essential cookies
  • Configuring Google Consent Mode V2 if running Google Ads or GA4, so that tracking behaviour adapts based on the user's consent decision
  • Reviewing data processing agreements with any third-party vendors who handle personal data on behalf of the business