What is PDPA, and when will it come into effect in Thailand?

PDPA refers to the Personal Data Protection Act BE 2562 (2019). It is a data protection law that was published in May 2019 and is expected to come into effect on June 1, 2022. It has previously been postponed twice due to Covid-19 concerns. Its acronym resembles that of similar laws enacted in Singapore.

It is the first law in Thailand that addresses this issue and is expected to create challenges for businesses that operate in online environments, both before and after the law goes into effect. This is due to the wide scope and many requirements that these businesses will need to comply with. The PDPA document is made up of seven chapters and 96 sections. However, with the enforcement of the law having been twice postponed, companies should have had enough time to work on what is needed for full compliance.

What is PDPA?

There has been much concern around how websites are able to collect personal data from online users and share this with others. PDPA seeks to regulate this activity and provide websites with guidelines on how they should collect consent from the said online users before processing their personal data.

As part of gaining this informed consent, the online users must be notified of what data is being collected, how it will be used, and by whom. The personal data must be used only for the expressed purposes. This law will apply not just to Thai websites but also to any foreign body that is doing business with online users accessing their websites from Thailand.

The penalties for violating the PDPA can include fines of up to THB 5,000,000 and imprisonment for a term of up to one year. These penalties have been regarded by some as too severe. The Federation of Thai Industries (FTI) chair, Supant Mongkolsuthree, pointed to the prison sentence as being harsher than similar laws in other countries and global practice. He has called on the government to consider amending the law's penalties to allow only fines, as other countries do.

When the law was passed in 2019, legislators chose to give affected businesses a one-year grace period to adjust to its requirements. The first and second postponements were granted to allow both private and public sector organisations time to prepare their internal processes and account for the disruption being caused by the pandemic. 

 

*Example of how a pop-up may appear on websites

*Visitors should have the option to opt out if they wish

To comply with the PDPA, websites are expected to:

  • Present online users with a cookie banner that informs them that data will be collected, what kind of data, who is doing the collecting and how long it will be stored.
  • Prevent cookies from activating until online users have consented to their use.
  • Allow users the option to deny the use of the cookies.
  • Provide a means for users to change or withdraw consent for cookies.
  • Only store user consents for up to 5 years as per the law. 

This procedure ensures that right from when online users arrive on the site they are given the right to decide if cookies should be used. If they reject the cookies, their decision should be respected and the cookies not activated. 
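One way to enforce the checklist above in site code, as an added example that is not from the original article: a consent gate that holds back non-essential tags until a decision is recorded, honours refusal and withdrawal, and discards a stored decision once it is older than the 5-year limit. The names `createConsentGate`, `register`, `decide` and `withdraw` are hypothetical; in a browser, `store` would wrap `localStorage` or a first-party cookie and each `start` callback would inject the third-party script.

```javascript
// Added example; createConsentGate and its method names are hypothetical.
const RETENTION_MS = 5 * 365 * 24 * 60 * 60 * 1000; // 5-year limit quoted in the article
function createConsentGate(store, now = () => Date.now()) {
  const tags = []; // { category, start, stop }; stop is set only while the tag runs
  // Return the stored decision, or null if it is absent, malformed or too old.
  function record() {
    let rec = null;
    try { rec = JSON.parse(store.get('consent') || 'null'); } catch { rec = null; }
    const valid = rec !== null && Array.isArray(rec.granted) &&
      typeof rec.ts === 'number' && now() - rec.ts <= RETENTION_MS;
    if (!valid) store.delete('consent');
    return valid ? rec : null;
  }
  // Start tags whose category is granted, stop every other running tag.
  function sync() {
    const rec = record();
    const granted = rec ? rec.granted : []; // no decision means nothing may run
    for (const tag of tags) {
      const allowed = granted.includes(tag.category);
      if (allowed && !tag.stop) tag.stop = tag.start() || (() => {});
      if (!allowed && tag.stop) { tag.stop(); tag.stop = null; }
    }
  }
  return {
    needsBanner() { sync(); return record() === null; },
    register(category, start) { tags.push({ category, start, stop: null }); sync(); },
    decide(granted) { // [] records an explicit refusal
      store.set('consent', JSON.stringify({ granted: [...granted], ts: now() }));
      sync();
    },
    withdraw() { this.decide([]); },
  };
}

// Constructed walk-through: in-memory store, fake clock, one analytics tag.
function demo() {
  let t = 0;
  const events = [];
  const gate = createConsentGate(new Map(), () => t);
  gate.register('analytics', () => { events.push('start'); return () => events.push('stop'); });
  events.push(`banner:${gate.needsBanner()}`);
  gate.decide(['analytics']);
  gate.withdraw();
  gate.decide(['analytics']);
  t = RETENTION_MS + 1; // stored consent is now older than the retention limit
  events.push(`banner:${gate.needsBanner()}`);
  return events;
}
```

The `stop` callback returned by each tag is where cookies set by that tag would be deleted, so that withdrawal has the same effect as never having consented.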

What is Personal Data?

It is important to understand what constitutes personal data as per the PDPA. This refers to any information that can be used to identify a specific person, directly or indirectly. This data may include, but is not limited to, their name, address, ID number, phone number, and email address.

Additional data that the PDPA has also classified as protected includes:

  • Biometric data, genetic data and health records
  • Gender, sexual orientation and disability status
  • Racial, ethnic and religious membership
  • Trade union data and political affiliations

As long as the data collected by a website can be used to identify a particular person, then the online user is protected by the PDPA. Websites can collect personal data if there are legal grounds for this, including legal obligations, legitimate interest, public interest or consent.

What is Consent In PDPA?

Before websites can collect, store, and begin processing data from online users, they are required by PDPA to acquire consent from the user. This consent must be freely given and recorded in written or electronic format. 

Websites are expected to make their request for this consent in a simple and non-deceptive manner that is distinct from other content on the site. Professional cookie banners are commonly used to present such requests to online users. The standard is to provide online users with a choice of “Yes” or “No” when it comes to granting permission for cookies to be used in tracking their activity and collecting data. 

Cookies

Most online users will be familiar with the use of cookies when visiting websites. They are used by websites to collect personal data on online users and process this for use in digital marketing campaigns. Some of the most common data collected include geo-location, IP addresses, device ID, and online activity. 

When the data is processed, it is then used for such actions as remarketing campaigns. If an online user matches the profile of online audiences to be targeted by certain advertising campaigns, they will begin to see the ads running as they browse the webpage and website. The same information may again be used to target ads upon repeat visits to the same or affiliated sites. 

*You may be using tools like Google Analytics to create audiences based on website visitors.

The data controller or processor bears the responsibility for collecting consent from online users before cookies from third parties are allowed to start collecting this data from the site.

Challenges Businesses Face In Complying With PDPA

In 2020, auditing firm PricewaterhouseCoopers (PwC) Thailand conducted a survey to determine the readiness of businesses in complying with the PDPA by the earlier June 2021 deadline. Their study found that though many businesses were aware of the PDPA requirements, most were far from ready for its enforcement. Some stated that they would need a year or more to become compliant, particularly when it came to implementing new processes and policies.

There is also still some concern over the harsh penalties attached to the PDPA, with many asserting that such business laws should not have criminal penalties attached. However, some note that the punishment is in keeping with the EU’s General Data Protection Regulation. 

If you’re not sure what you need to do in order to comply with the upcoming PDPA changes, get in touch with one of the team at Phoenix Media and we’ll be able to assist. 
