How the PDPA 2010 Applies to Cookies
Malaysia's Personal Data Protection Act 2010 (PDPA) came into force on 15 November 2013. Unlike the EU's ePrivacy Directive, the PDPA contains no specific provisions on cookies, local storage, or other online tracking technologies.
That does not mean cookies fall outside the law. Section 6 of the PDPA requires consent before processing personal data in a commercial transaction. If a cookie collects, stores, or transmits personal data - think _ga tying a session to a user profile, or _fbp linking browsing behaviour to an advertising identity - the general data protection principles of the PDPA apply. The practical result: any cookie that processes personal data requires user consent and a clear privacy notice.
The PDPA originally applied only to data processed within Malaysia, and only to commercial transactions. Public sector bodies were excluded. This narrower scope set it apart from broader frameworks such as the GDPR.
The 2024 Amendments: What Changed
The Personal Data Protection (Amendment) Act 2024 represents the first major overhaul since the law was enacted. Parliament passed the amendments in late 2024, with provisions rolling out in three phases through June 2025.
Key changes that affect cookie compliance:
Terminology shift - "Data user" is now "data controller", aligning Malaysian law with international norms.
Higher penalties - Maximum fines for breaching data protection principles rose from RM 300,000 to RM 1,000,000, with up to three years' imprisonment.
Mandatory data breach notification - Data controllers must notify the Commissioner and affected data subjects when a breach is likely to cause significant harm.
Data Protection Officer (DPO) - Organisations must now appoint a DPO, similar to the requirement under GDPR Article 37.
Data portability - From June 2025, individuals can request their data in a structured, commonly used format.
Direct liability for data processors - Processors can now be fined directly for security failures.
The amendments also removed the white-list regime for cross-border data transfers. Data controllers may now transfer personal data outside Malaysia if the receiving jurisdiction offers a level of protection substantially similar to the PDPA.
Seven Data Protection Principles Under the PDPA
The PDPA is built on seven principles. Each one has implications for how you handle cookies on a website aimed at Malaysian visitors.
| Principle | PDPA Section | Cookie Relevance |
|---|---|---|
| General Principle | Section 6 | Consent required before processing personal data via cookies |
| Notice and Choice | Section 7 | Cookie banner must explain what data is collected and why |
| Disclosure | Section 8 | Third-party cookies (analytics, advertising) must be disclosed |
| Security | Section 9 | Cookie data must be protected against unauthorised access |
| Retention | Section 10 | Cookies should not store personal data longer than necessary |
| Data Integrity | Section 11 | Data collected through cookies must be accurate and up to date |
| Access | Section 12 | Users can request access to personal data held about them |
The Notice and Choice Principle is the most directly relevant to cookie consent. It requires data controllers to inform individuals about the purpose of data collection and give them a genuine choice before processing begins.
JPDP Enforcement and Penalties
The Jabatan Perlindungan Data Peribadi (JPDP), or Personal Data Protection Department, oversees enforcement. Under the 2024 amendments, the JPDP has been elevated to an independent statutory commission with stronger investigative and enforcement powers.
The updated penalty structure:
Unauthorised processing of personal data - fine up to RM 1,000,000
Failure to appoint a DPO - fine up to RM 500,000
Failure to report a data breach - fine up to RM 250,000 or two years' imprisonment
Enforcement activity is expected to increase through 2026 as the commission exercises its expanded powers. While the JPDP has not yet issued cookie-specific fines, the general processing rules apply. A website dropping marketing cookies without consent is processing personal data without a lawful basis under Section 6.
PDPA vs GDPR: Key Differences for Cookie Compliance
If your website serves both EU and Malaysian visitors, you are likely already meeting a higher standard under the GDPR. The differences worth noting:
| Aspect | Malaysia PDPA | EU GDPR |
|---|---|---|
| Cookie-specific rules | None - general consent principles apply | ePrivacy Directive requires consent for non-essential cookies |
| Scope | Commercial transactions only (post-amendment: broader) | All personal data processing |
| Maximum fine | RM 1,000,000 (approx. EUR 200,000) | EUR 20,000,000 or 4% of global turnover |
| Breach notification | Mandatory (from 2025 amendments) | 72-hour notification to DPA |
| DPO requirement | Mandatory for all data controllers (from 2025) | Required in specific circumstances |
| Cross-border transfers | Adequacy-based (white-list removed) | Adequacy decisions, SCCs, BCRs |
| Extraterritorial reach | Limited | Applies to non-EU entities targeting EU residents |
The PDPA's fines are significantly lower than the GDPR's, but the 2024 amendments closed several gaps. The mandatory DPO requirement under the PDPA is actually broader than the GDPR's, which only mandates a DPO in certain situations.
Cookie Compliance Checklist for Malaysian Websites
Audit your site against these requirements:
Run a cookie scan to identify every cookie and tracking script on your site, including third-party tags like _ga, _fbp, and _gcl_au.
Classify cookies by purpose - separate strictly necessary cookies (like PHPSESSID) from analytics and advertising cookies.
Display a cookie banner that explains what data you collect, the purpose, and which third parties receive it. The Notice and Choice Principle requires this before processing begins.
Obtain consent before setting non-essential cookies - do not rely on implied consent or pre-ticked boxes.
Publish a cookie policy detailing each cookie's name, provider, purpose, and duration. Link it from your banner.
Appoint a DPO as required by the 2024 amendments.
Enable data subject access requests - Section 12 gives individuals the right to access their personal data.
Set retention limits - configure cookie durations to match your stated retention periods.
If your site also targets visitors in Indonesia, Singapore, or Thailand, consider a region-aware approach where your cookie banner adapts its behaviour based on visitor location.
Consent Requirements: What Counts as Valid Consent
Section 6 of the PDPA states that consent may take any form, provided it can be recorded and maintained by the data controller. This is less prescriptive than the GDPR's requirements under Article 7, but the 2024 amendments tightened the standard.
Consent must now be granular and specific. A single checkbox covering all cookies and all data processing purposes is unlikely to satisfy the updated requirements. Best practice is to offer category-level choices: strictly necessary, functional, analytics, and marketing.
Withdrawal of consent must also be straightforward. The amendments give individuals an explicit right to withdraw consent at any time, and the process must be as easy as the original opt-in.
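The checklist steps above (scan, classify, block non-essential cookies until consent) and the granular consent and withdrawal rules in this section, shown as one small consent gate in JavaScript. This is an added illustration, not code from the original article or from Kukie.io; the cookie-to-category mapping, the consent record shape and every function name are assumptions chosen for the example.

```javascript
// Added example, not from the original article. Category set follows the
// "strictly necessary, functional, analytics, marketing" split in the text;
// the cookie-to-category mapping and function names are assumptions.
const CATEGORIES = ["strictly_necessary", "functional", "analytics", "marketing"];

// Cookies named in the checklist, mapped to the category each belongs to.
const COOKIE_CATEGORY = {
  PHPSESSID: "strictly_necessary", // session cookie, no consent needed
  _ga: "analytics",
  _fbp: "marketing",
  _gcl_au: "marketing",
};

// A cookie the scan has not classified is treated as non-essential, so it
// stays blocked until someone assigns it a category.
function classifyCookie(name) {
  return COOKIE_CATEGORY[name] || "unclassified";
}

// Build a recordable consent object. Nothing is pre-ticked: an optional
// category is granted only when the visitor explicitly chose `true`.
function recordConsent(choices = {}, now = Date.now()) {
  const granted = { strictly_necessary: true };
  for (const c of CATEGORIES.slice(1)) granted[c] = choices[c] === true;
  return { granted, recordedAt: now, withdrawnAt: null };
}

// Withdrawal is a single call, as easy as the original opt-in.
function withdrawConsent(record, category, now = Date.now()) {
  if (category === "strictly_necessary") return record; // cannot be withdrawn
  return { ...record, granted: { ...record.granted, [category]: false }, withdrawnAt: now };
}

// May this cookie be set under the current consent record?
function isAllowed(record, cookieName) {
  return record.granted[classifyCookie(cookieName)] === true;
}

// Parse a Cookie request header and return the names that were set without
// a matching consent; useful for checking a page against its own banner.
function auditCookieHeader(header, record) {
  return header
    .split(";")
    .map((part) => part.trim().split("=")[0])
    .filter((name) => name && !isAllowed(record, name));
}
```

The consent record carries a timestamp so it can be stored and produced later, which is the "recorded and maintained" requirement the section describes.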
Frequently Asked Questions
Does the Malaysia PDPA require a cookie banner?
The PDPA does not mention cookies specifically, but its Notice and Choice Principle (Section 7) requires you to inform users and obtain consent before processing personal data. If your cookies collect personal data, a cookie banner is the most practical way to meet this obligation.
What is the maximum fine for non-compliance with the PDPA?
Following the 2024 amendments, the maximum fine for breaching data protection principles is RM 1,000,000 (approximately EUR 200,000), with up to three years' imprisonment.
Do strictly necessary cookies need consent under the PDPA?
Strictly necessary cookies like PHPSESSID that do not process personal data beyond basic session management do not trigger the PDPA's consent requirement. If a cookie processes personal data for purposes beyond what is strictly necessary, consent is required.
Does the PDPA apply to websites outside Malaysia?
The PDPA's extraterritorial reach is limited compared to the GDPR. It primarily applies to data processed within Malaysia in commercial transactions. If your business has no presence in Malaysia, the risk of direct enforcement is low, but best practice is to comply if you actively target Malaysian users.
How does the Malaysia PDPA compare to Indonesia's PDP Law?
Both laws require consent for personal data processing. Indonesia's PDP Law (2022) has a broader scope and higher maximum fines (up to 2% of annual revenue for corporations). Malaysia's PDPA is more established but was narrower until the 2024 amendments brought it closer to international standards.
Is a Data Protection Officer required under the amended PDPA?
Yes. The 2024 amendments require all data controllers and data processors to appoint a DPO. This is broader than the GDPR, which only mandates a DPO in specific circumstances such as large-scale processing of sensitive data.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.