What Is the Thailand PDPA?
Thailand's Personal Data Protection Act (PDPA), published in the Royal Thai Government Gazette on 27 May 2019, became fully effective on 1 June 2022 after several pandemic-related postponements. The law governs how organisations collect, use, and disclose personal data of individuals in Thailand.
The PDPA applies to any organisation that processes personal data of individuals located in Thailand, regardless of where the organisation itself is based. This extraterritorial reach means that if your website attracts Thai visitors and sets cookies on their devices, the PDPA applies to you. The structure mirrors many principles found in the GDPR, though with some distinct Thai characteristics in enforcement and consent requirements.
The Personal Data Protection Committee (PDPC) oversees enforcement. After an initial period focused on awareness-building, the PDPC shifted to active enforcement in 2024 and 2025.
How the PDPA Defines Personal Data and Cookies
Under Section 6 of the PDPA, personal data means any information that can identify a person, directly or indirectly. This definition covers online identifiers such as cookie IDs, device fingerprints, and IP addresses.
Cookies that process personal data fall squarely under the PDPA's scope. Analytics cookies like _ga or _gid, advertising cookies such as _fbp, and any marketing cookies that build visitor profiles all qualify as personal data processing. The same applies to tracking pixels and local storage mechanisms used for identification.
Strictly necessary cookies - those required for basic website functionality, such as PHPSESSID for session management - may fall under the legitimate interest exemption in Section 24(5). But the threshold for claiming legitimate interest is high, and the PDPC has not yet issued detailed guidance on which cookies qualify.
PDPA Consent Requirements for Cookies
Section 19 of the PDPA sets out the consent standard. Consent must be explicit, freely given, and informed. Implied consent - such as continuing to browse a website after seeing a banner - is not valid under Thai law.
Your cookie banner must present a clear, plain-language explanation of what data you collect and why. Visitors must have the ability to accept or refuse non-essential cookies before those cookies are set. Pre-ticked checkboxes do not constitute valid consent.
The PDPA also requires granular consent. Bundling cookie consent with other terms and conditions is not acceptable. Each purpose of processing should be presented separately, allowing visitors to choose which categories they agree to. This aligns closely with how the GDPR treats valid consent under Article 7.
Section 19 further states that consent must be given in writing or through an electronic system. For websites, this means a properly configured cookie consent mechanism that records the visitor's choice.
Withdrawal of Consent
Under Section 19, paragraph 5, withdrawing consent must be as straightforward as giving it. Your website needs a persistent method for visitors to change their cookie preferences at any time. If revoking consent is harder than granting it, your consent mechanism does not meet the PDPA standard.
Enforcement: The PDPC Gets Serious
The PDPC spent 2022 and 2023 focused on education and awareness. That changed in 2024, when the committee issued its first administrative fine - THB 7 million against an online retail company that had collected data from over 100,000 customers without appointing a Data Protection Officer or implementing adequate security measures.
By August 2025, the PDPC had issued fines totalling approximately THB 21.5 million (around USD 654,000) across five cases and eight administrative orders. The violations included insufficient technical safeguards, failure to report data breaches promptly, poor password management, and absence of data processing agreements.
One case involved a government agency and its software developer, each fined over THB 150,000 after a cyberattack exposed personal data of roughly 200,000 individuals.
On 9 October 2025, a Royal Gazette notification made Data Protection Officers mandatory for all state agencies, with broader private-sector requirements expected to follow. The enforcement trajectory is clear: the grace period is over.
PDPA Penalties at a Glance
| Penalty Type | Maximum Amount | Applies To |
|---|---|---|
| Administrative fine | THB 5 million (approx. USD 150,000) | Violations of data processing rules, consent failures, breach notification failures |
| Criminal penalty | Up to 1 year imprisonment and/or THB 1 million fine | Misuse of sensitive data, unauthorised disclosure causing harm |
| Civil damages | Up to twice actual damages (punitive) | Damage caused to data subjects through non-compliance |
| Corrective orders | N/A | PDPC can order organisations to rectify practices |
Criminal penalties under the PDPA can apply to individuals within an organisation, not just the entity itself. Directors or managers who order or allow violations may face personal liability.
How the PDPA Compares to the GDPR and Other Asian Privacy Laws
The PDPA shares several features with the GDPR, but there are meaningful differences. Understanding where the PDPA sits relative to other frameworks helps if your website serves visitors across multiple jurisdictions.
| Feature | Thailand PDPA | EU GDPR | Singapore PDPA | Japan APPI |
|---|---|---|---|---|
| Consent model | Opt-in (explicit) | Opt-in (explicit) | Opt-out (with exceptions) | Opt-out (general), opt-in (sensitive) |
| Extraterritorial scope | Yes | Yes | Yes | Yes |
| Maximum fine | THB 5 million | EUR 20 million or 4% of turnover | SGD 1 million | JPY 100 million |
| Breach notification | 72 hours to PDPC | 72 hours to DPA | 3 days to PDPC | Promptly to PPC |
| DPO requirement | Mandatory for state agencies; expanding | Mandatory in specified cases | Mandatory | Not mandatory but encouraged |
| Criminal penalties | Yes | No (at EU level) | Yes | Yes |
The Singapore PDPA takes a different approach with its opt-out model for most processing, while Japan's APPI reserves opt-in consent primarily for sensitive data. Thailand's approach is closer to the GDPR's strict opt-in requirement.
Practical Steps for Cookie Compliance Under the PDPA
Scan and Categorise Your Cookies
Start by identifying every cookie your website sets. Use a cookie scanner to detect first-party and third-party cookies, then categorise them as strictly necessary, functional, analytics, or marketing. Document the purpose, duration, and data controller for each cookie.
Implement an Opt-In Cookie Banner
Your banner must block non-essential cookies until the visitor gives explicit consent. The banner should display in Thai for Thai visitors and offer clear accept and reject options with equal prominence. Avoid dark patterns such as hiding the reject button or using confusing language.
Record and Store Consent
The PDPA requires you to maintain proof of consent. Store consent records with timestamps, the specific choices made, and the version of your privacy notice presented at the time. Thai law requires keeping these records for the duration of processing, though best practice is to retain them for at least five years in line with the statute of limitations.
Provide a Cookie Policy in Thai
Your cookie policy should be available in Thai. It must explain what cookies you use, their purposes, how long they persist, and whether any data is shared with third parties. Include clear instructions on how visitors can withdraw consent.
Handle Cross-Border Data Transfers
If your analytics or advertising cookies send data to servers outside Thailand, Section 28 of the PDPA applies. The destination country must have adequate data protection standards, or you must obtain explicit consent for the transfer. This is relevant for cookies like _ga, which sends data to Google's servers, and _fbp, which transmits data to Meta.
Common Mistakes to Avoid
Using a cookie wall that forces visitors to accept all cookies before accessing your site is not compliant. Consent must be freely given, which means access cannot be conditional on accepting non-essential cookies.
Relying on a generic "by continuing to browse" notice does not satisfy the PDPA's explicit consent requirement. This approach was common before 2022 but is now a clear violation.
Failing to block cookies before consent is another frequent error. If your site sets _ga, _fbp, or similar tracking cookies the moment a page loads, you are processing personal data without a lawful basis. Use script blocking techniques to hold back non-essential cookies until consent is granted.
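As an added example (not code from this article or from Kukie.io), the following JavaScript shows one way to implement the script blocking, consent recording and withdrawal described above: the markup convention (inert `type="text/plain"` scripts tagged with `data-cookie-category`), the policy version label and the cookie-to-category mapping are assumptions, not requirements of the PDPA.

```javascript
// Added example, not code from the article or Kukie.io: consent-gated script activation
// plus the consent record the PDPA expects you to keep. Assumed markup: non-essential
// scripts ship inert so the browser never runs them before consent:
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2025-10-v3"; // hypothetical version label of the cookie policy shown
const COOKIES_BY_CATEGORY = { analytics: ["_ga", "_gid"], marketing: ["_fbp"] }; // constructed mapping

// Proof of consent: timestamp, exact choices, and the notice version they were given against.
// Anything not explicitly accepted is recorded as refused; "necessary" needs no consent.
function buildConsentRecord(choices, now = new Date()) {
  const record = { policyVersion: POLICY_VERSION, timestamp: now.toISOString(), choices: {} };
  for (const c of CATEGORIES) record.choices[c] = c === "necessary" || choices[c] === true;
  return record;
}

// Consent given against an older notice is not informed consent for the current one.
function isRecordCurrent(record) {
  return Boolean(record) && record.policyVersion === POLICY_VERSION;
}

// Withdrawal (Section 19, paragraph 5): one call flips the category off and re-stamps the record.
function withdrawCategory(record, category, now = new Date()) {
  if (category === "necessary") return record;
  return buildConsentRecord({ ...record.choices, [category]: false }, now);
}

// Cookie strings that expire a withdrawn category's cookies (assign each to document.cookie).
function expireCookieStrings(category, domain) {
  return (COOKIES_BY_CATEGORY[category] || []).map(
    name => `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=${domain}`);
}

// From inert script descriptors [{category, ...}], keep only those the record allows.
function scriptsToActivate(scripts, record) {
  if (!isRecordCurrent(record)) return [];
  return scripts.filter(s => record.choices[s.category] === true);
}
// Browser glue: replace each permitted inert <script> with a live one so it executes.
function activateInertScripts(record) {
  if (typeof document === "undefined") return 0; // no DOM (e.g. running the logic under Node)
  const inert = [...document.querySelectorAll('script[type="text/plain"][data-cookie-category]')];
  const allowed = scriptsToActivate(inert.map(el => ({ category: el.dataset.cookieCategory, el })), record);
  for (const { el } of allowed) {
    const live = document.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}
```

Call `activateInertScripts(record)` once from the banner's accept handler and again on every page load with the stored record, so nothing tagged non-essential ever runs before a current consent exists.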
Frequently Asked Questions
Does the Thailand PDPA apply to websites outside Thailand?
Yes. The PDPA has extraterritorial scope. If your website collects personal data from individuals in Thailand, including through cookies, the law applies regardless of where your business is located.
Are analytics cookies considered personal data under the PDPA?
Analytics cookies such as _ga and _gid generate unique identifiers that can be linked to individual visitors. Under the PDPA's broad definition of personal data, these qualify as personal data processing and require explicit consent.
Can I use a cookie wall on my Thai website?
No. Cookie walls that block access unless visitors accept all cookies violate the PDPA's requirement that consent be freely given. Visitors must be able to access your site without consenting to non-essential cookies.
How long must I keep consent records under the PDPA?
The PDPA does not specify an exact retention period for consent records, but you must maintain proof of consent for as long as processing continues. Best practice is to retain records for at least five years, aligning with Thailand's general statute of limitations.
What language must my cookie banner be in for Thai visitors?
While the PDPA does not mandate a specific language, consent must be informed and clearly understood. For Thai visitors, providing your cookie banner and privacy notice in Thai is strongly recommended to meet the informed consent standard.
Does the PDPA require a Data Protection Officer?
As of October 2025, DPOs are mandatory for all state agencies. Private-sector organisations that process large volumes of personal data or handle sensitive data should appoint one as a precaution, as expanded requirements are anticipated.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.