November 17, 2023

Thailand PDPA Cookie Consent Requirements

Delve into Thailand's PDPA and its critical impact on cookie consent. Learn the requirements, penalties for non-compliance, and how to ensure compliance using solutions like Secure Privacy's CMP.

Thailand has a comprehensive data protection law that you need to be aware of if you work in the country or serve Thai residents.

The law was signed in May 2019 but came into effect on June 1, 2022, after a few postponements. It introduced several new obligations, the most important of which is the requirement to obtain consent for the use of cookies. If you don't meet these requirements, you risk penalties.

In this article, we will show you:

  • Whether the Thai PDPA applies to your website
  • How to request and obtain cookie consent properly
  • What the consent notification requirements are
  • The penalties for non-compliance
  • How to comply with the Thailand PDPA cookie consent and notification requirements

Does the Thailand Personal Data Protection Act (PDPA) apply to my website?

The Thailand Personal Data Protection Act (PDPA) is applicable to:

  • Thai companies engaged in processing personal data within Thailand from individuals globally; or
  • International businesses that process the personal data of Thai individuals for:
    - Offering products or services to individuals in Thailand, or
    - Tracking the activities of individuals where such activities occur in Thailand.

If these requirements describe your business, keep reading. Your website needs to meet cookie consent requirements.

What are the Thailand PDPA consent requirements?

The Thailand data protection law relies on the opt-in principle, meaning that you can process someone else's personal information only if they opt into the processing.

For cookies and other tracking technologies, this means that you can process personal data only if you obtain explicit consent from the data subject. You obtain consent lawfully if you follow these guidelines:

  • You have to collect consent before using the cookies. This is self-explanatory. Data controllers must refrain from collecting personal data without users' consent.
  • The consent must be explicit. Implied consent is not valid consent. A statement such as "You accept cookies by browsing the website" does not constitute consent from users in Thailand.
  • The consent must be freely given. This means you cannot attach conditions to giving consent, such as not allowing users to visit the website if they do not consent to the use of cookies.
  • You must not tie the giving of consent to entering into a contract. For website operators, this means that the consent request must not be bundled with the acceptance of the Terms and Conditions. Accepting the terms never means accepting cookies.
  • Data subjects must be informed of the data collection and processing purposes. You have to tell them why you process the data.
  • The consent request must be separated from other documents. This also rules out bundling the consent request with the Terms and Conditions. It also means that the request must be clearly visible and easy to distinguish. That's where cookie banners come in handy.
  • The wording in the request must be in plain language and not misleading or deceptive. Again, self-explanatory. When requesting consent from data subjects, you have to clearly show your intentions and ensure that their consent is unambiguous.
  • You have to make it easy to withdraw consent. Some users may give you consent, but they may choose to withdraw it after a while. You have to provide them with the tools to withdraw consent as easily as they gave it. If giving consent was as easy as clicking on an accept button, withdrawing it has to be just as easy.

What are the penalties for non-compliance with the Thai PDPA consent requirements?

The Thailand PDPA enforces two categories of penalties for breaches: administrative and criminal.

Violations commonly result in administrative sanctions levied by the Personal Data Protection Committee. Fines for these breaches can escalate to 5 million baht, approximately USD 150,000, based on the infringement's severity.

Certain breaches under the PDPA lead to criminal penalties, including a maximum of one year imprisonment and fines up to 5 million baht. Such penalties are imposed for severe infringements, such as:

  • Disclosing personal data acquired during the execution of duties under this Act to another individual
  • Disclosing sensitive personal data without the consent of the data subject
  • Disclosing sensitive personal data to another person or entity for purposes beyond the scope of the given consent, either for personal gain or in a manner potentially harmful to the data subjects
  • Transferring sensitive personal data to a nation lacking robust personal data protection, for personal gain or in a way that could harm the data subjects

In the case of damages, you'll be liable to compensate the person for the harm and losses.

How to comply with the PDPA Thailand consent and notification requirements

The easiest way to comply with Thailand's Personal Data Protection Act cookie consent requirements is to implement a reputable consent management solution such as Secure Privacy.

Our solution follows the guidelines for data controllers of the Personal Data Protection Committee of Thailand. It will help you obtain data subjects' consent lawfully, notify the data subjects of the processing, store consent to prove compliance, and allow them to withdraw consent easily.
