Thailand PDPA Cookie Consent Requirements
Delve into Thailand's PDPA and its critical impact on cookie consent. Learn the requirements, penalties for non-compliance, and how to ensure compliance using solutions like Secure Privacy's CMP.
Thailand has a comprehensive data protection law that you need to be aware of if you work in the country or serve Thai residents.
In this article, we will show you:
- Whether the Thai PDPA applies to your website
- How to request and obtain cookie consent properly
- What the consent notification requirements are
- The penalties for non-compliance
- How to comply with the Thailand PDPA cookie consent and notification requirements
Does the Thailand Personal Data Protection Act (PDPA) apply to my website?
The Thailand Personal Data Protection Act (PDPA) applies to:
- Data controllers and processors located in Thailand, regardless of where the data subjects are or where the processing itself takes place; and
- Businesses located outside Thailand that process the personal data of individuals in Thailand for:
  - Offering products or services to individuals in Thailand (whether or not payment is required), or
  - Monitoring the behaviour of individuals where that behaviour takes place in Thailand.
If either description fits your business, keep reading: your website needs to meet the cookie consent requirements below.
What are the Thailand PDPA consent requirements?
For cookies, the Thai data protection law works on the opt-in principle: you may set non-essential cookies (analytics, advertising, social media) only after the visitor has opted in. Strictly necessary cookies, such as a session or CSRF cookie, do not need consent, but everything else does.
- You have to collect consent before setting the cookies. Data controllers must not collect personal data until the visitor has consented; loading a tracking script and asking afterwards is too late.
- The consent must be explicit. Implied consent is not valid consent. "You accept cookies by browsing the website" does not constitute consent from users in Thailand, and neither does scrolling or closing the banner.
- You must not make consent a condition of entering into a contract. For website operators, this means the consent request must not be bundled with acceptance of the Terms and Conditions. Accepting the terms never means accepting cookies.
- Data subjects must be informed of the purposes of the collection and processing. You have to tell them why you process the data, and for which purposes, before they decide.
- The consent request must be separate from other documents. This again rules out bundling the request with the Terms and Conditions, and it means the request must be clearly visible and easy to distinguish. That is where a cookie banner comes in.
- The wording of the request must be in plain language and must not be misleading or deceptive. When requesting consent from data subjects, state your intentions clearly so that their consent is unambiguous.
- You have to make it easy to withdraw consent. A user who gave consent may choose to withdraw it later, and you must provide the tools to do so as easily as the consent was given. If consenting took a single click on an accept button, withdrawing must take no more than that.
What are the penalties for non-compliance with the Thai PDPA consent requirements?
The Thailand PDPA provides three kinds of liability for breaches: administrative, criminal and civil.
Most violations result in administrative fines imposed by the Personal Data Protection Committee. Depending on the severity of the infringement, these fines can reach 5 million baht (roughly USD 150,000). Obtaining consent by bundling it with the Terms and Conditions, or using deceptive wording in the request, falls in this category.
Certain breaches involving sensitive personal data carry criminal penalties: up to one year's imprisonment and/or a fine of up to 1 million baht, with the upper range reserved for cases done for unlawful gain. These penalties apply to serious infringements such as:
- Disclosing personal data learned in the course of performing duties under this Act to another person
- Disclosing sensitive personal data without the consent of the data subject
- Disclosing sensitive personal data to another person or entity for purposes beyond the scope of the consent given, either for personal gain or in a manner likely to harm the data subject
- Transferring sensitive personal data to a country without adequate personal data protection, for personal gain or in a way that could harm the data subjects
Where a data subject suffers damage, you are also civilly liable to compensate them for the harm and losses, and the court may award punitive damages of up to twice the actual damages.
How to comply with the PDPA Thailand consent and notification requirements
The easiest way to comply with the cookie consent requirements of Thailand's Personal Data Protection Act is to implement a reputable consent management platform such as Secure Privacy.
Our solution follows the guidelines for data controllers issued by the Personal Data Protection Committee of Thailand. It helps you obtain data subjects' consent lawfully, notify them of the processing and its purposes, keep a record of each consent so that you can prove compliance, and let data subjects withdraw consent as easily as they gave it.