Bangladesh PDPO

Personal Data Protection Ordinance, 2025

Key Facts

Effective Date: November 6, 2025
Enacted: November 6, 2025
Enforcing Authority: National Data Governance Authority
Consent Model: Opt-in
Applies To: Organizations and individuals processing personal data of Bangladeshi citizens

Overview

Bangladesh's PDPO 2025 is the country's first comprehensive data protection framework. Every citizen is recognized as the rightful owner of their personal data. The ordinance explicitly prohibits profiling, behavioral tracking, and targeted advertising directed at minors — a progressive provision for the region.

What This Means for Your Website

  • Explicit consent is mandatory before collection, storage, transfer, or use of personal data
  • Citizens are recognized as the rightful owners of their personal data
  • Profiling, behavioral tracking, and targeted advertising directed at minors are prohibited
  • Sensitive data requires heightened safeguards
  • Some provisions are delayed by 18 months (~May 2027)

Key Requirements

The National Data Governance Authority enforces the ordinance. Administrative fines, compensation, and criminal penalties apply for violations. The citizen ownership framing creates strong individual rights. The ordinance was promulgated via executive power, which may affect long-term stability.

How ConsentStack Handles This

ConsentStack applies explicit consent for Bangladeshi visitors, blocks tracking for minors, and respects the citizen data ownership framework.

Penalties

Administrative fines, compensation, or criminal penalties for unauthorized access, misuse, or illegal processing.

Key Requirements

  • Explicit consent mandatory before collection, storage, transfer, or use
  • Citizens recognized as rightful owners of their personal data
  • Sensitive personal data subject to heightened safeguards
  • Rights: access, correct, delete, restrict automated decisions
  • Profiling and targeted advertising directed at minors prohibited
  • Data controllers must demonstrate lawful basis for processing

Notable Provisions

  • Promulgated as executive ordinance, not full parliamentary law
  • Explicit prohibition on behavioral tracking of minors
  • Citizens recognized as data owners — unique framing
  • Some sections delayed by 18 months (~May 2027)

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

What is unique about Bangladesh's data protection approach?

Bangladesh recognizes citizens as the rightful owners of their personal data and explicitly prohibits behavioral tracking and targeted advertising directed at minors.

Is Bangladesh's PDPO a permanent law?

It was promulgated as an ordinance under constitutional executive powers, not through full parliamentary legislation, which may affect its long-term stability.

When is Bangladesh's PDPO fully effective?

The ordinance was promulgated November 6, 2025. Some sections take effect 18 months later (~May 2027).
