Mongolia PDPL

Law on Personal Data Protection

Flag of MN
MongoliaOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
May 1, 2022
Enacted
December 17, 2021
Enforcing Authority
National Human Rights Commission (oversight); Ministry of Digital Development and Communication (enforcement)
Consent Model
Opt-in
Applies To
Individuals, legal entities, and organizations collecting, processing, or securing personal data in Mongolia

Overview

Mongolia's PDPL replaced the 1995 Law on Personal Secrecy with a comprehensive data protection framework. Written or electronic consent is required before collecting personal data, and collection is limited to what is strictly necessary. Cross-border transfers require data subject consent.

What This Means for Your Website

  • Written or electronic consent is required before collecting personal data of Mongolian visitors
  • Data collection must be limited to what is strictly necessary
  • Cross-border data transfers require explicit data subject consent
  • Security measures must protect stored and processed data
  • Penalties are relatively modest by global standards

Key Requirements

The National Human Rights Commission provides oversight while the Ministry of Digital Development enforces the law. Fines range from MNT 500,000 to 20,000,000 (~USD 145-5,832). Processing records must be maintained for accountability.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Mongolian visitors with strict necessity limitations on data collection.

Penalties

Fines from MNT 500,000 (~USD 145) to MNT 20,000,000 (~USD 5,832).

Maximum Fine
MNT20,000,000 per violation

Key Requirements

  • Written or electronic consent before collecting or processing personal data
  • Data collection limited to what is strictly necessary
  • Security measures to protect stored and processed data
  • Transparency regarding data usage and processing
  • Cross-border transfer prohibited without data subject consent
  • Accountability through maintaining processing records

Notable Provisions

  • Replaced 1995 Law on Personal Secrecy
  • Relatively low penalties by global standards
  • Cross-border transfers require data subject consent
  • Considered strong among Central Asian laws

Other Asia Pacific Regulations

PIPLChina
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPAThailand
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPASouth Korea
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPIJapan
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPASingapore
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy ActAustralia
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does Mongolia require cookie consent?

Mongolia's PDPL requires written or electronic consent for all personal data collection, which extends to cookies collecting personal data.

What are Mongolia's data protection penalties?

MNT 500,000 to 20,000,000 (~USD 145-5,832) — relatively modest by global standards.

Can data be transferred out of Mongolia?

Cross-border transfers require explicit data subject consent unless permitted by law or treaty.

Stay compliant with Mongolia PDPL

ConsentStack helps you implement Opt-in consent for Mongolia automatically.

Get started