Macau PDPA

Personal Data Protection Act (Act 8/2005)

Macau | Opt-in | Special Administrative Region

Key Facts

Effective Date: February 1, 2006
Enacted: August 22, 2005
Enforcing Authority: Personal Data Protection Bureau (GPDP)
Consent Model: Opt-in
Applies To: Data controllers and processors in Macau, and those outside Macau using equipment located in Macau

Overview

Macau's PDPA is modeled on the Portuguese Data Protection Act, giving it one of Asia's most explicitly EU-style data protection frameworks. Article 6 specifically exempts strictly necessary cookies from consent requirements while requiring consent for all other cookies — a framework more common in Europe than Asia.

What This Means for Your Website

  • Strictly necessary cookies are exempt under Article 6
  • All non-essential cookies require freely given, specific, and informed consent
  • Data subjects must be informed about purposes, recipients, and consequences of refusal
  • Controllers must register with the GPDP before processing personal data
  • Cross-border transfers are restricted to jurisdictions with adequate protection

Key Requirements

The GPDP enforces the PDPA with fines from MOP 12,000 to MOP 2,400,000, plus imprisonment up to 2 years. Registration before processing is mandatory. The Portuguese legal heritage provides a uniquely EU-aligned framework in Asia.

How ConsentStack Handles This

ConsentStack applies Macau's EU-style cookie consent framework: strictly necessary cookies load freely while all others require explicit opt-in consent.

Penalties

Monetary fines from MOP 12,000 to MOP 2,400,000. Imprisonment up to 2 years. Temporary prohibition of processing. Erasure orders.

Maximum Fine: MOP 2,400,000 per violation

Key Requirements

  • Consent required for non-essential cookies — strictly necessary exempt under Article 6
  • Data subjects informed of: purposes, recipients, consent obligations, refusal consequences
  • Consent must be freely given, specific, and informed
  • Register with GPDP before processing
  • Cross-border transfers restricted to adequate jurisdictions
  • Data subject rights: access, rectification, erasure

Notable Provisions

  • EU-style cookie consent — one of the most explicit in Asia
  • Portuguese legal heritage influences data protection approach
  • Registration with GPDP required before processing
  • Article 6 specifically exempts necessary cookies

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Why is Macau's cookie law EU-style?

Macau's PDPA is modeled on the Portuguese Data Protection Act, which was based on the EU Data Protection Directive. This gives Macau one of Asia's most explicitly EU-aligned cookie frameworks.

Does Macau exempt necessary cookies?

Yes. Article 6 specifically exempts strictly necessary cookies from consent requirements. All other cookies require consent.

Must organizations register in Macau?

Yes. Data controllers must register with the GPDP (Personal Data Protection Bureau) before processing personal data.
