Thailand PDPA

Personal Data Protection Act B.E. 2562 (2019)

Key Facts

Effective Date: June 1, 2022
Enacted: May 27, 2019
Enforcing Authority: Personal Data Protection Committee (PDPC), under the Ministry of Digital Economy and Society
Consent Model: Opt-in
Fulfillment Time: 30 days
Applies To: Data controllers and processors in Thailand, and foreign entities offering goods/services to or monitoring Thai individuals (extraterritorial)

Overview

Thailand's PDPA is a comprehensive GDPR-modeled law requiring explicit consent before processing personal data through cookies and tracking. Enforcement has intensified dramatically in 2025, with THB 21.5 million in fines issued in August alone, making Thailand's PDPC one of the most active DPAs in Southeast Asia.

What This Means for Your Website

  • Explicit, affirmative consent is required for non-essential cookies — clicking an unchecked checkbox qualifies
  • Consent must be clear, unambiguous, and freely given
  • Withdrawal must be as easy as giving consent
  • Breach notification to PDPC is required within 72 hours; serious breaches require immediate notification
  • Extraterritorial scope applies to foreign entities serving Thai individuals
  • Punitive damages up to 2x actual damages in civil proceedings

Key Requirements

The PDPC enforces the PDPA with administrative fines up to THB 5 million, criminal penalties up to THB 5 million and 1 year imprisonment, and repeat offender penalties up to THB 10 million and 2 years. Consumer requests must be fulfilled within 30 days. The rapid escalation of enforcement in 2025 signals that Thailand is serious about compliance.

How ConsentStack Handles This

ConsentStack detects Thai visitors and presents an explicit opt-in consent banner meeting PDPA requirements, with consent withdrawal equally accessible.

Penalties

Administrative: up to THB 5M. Criminal: up to 1 year and/or THB 5M. Repeat: up to THB 10M and/or 2 years. Punitive damages: up to 2x actual.

Maximum Fine: THB 10,000,000 per violation

Key Requirements

  • Explicit affirmative consent for non-essential cookies and tracking
  • Consent must be clear, unambiguous, and freely given
  • Withdrawal of consent must be as easy as giving consent
  • Heightened protections for sensitive personal data
  • Mandatory breach notification to PDPC within 72 hours
  • DPO appointment mandatory in certain circumstances

Notable Provisions

  • Enforcement intensified in 2025 — THB 21.5M in fines in August alone
  • GDPR-modeled with extraterritorial scope
  • Punitive damages up to 2x actual damages
  • Among the most actively enforcing DPAs in Southeast Asia

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Indonesia PDP Law (Indonesia)
Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.

Frequently Asked Questions

Does Thailand require cookie consent?

Yes. Explicit consent via affirmative action is required before placing non-essential cookies on Thai visitors. ConsentStack handles this automatically.

Is Thailand actively enforcing its privacy law?

Yes. Enforcement intensified in 2025 with THB 21.5 million in fines in August alone, making the PDPC one of Southeast Asia's most active DPAs.

Does Thailand's PDPA apply extraterritorially?

Yes. Foreign entities offering goods/services to or monitoring behavior of individuals in Thailand are subject to the PDPA.

What are Thailand's privacy penalties?

Administrative: up to THB 5M. Criminal: up to THB 5M and 1 year. Repeat: up to THB 10M and 2 years. Punitive damages: up to 2x actual.
