Our coverage of new privacy laws continues! With the EU’s GDPR and California’s CCPA in full effect, and Brazil’s LGPD scheduled for August 15, let’s explore Thailand’s PDPA.
This article will explain what the PDPA is and how it compares to the GDPR that inspired it, as well as outline compliance steps for publishers who want to continue serving Thai users.
Please note, we are not a law firm. Please view this as informational, not legal advice, and speak to a lawyer before coming to a conclusion.
Thailand’s new PDPA, or Personal Data Protection Act, is a comprehensive, opt-in data privacy law that guarantees individual rights to more than 48M Thai internet users (70% of its total population). It’s Thailand’s first consolidated privacy law and shares many of the same principles as the GDPR — and the same name as Singapore's 2014 privacy law.
Thailand's PDPA was approved by the Thai National Legislative Assembly on February 28, 2019 and made effective May 28, 2019. An official English translation of the PDPA is still pending.
The law initially granted a one-year grace period for companies to comply. Companies considered to be data controllers or processors now have until May 27, 2021 to comply. The law will be enforced by a new national authority, the Personal Data Protection Committee (PDPC), similar to the European Data Protection Board (EDPB).
Like the GDPR, the PDPA protects any personal data that can be used to identify someone. PII (personally identifiable information) includes: name, IP address, lat/long coordinates, cookie IDs, RFID numbers, user agents, mobile IDs, and biometric/genetic/financial/behavioral/demographic data.
Without consent from a Thai user, you cannot:
If a user has offered explicit consent, however, you may continue to do cookie matching, interest targeting, frequency capping, programmatic ads, and so on.
The PDPA was inspired by the GDPR, so the laws share a number of commonalities and definitions, including:
NOTE: Neither law clearly defines “large-scale”; work with your legal counsel to evaluate the range and volume of PII you process, and the number of individuals and geographical areas it includes.
Despite their similarities, the PDPA does differ from the GDPR in a few areas:
Regardless of your company size, you’ll need to comply if your ad platform:
Effectively, unless your site/app is unavailable in Thailand, you will need to take some steps to ensure PDPA compliance.
If you’re fully GDPR-compliant, you’re well on your way to PDPA compliance too.
Like the GDPR, the PDPA qualifies consent as a freely given indication of a user’s agreement for data processing, and requires that information on personal data collection and use be clear, adequate, and easily accessible.
Consent must be provided by the data subject in writing or by other means, such as a consent banner on your website. The right to revoke consent must also be clearly disclosed.
As you prepare for the PDPA (by May 27, 2021), we suggest the following:
With the passage of the PDPA, Thailand joins more than 100 countries with personal data protection laws.