What is Thailand's PDPA? A Guide for Publishers

Jane O'Hara

Our coverage of new privacy laws continues! With the EU’s GDPR and California’s CCPA in full effect, and Brazil’s LGPD scheduled for August 15, let’s explore Thailand’s PDPA.

This article will explain what the PDPA is and how it compares to the GDPR that inspired it, as well as outline compliance steps for publishers who want to continue serving Thai users.

Please note: This article is informational. We are not a law firm and therefore do not offer legal advice. Please speak to a lawyer before determining how the PDPA affects your business.

What is the PDPA?

Thailand’s new PDPA, or Personal Data Protection Act, is a comprehensive, opt-in data privacy law that guarantees individual rights to more than 48M Thai internet users (70% of its total population). It’s Thailand’s first consolidated privacy law and shares many of the same principles as the GDPR — and the same name as Singapore's 2014 privacy law.

Thailand's PDPA was approved by the Thai National Legislative Assembly on February 28, 2019 and made effective May 28, 2019. An official English translation of the PDPA is still pending.

The law initially granted a one-year grace period for companies to comply. Companies considered to be data controllers or processors now have until May 27, 2021 to comply. The law will be enforced by a new national authority, the Personal Data Protection Committee (PDPC), similar to the European Data Protection Board (EDPB).

Thai privacy image
Thai privacy image

The PDPA applies to all data collection, usage, and disclosure — and for all individuals living in Thailand — regardless of the data processor’s headquarters.

Like the GDPR, the PDPA protects any personal data that can be used to identify someone. PII (personally identifiable information) includes: name, IP address, lat/long coordinates, cookie IDs, RFID numbers, user agents, mobile IDs, and biometric/genetic/financial/behavioral/demographic data.

Without consent from a Thai user, you cannot:

  • Send full IP addresses downstream; they must be truncated
  • Pass GPS data
  • Store PII in internal logs
  • Send any other PII via downstream OpenRTB fields, as you’d need consent for all DSPs, ad networks, data providers, etc. involved

If a user has offered explicit consent, however, you may continue to do cookie matching, interest targeting, frequency capping, programmatic ads, and so on.

PDPA vs. GDPR: Key similarities

The PDPA was inspired by the GDPR, so the laws share a number of commonalities, including:

Personal data Any data that, by itself or combined with other data, could identify a person
Territorial scope Any data processing within the respective countries, irrespective of where the processor is headquartered
Data Protection Officers (DPOs) Required for “large-scale” data processing and monitoring (see below)
Data subjects Any individual whose data is processed or collected. Like the GDPR, the LGPD guarantees multiple rights to data subjects:
  • Information/confirmation
  • Access
  • Rectification
  • Restriction
  • Portability
  • Deletion
  • Objection
Opt-in consent Companies must request consent at point of collection and add clear, simple language to privacy policies on how data on how/why data will be collected/used/disclosed
When consent is not required for data processing Subject to six legal bases:
  • Explicit consent
  • Contract performance
  • Legal responsibility
  • Legitimate interest
  • Public task
  • Vital interest
Data breach notifications 72-hour timeline
NOTE: Neither law clearly defines “large-scale”; work with your legal counsel to evaluate the range and volume of PII you process, and the number of individuals and geographical areas it includes.

PDPA vs. GDPR: Key differences

Despite their similarities, the PDPA does differ from the GDPR in a few areas:
Age of consent Parental consent required for data owners aged 10 and under Parental consent required for data owners aged 16 and under
Anonymity Does not explicitly exclude anonymized data Excludes anonymized data
Penalties Administrative fines capped at 5M Thai Baht and criminal fines capped at 1M Thai Baht Capped at 20M Euros or 4% of global annual revenue, whichever is higher

PDPA compliance

Who needs to comply

Regardless of your company size, you’ll need to comply if your ad platform:

  • Includes activity in Thailand
  • Collects personal data of people in Thailand
  • Offers or supplies goods or services in Thailand
  • Monitors behavior of Thai users

Effectively, unless your site/app is unavailable in Thailand, you will need to take some steps to ensure PDPA-compliance.

How to comply

If you’re fully GDPR-compliant, you’re well on your way to PDPA compliance too.

Like the GDPR, the PDPA qualifies consent as a freely-given indication of a users’ agreement for data processing — and requires that information on personal data collection and use be clear, adequate, and easily accessible.

Consent must be provided by the data subject in writing or by other means, such as a consent banner on your website. The right to revoke consent must also be clearly disclosed.

As you prepare for the PDPA (by May 27, 2021), we suggest the following:

  1. Review the PII you collect from Thailand

    Conduct a detailed audit and risk assessment of your Thai user data, how it’s used, and with whom you share it. For programmatic advertising or data sales, this will include ad servers, DMPs, DSPs, etc.

  2. Avoid storing any PII in your logs for Thai users
  3. Ensure your CMP tool prompts consent for anyone in Thailand
  4. Enact a risk assessment plan

    Breach notifications for the PDPA are the same 72 hours mandated by the GDPR, so you’ll want to be prepared to act quickly.

What’s next?

With the passage of the PDPA, Thailand joins more than 100 countries with personal data protection laws.

We’ll continue to monitor this and other privacy laws (including any enforcement delays) so you can continue to boost your revenue with user-first ad experiences.

As you prepare your ad platform for the PDPA, here are a few more articles you may find useful:

Overall Industry Privacy

Share your quests for compliance

How easy has it been for you and your team to comply with the GDPR, CCPA, LGPD, and other privacy laws?

Click the link below to share your insights and advice with your colleagues in the Ad.Product community!

Join the Ad.Product community

Sign up for our monthly newsletter and to be notified of member-exclusive events and opportunities.

Ad.Product is the first community for product managers, engineers, and others to discover and discuss how to build innovative, user-first ad platforms.

Jane O'Hara

Recommended Articles