Data protection is a critical business priority today. The Personal Data Protection Act, usually known as PDPA, has officially transformed how companies handle customer data. Understanding the PDPA meaning is essential for any modern organization. If a business collects personal information, it must follow strict rules to protect user privacy. Many companies struggle to align their daily operations with the PDPA law.
At Moore GSiA, our experts help businesses navigate these complex regulations. Our guide explains what PDPA in Thailand looks like, and outlines the practical steps for achieving compliance.
What Is PDPA?
A Personal Data Protection Act (PDPA) is a comprehensive legal framework that regulates how organizations collect, use, and disclose personal data. This type of data protection legislation protects individual privacy rights by giving citizens control over their own personal information. The law, implemented across various global jurisdictions, requires businesses to establish a clear lawful basis before gathering any user data. It also grants individuals fundamental rights to access, correct, or request the deletion of their personal records. Organizations must establish strict security protocols to prevent data leaks and maintain overall data integrity.
What Is the Current Enforcement Landscape of PDPA in Thailand?

The grace period for PDPA in Thailand has completely ended. The Personal Data Protection Committee, operating as the main regulatory body, has shifted from offering guidance to active enforcement. In August 2025, regulators issued fines totaling over 21.5 million baht across multiple cases. Regulators penalized companies primarily for failing to report data breaches and maintaining poor security measures. A new Royal Gazette notification, published in October 2025, made the appointment of Data Protection Officers mandatory for all state agencies. The committee is also drafting new guidelines to tighten rules around direct marketing and security measures. Enforcement actions will likely increase, so compliance is no longer an optional task.
Are Businesses Operating in Thailand Truly Prepared for Compliance?
Despite widespread awareness, many organizations still fall short of full compliance. Early surveys showed that implementing new policies remains a top challenge for business owners. Many companies do not have a dedicated team for data privacy tasks. Organizations often lack the right technical tools to manage data securely. Some firms fail to update their vendor contracts to meet legal standards. Businesses, processing large volumes of personal information, must take proactive steps to close these gaps. Integrating privacy measures into daily workflows is the only way to demonstrate real accountability to regulators. Operations like accounting services in Thailand demand strict data handling protocols.
Who Is Legally Obligated to Comply with the Thai PDPA?
The scope of the law is broad and applies to many types of organizations. You must comply if your business meets specific criteria:
- Organizations that collect, use, or disclose personal data within Thailand must follow the law.
- Companies located outside Thailand must comply if they offer goods or services to individuals in Thailand.
- Businesses that monitor the behavior of users inside Thailand are subject to these rules.
- Firms managing sensitive financial records, such as those providing a payroll service, have an even higher obligation to secure personal data.
How Does the Thai PDPA Differ from Global Frameworks Like GDPR and CCPA?
Understanding these differences helps international companies adjust their local strategies.
| Feature | Thailand PDPA | EU GDPR | California CCPA |
| Consent Standard | Opt-in via affirmative action | Opt-in via affirmative action | Opt-out system |
| Cookie Consent | Required for non-essential cookies | Required for non-essential cookies | Not required but opt-out applies |
| Data Transfers | Regulated under Sections 28 and 29 | Requires adequacy or SCCs | No strict restrictions |
| Maximum Fines | Up to 5 million baht per offense | Up to 20 million euros | Up to 7,500 USD per violation |
| Breach Notice | Within 72 hours | Within 72 hours | Without unreasonable delay |
What Are the Strict New Criteria for Managing Website Cookies and User Consent?
The latest guidelines clarify exactly how websites must handle user consent. Implied consent is no longer acceptable.
- Websites must display “Accept all” and “Reject all” buttons with equal prominence.
- Companies must provide granular options for users to choose specific cookie categories.
- Systems must block all non-essential cookies until the user gives explicit consent.
- Organizations must maintain auditable consent logs to prove compliance during an inspection.
- Users must be able to withdraw their consent easily at any time.
How Can Marketers Leverage Anonymous Tracking to Maintain Visibility Safely?
Strict consent rules often cause a loss of marketing data. Anonymous tracking offers a safe solution for marketers.
- Companies can collect session-level behavioral data without capturing personal identifiers.
- This method operates entirely without cookies to respect user privacy.
- Marketers gain insights into complete conversion funnels and website traffic patterns.
- Businesses can optimize page performance based on aggregate data.
- You cannot use this data for personalized advertising or attribute it to identified users.
What Are the Legal Rules for Cross-Border Data Transfers Under Sections 28 and 29?
Under the Thai PDPA, Sections 28 and 29 establish strict rules for moving personal data outside the country to ensure user privacy remains fully protected.
- Section 28Â permits cross-border data transfers only if the destination country maintains adequate data protection standards as recognized by the regulatory committee. Since an official adequacy list has not yet been published, organizations must primarily rely on Section 29 to transfer data legally.Â
- Section 29Â requires businesses to implement appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules, to guarantee that overseas data handlers provide a comparable level of security. Additionally, organizations must clearly disclose any overseas data transfers in their privacy notices. Failing to comply with these cross-border transfer criteria can result in severe administrative fines of up to five million baht per offense
What Specific Violations Form the Basis of Heavy PDPC Fines?

Regulators focus on a few critical errors when they audit a business. Companies face massive fines for collecting data without a valid legal basis. A common violation involves tracking users before securing their explicit consent. Organizations also fail to sign proper vendor contracts with required privacy clauses. Processing sensitive personal data, like health or financial information, without explicit permission is a serious offense. The regulator, actively monitoring compliance, will penalize any firm that ignores mandatory security standards.
Conclusion
Achieving full compliance with the PDPA law requires continuous effort and strategic planning. Businesses must audit their data collection processes, update their privacy policies, and implement robust security tools. Companies risk severe financial penalties and reputational damage if they ignore these obligations.
Moore GSiA provides expert, partner-led guidance to help your organization meet these complex regulatory demands. We combine a powerful global network with deep local expertise to deliver customized, end-to-end solutions. Taking a proactive approach ensures your business remains competitive and trustworthy in the modern digital economy.
Frequently Asked Questions
1. Does the Thai PDPA require local data residency or local hosting for website cookie banners?
No. The law does not mandate local hosting. A company can host its systems abroad if it implements proper transfer safeguards and discloses the practice in its privacy policy.
2. What happens if a company fails to report a data breach within the mandatory time limit?
Failure to report a breach within 72 hours can lead to heavy administrative fines. The regulator recently penalized multiple organizations specifically for this violation.
3. Can I use bundled or implied consent if our privacy policy clearly explains our marketing data collection?
No. Consent must be explicitly given through an affirmative action. Bundled or implied consent is entirely invalid under the current guidelines.
{ “@context”: “https://schema.org”, “@type”: “FAQPage”, “mainEntity”: [ { “@type”: “Question”, “name”: “Does the Thai PDPA require local data residency or local hosting for website cookie banners?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “No. The law does not mandate local hosting. A company can host its systems abroad if it implements proper transfer safeguards and discloses the practice in its privacy policy.” } }, { “@type”: “Question”, “name”: “What happens if a company fails to report a data breach within the mandatory time limit?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “Failure to report a breach within 72 hours can lead to heavy administrative fines. The regulator recently penalized multiple organizations specifically for this violation.” } }, { “@type”: “Question”, “name”: “Can I use bundled or implied consent if our privacy policy clearly explains our marketing data collection?”, “acceptedAnswer”: { “@type”: “Answer”, “text”: “No. Consent must be explicitly given through an affirmative action. Bundled or implied consent is entirely invalid under the current guidelines.” } } ] }














