fbpx

Thailand’s PDPA: Why it’s coming, and what you need to do

Information is power. The shining promise of the internet has been the democratization of that power: Users from every country and social class would gain access to libraries of knowledge, and participate on equal footing in the conversations of the day.

To a great extent, this promise has been honored. Ordinary people can now educate themselves about any topic under the sun, make real names for themselves, and impact global conversation with their ideas.

But access to information goes in both directions. It feels great to learn whatever we want about the outside world … though it is far less comforting to consider that the world can also learn whatever it wants about us.

Sites like Google and Facebook give with one hand, and take with the other – mainly for the purpose of targeting internet users with tailored advertisements. The main difference is that, thanks to their highly advanced algorithms and processing power, these tech giants are far more efficient at learning than us carbon-based life forms. Other websites gather and analyze user data in similar ways, using web cookies designed for the purpose.

As a leading web agency in Bangkok, we work routinely with the kind of user data that gets collected around the internet. But we also know that marketing depends on trust and goodwill – two qualities that are hard to maintain when all kinds of organizations keep detailed records of your behavior every time you log on.

Many countries are beginning to see increased government regulation as the solution. In 2018, the EU began implementing its General Data Protection Regulation (GDPR) laws, effectively managing the collection, storage, distribution, and release of personal data by websites operating within their territory.

Other countries have since followed suit with their own regulations, including Thailand and its Personal Data Protection Act. In 2021, the PDPA will become law for all websites that collect data from Thai users. By requiring every site to obtain informed consent for the user data it intends to collect, and then ensuring that the data is not used in any other way, the Act aims to tip the scales back in favor of ordinary users – or at least level the playing field.

The PDPA in theory and practice

To understand the PDPA, you first need to know how cookies work.

A cookie is a little file that a website will save in the visitor’s browser storage space, letting the site keep track of information about its users. Many online features, like logging into a website for example, depend on the cookie system. Yet the power of cookies extends far beyond these simple origins.

If your website includes a 3rd party script such as Google Ads, then this script can also be used in other ways. Google’s software can identify a visitor between websites and pages, effectively collecting the browsing history for that user (without the user necessarily being aware of it), and then using that information to attach a behavioral profile to them. Of course, the principles here apply to all types of cookies – not just those running scripts from Google.

Above all else, the PDPA’s cookie policy is about clearly communicating to your visitors which cookies are used on your website, and asking for consent before activating them. The law also governs how websites are allowed to then use, store, and distribute the user information they collect with those cookies. An appointed data controller for each website must be put in place, to take responsibility for proper management of the system.

By protecting data owners in Thailand from illegal collection, use, or disclosure of their personal information, the PDPA will essentially regulate interactions between businesses and online customers. Corporate entities of all kinds will need to take strict precautions when setting up, activating, and managing their use of cookies. From the user’s perspective, the most visible change will come as a request for consent.

Establishing user consent involves clearly stating what kinds of personal data will be taken, what it will be used for, and the length of time their information will be held. The user then needs to give positive affirmation that they agree to the data collection process as presented. If the user wants to cancel the agreement or access the data that was collected, they must be able to do so freely.

The latter feature seems rational in theory, but may have security flaws in practice. From the user’s perspective, it seems sensible to have access to one’s own data upon request. Yet from the perspective of the web host, it can be hard to verify who is doing the asking. In other words, someone can pretend to be you, then ask for your user logs. Still, companies will likely hand over the data anyway because the alternative could see them fined for non-compliance.

Regardless, it is the responsibility of the government to patch up these issues where appropriate. For most websites, the immediate concern is to ensure that their systems are fully compatible with the PDPA before it takes the force of law. The upgrade process involves four key steps:

  • Data map the way your company stores personal information
  • Make software adjustments and upgrades as needed to ensure compliance
  • Create or adapt relevant legal documents, such as Terms and Conditions agreements and consent requests
  • Train all employees on the PDPA requirements to prevent breaches

If a website is found to be non-compliant after the PDPA goes into effect, penalties may include administrative fines of up to 5 million baht. Criminal penalties may also be applicable, including up to 1 million baht and/or imprisonment of up to one year. Even internationally based websites that operate in Thailand must appoint a special data controller to oversee compliance, or else the website owners will be held liable for any breaches of the PDPA.


That said, successfully adapting to the new law requires more than just a technical approach. By making consent optional, the PDPA indirectly rewards websites that earn the trust of their users. As ordinary people take control of their own data, companies will have to work extra hard to convince them to share it. Users are far more likely to offer their personal data voluntarily to websites that are professional and reliable, and that also inspire genuine interest.

Making your website 100% PDPA compliant

Thailand’s Personal Data Protection Act may be imperfect, but it is a step in the right direction. The law makes the online world a little less convenient for everyone – but it hits bad actors the hardest, because it hinders their ability to game the system. The result is a net gain for honest organizations that follow the rules.

The difficulty is in the implementation. The PDPA forces every website to abide by a complex set of technical requirements, and imposes heavy penalties for non-compliance. Under this setup, even well-intentioned organizations may run afoul of the law.

Fortunately, Lexicon’s Tech Lab provides a specialized service to ensure 100% compliance with Thailand’s PDPA. Programmers from our web agency in Bangkok are ready to give your website code a full update, adapting your cookies and data storage settings according to the precise specifications of the Act. As a side benefit, you’ll also show courtesy and transparency by empowering your web visitors to adjust their data settings as they see fit.

Complying with the new law means looking out for your audience’s own best interest, which in turn lets you both breathe easy. In these stressful times, who wouldn’t want that?

Latest Blogs