PDPA and Sign-Up Forms: What Data Can You Ask For?

When a user fills out a sign-up or registration form, they’re doing more than just providing information—they’re trusting you with a part of their digital identity. Under Thailand’s Personal Data Protection Act (PDPA), that trust must be protected.

If your sign-up forms are collecting more data than necessary or lack proper consent and explanation, you could be violating PDPA rules. More importantly, you may be unintentionally turning users away.

In this article, we’ll explore how to design sign-up and feedback forms that are compliant, user-friendly, and trustworthy, and we’ll share a case where better form design improved sign-up rates and reduced user confusion.

 

What Does the PDPA Say About Form Data?

The PDPA requires that any collection of personal data be:

1. Necessary for the purpose it’s collected
   
   

2. Clearly explained to the user
   
   

3. Accompanied by informed, explicit consent
   
   

This means:

• You can’t ask for data “just in case.”
  
  

• You must say why you need each data point.
  
  

• You must allow the user to choose whether to provide optional data.
  
  

The law applies to all forms that collect personal data—registration forms, feedback surveys, booking pages, newsletter sign-ups, and even contest entries.

 

Common PDPA Risks in Online Forms

• Asking for unnecessary data (e.g., ID numbers for a basic newsletter)
  
  

• Not specifying why the data is needed
  
  

• Pre-checking consent boxes
  
  

• Bundling marketing consent with terms acceptance
  
  

• Offering no way to opt out of non-essential data fields
  
  

These practices not only risk legal consequences but also damage user trust.

 

Best Practices for Designing PDPA-Compliant Forms

1. Collect Only What You Truly Need

Stick to the essentials. If you're offering an e-book download, for example, name and email may be enough—you probably don’t need gender, age, or phone number.

Ask: “What data is necessary to fulfill this action?”

2. Explain Every Field

Use tooltips or short text below each field to tell users why you're collecting it.

Example:

• Phone Number (for order updates only, never shared or used for marketing)
  
  

3. Label Optional vs. Required Fields

Make it easy for users to see which fields they must fill out, and clearly mark optional ones.

This helps with transparency and avoids user frustration or abandonment.

4. Use Consent Checkboxes for Specific Purposes

Instead of one general checkbox, use multiple consents:

• □ I agree to the Terms and Privacy Policy
  
  

• □ I agree to receive promotional emails
  
  

• □ I allow my data to be used for service improvement
  
  

Each should be unchecked by default.

5. Link to Your Privacy Policy

Every form should include a link to your privacy policy near the consent section. Make sure the policy is written in clear, non-legal language.

6. Don’t Mix Consent with Action

Avoid using phrases like “By clicking Submit, you agree to receive our newsletter.” This is not considered valid consent under PDPA.

 

Real Case: Form UX Improves Sign-Ups at an Education Platform

An online education provider was seeing high drop-off rates on their registration form. The form asked for full name, email, phone number, age, location, and preferred study time—with no explanation for any of the fields.

What They Changed:

• Kept only full name and email as required
  
  

• Marked phone number and age as optional
  
  

• Added tooltips beside each field explaining its purpose
  
  

• Separated marketing consent from platform terms
  
  

• Provided a simple, one-click opt-out for newsletters
  
  

The Results:

• Sign-ups increased by 18% in one month
  
  

• Support tickets related to data privacy dropped
  
  

• More users voluntarily provided optional data due to improved transparency
  
  

This case shows that less is more—when users feel in control, they engage more.

 

Types of Data to Be Careful With

The PDPA classifies some information as sensitive personal data, including:

• Race, ethnicity
  
  

• Religion, political opinions
  
  

• Health information
  
  

• Biometric data
  
  

• Sexual orientation
  
  

If your form asks for any of these, you need explicit written consent and a clearly documented reason for collecting it.

 

Additional UX Tips for Compliant Forms

• Make forms mobile-friendly and touch-optimized
  
  

• Use smart defaults (e.g., autofill where appropriate) without forcing values
  
  

• Provide a summary or review screen before submission
  
  

• Allow users to access, edit, or delete their information after registration
  
  

 

Conclusion: Simpler, Smarter Forms Build Trust and Stay Legal

PDPA-compliant sign-up forms are not only about staying on the right side of the law—they’re about creating a frictionless, transparent experience that users feel good about. Clear explanations, minimal data collection, and proper consent flow go a long way in building user trust and increasing conversions.