23 June, 2025
What Is the PDPA and What Does It Mean for Your Website?


In today’s digital economy, collecting and managing personal data is unavoidable. Whether it's a customer signing up for a newsletter, booking an appointment, or purchasing a product online, websites routinely handle names, email addresses, phone numbers, and even sensitive health or financial data. In Thailand, the Personal Data Protection Act (PDPA) was introduced to regulate how this data is collected, stored, and used—offering users more control and privacy.

Since it came fully into force on 1 June 2022, the PDPA has created new responsibilities for website owners, developers, marketers, and business operators. Failure to comply can lead not only to substantial fines but also to loss of customer trust. This article breaks down the fundamentals of the PDPA and what every website must do to stay compliant.

 

Understanding the PDPA: A Brief Overview

The PDPA (Personal Data Protection Act) is Thailand’s data protection law modeled after Europe’s General Data Protection Regulation (GDPR). It aims to protect individuals' personal data and ensure that businesses handle it responsibly.

Key Concepts:

  • Personal Data: Any information that can directly or indirectly identify a person (e.g., name, email, phone number, IP address).

  • Data Subject: The individual whose data is being collected.

  • Data Controller: The person or organization that determines how personal data is processed.

  • Consent: Clear, informed permission from the data subject for their data to be collected and used.

Under the PDPA, businesses must collect only the data they need, explain how it will be used, obtain explicit consent (unless another lawful basis provided by the Act applies, such as performance of a contract with the data subject or compliance with a legal obligation), and protect it from unauthorized access, loss, or disclosure.

 

What the PDPA Requires from Website Owners

Whether you’re running a small local blog or a nationwide e-commerce platform, the PDPA applies if you collect personal data from individuals in Thailand, whether or not your business is based there. Here are the main things you need to do:

1. Ask for Consent Clearly

Consent must be explicit, freely given, and informed. This means:

  • No pre-checked boxes

  • No bundling consent with other actions (e.g., agreeing to terms)

  • Explaining exactly what data will be used for

2. Tell Users What You're Collecting and Why

Before collecting any data, websites must provide a Privacy Notice that includes:

  • What types of data are collected

  • The purpose of data collection

  • Who the data will be shared with

  • How long the data will be stored

  • Contact information for data inquiries or complaints

3. Limit Data Collection

You should only collect data that is necessary for the stated purpose. Asking for more than you need—just in case—is not compliant.

4. Enable Rights Management

Users have the right to:

  • Access their data

  • Correct inaccuracies

  • Withdraw consent

  • Request deletion of their data

Websites must offer a clear, user-friendly way for users to exercise these rights.

5. Secure the Data

Data security isn’t optional. Website owners must implement appropriate technical and organisational measures, such as:

  • HTTPS (TLS) on every page, not only on login or checkout pages

  • Hardened servers and least-privilege access controls, so only staff who need the data can reach it

  • Regular security audits and reviews of who has access

  • Log management and breach detection, since the Act requires the regulator to be notified within 72 hours of becoming aware of a breach

  • Deleting or anonymising data once the retention period stated in the Privacy Notice has passed

 

Common Website Areas That Must Be Reviewed

- Contact Forms

Every form that collects data should include a checkbox for user consent, with a link to the Privacy Policy. Consent should not be auto-selected.

- Newsletter Sign-Ups

Users should explicitly agree to receive marketing communications, and be able to unsubscribe easily.

- Account Registration

Only collect information needed for account creation. Avoid asking for unnecessary personal details.

- Cookie Consent

Sites that use tracking cookies or third-party analytics tools must obtain consent before setting those cookies or loading the tracking scripts. Strictly necessary cookies (for example session, CSRF-protection, or load-balancing cookies) are exempt. Analytics and advertising cookies are not strictly necessary and must wait for consent; a banner that only informs the user, or that sets the cookies before the user answers, does not meet the requirement.

- Live Chat Tools

If chats are recorded or stored, users must be informed before starting a session.
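The consent mechanics described in this article (a consent box that is not pre-selected, consent asked per purpose rather than bundled, collecting only the fields the stated purpose needs, withdrawal that is as easy as giving consent, and non-essential cookies and analytics scripts held back until consent exists) as an added JavaScript example. This is not Senna Labs' code or part of the original post; it is plain Node.js logic with no DOM so it can run server-side or be unit-tested. The form field names (`consent_inquiry` and so on), the cookie names, and the notice version are assumptions for illustration.

```javascript
// Added example, not code from the original post: purpose-scoped consent handling for a
// website contact form plus cookie gating. Runs as plain Node.js without a browser.
// Field names, cookie names and the notice version below are assumptions for illustration.

const PRIVACY_NOTICE_VERSION = "2025-06-23"; // assumed: version of the notice shown to the user

// Each purpose is asked for and stored separately so consent is never bundled.
const PURPOSES = ["inquiry", "analytics", "marketing"];

// Data minimisation: the contact form accepts only these fields; anything else is dropped.
const CONTACT_FIELDS = ["name", "email", "message"];

// Cookies the site sets. Only "essential" ones may be set before consent is given.
const COOKIE_POLICY = {
  session_id: { essential: true },
  csrf_token: { essential: true },
  _ga: { essential: false, purpose: "analytics" },
  ad_click_id: { essential: false, purpose: "marketing" },
};

// Build a consent record from raw submitted form fields (strings, as in a POST body).
// A purpose counts as consented only when its checkbox was actively ticked ("on");
// a missing field means "no consent", so a pre-checked or hidden default cannot create it.
function buildConsentRecord(fields, now = new Date()) {
  const purposes = {};
  for (const p of PURPOSES) {
    purposes[p] = fields[`consent_${p}`] === "on";
  }
  return { givenAt: now.toISOString(), noticeVersion: PRIVACY_NOTICE_VERSION, purposes };
}

// Validate a contact-form submission. Consent to handle the inquiry is required;
// marketing consent is optional and independent of it (no bundling).
function validateContactSubmission(fields, now = new Date()) {
  const errors = [];
  const record = buildConsentRecord(fields, now);
  if (!record.purposes.inquiry) errors.push("consent to process the inquiry is required");
  if (!fields.email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(fields.email)) {
    errors.push("a valid email address is required");
  }
  // Keep only the fields the stated purpose needs; extra fields are silently dropped.
  const data = {};
  for (const f of CONTACT_FIELDS) {
    if (fields[f] !== undefined) data[f] = fields[f];
  }
  return { ok: errors.length === 0, errors, data, consent: record };
}

// Withdrawal must be as easy as giving consent: flip one purpose off and note when.
// Returns a new record; the old one is left untouched for the audit trail.
function withdrawConsent(record, purpose, now = new Date()) {
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  return {
    ...record,
    purposes: { ...record.purposes, [purpose]: false },
    withdrawnAt: { ...(record.withdrawnAt || {}), [purpose]: now.toISOString() },
  };
}

// Cookies that may be set for this visitor: essential ones always, others only when the
// matching purpose has been consented to. `record` is null for a visitor who has not
// answered the cookie banner yet, which must yield the essential cookies only.
function allowedCookies(record) {
  return Object.entries(COOKIE_POLICY)
    .filter(([, c]) => c.essential || (record && record.purposes[c.purpose] === true))
    .map(([name]) => name);
}

// Decide whether the third-party analytics tag may be loaded at all.
function mayLoadAnalytics(record) {
  return allowedCookies(record).includes("_ga");
}

// Constructed sample submission: the visitor ticks only the inquiry box and the form
// also carried a phone number the inquiry does not need.
const submission = validateContactSubmission({
  name: "Somchai",
  email: "somchai@example.com",
  message: "What are your opening hours?",
  phone: "081-000-0000", // not needed for an inquiry, so it is dropped
  consent_inquiry: "on",
});
```

The record stores which notice version the visitor saw and when, which is what you need to answer an access request or show that consent existed at the time of processing. Because the cookie decision is a pure function of the stored record, the same function can run on the server (when deciding which `Set-Cookie` headers to emit) and in the browser (when deciding whether to inject the analytics tag).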

 

Real-World Example: Updating a Hospital Website for PDPA

A mid-sized healthcare provider realized their contact form was not PDPA-compliant. It collected patient names, phone numbers, symptoms, and optional insurance details, without any notice or consent process. Symptoms are health data, which the Act treats as sensitive personal data that may only be collected with the data subject's explicit consent, so the gap was more serious than a missing checkbox on an ordinary enquiry form.

The Risks:

  • Potential fines for unauthorized data collection

  • Lack of transparency undermining patient trust

  • No mechanism for patients to request deletion or withdrawal of consent

The Solution:

  • Added a clear checkbox for data collection consent with an explanation

  • Included a link to a detailed, readable Privacy Policy

  • Separated consent for general inquiries from consent to receive marketing updates

  • Set up a data request form allowing patients to access or delete their submitted information

The Outcome:

  • Reduced legal risk

  • Form submissions increased, which the team attributed to improved patient trust

  • Better internal control over how data is stored and accessed

This simple redesign helped align the hospital’s digital presence with PDPA requirements—demonstrating both compliance and customer care.

 

What Happens If You Ignore the PDPA?

Non-compliance can lead to:

  • Fines up to THB 5 million per violation

  • Civil claims by data subjects, including punitive damages of up to twice the actual damage

  • Criminal charges in cases of gross negligence or malicious intent

  • Public backlash and damaged reputation

More importantly, ignoring data protection undermines customer trust—an intangible asset that takes years to build and minutes to lose.

 

Conclusion: PDPA Is a Compliance Obligation and a Competitive Advantage

The PDPA is not just a legal requirement—it’s an opportunity to build better, more respectful relationships with your users. By treating personal data with care, transparency, and integrity, your website will not only avoid penalties but also create stronger engagement and trust.

If you're not sure whether your website meets PDPA standards, now is the time to review your forms, cookies, policies, and user flows. Better yet, incorporate AI tools and automated audits to keep your compliance in check.

 

Written by
Opal Piyaporn Kijtikhun
