Using Analytics and Retargeting Without Violating the PDPA

In the data-driven world of digital marketing, tools like Google Analytics, Facebook Pixel, and other tracking scripts are vital for measuring user behavior, running ad campaigns, and optimizing content. But with Thailand’s Personal Data Protection Act (PDPA) now fully enforced, businesses must rethink how they use these tools, because silent tracking and automatic cookies are no longer compliant.
Good news: You can still leverage these platforms, but only if you handle consent properly and document how you collect, store, and share user data. In this article, we’ll explore how to use analytics and retargeting tools under PDPA—and share a case where a travel portal maintained marketing capabilities without breaching privacy laws.

What PDPA Says About Tracking Technologies
Under the PDPA, collecting any personally identifiable data (or using cookies that can track or profile users) must be done with:
- Explicit, informed consent
- A clear explanation of the data’s purpose
- An opt-in mechanism (not opt-out)
- The ability for users to change or revoke consent at any time
Tracking cookies, session analytics, and advertising scripts often fall under the category of non-essential data processing—which means you cannot activate them until a user has given permission.
What Happens If You Don’t Comply?
- Your site may be flagged or penalized
- Users may file privacy complaints
- You could face fines up to 5 million THB
- You risk losing customer trust and transparency credibility
Common Non-Compliant Practices
- Running analytics or Facebook Pixel scripts before consent
- Not offering users a choice to opt out of tracking
- Providing vague cookie banners with “By using this site, you agree…”
- Not documenting when and how users gave consent
- Failing to explain how third parties use the data
Compliant Use of Analytics and Retargeting: A Framework
1. Pre-Consent Blocking
Do not load tracking scripts until the user explicitly consents. This includes:
- Google Analytics (unless fully anonymized)
- Facebook Pixel
- Heatmaps (Hotjar, Crazy Egg, etc.)
- Remarketing tags (LinkedIn, TikTok, etc.)
Use tools that support deferred script execution or consent conditionals.
2. Categorize and Explain
Break cookies into categories and clearly explain:
- Essential (e.g., cart functionality)
- Analytics (e.g., behavior tracking)
- Advertising (e.g., retargeting and profiling)
Tell users what each does and who has access to their data.
3. Offer True Choice
Your cookie banner must allow users to:
- Accept all
- Reject all
- Customize preferences by category
All options should be visible and not hidden behind design tricks or hard-to-read buttons.
4. Allow Withdrawal
Users should be able to change their tracking preferences anytime. Offer a “Cookie Settings” link in the footer or account panel.
5. Log Consent
Record when and how users gave consent, including:
- Timestamp
- IP address (where possible)
- Consent categories selected
This is essential for proving compliance if audited.
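The five steps above combined into one consent gate, as an added JavaScript example (not code from the travel portal or from any consent platform named in this article): tags are registered by category, load only after opt-in, and every choice, including a withdrawal, is logged. `ConsentGate`, its method names and the URLs used with it are assumptions; the script loader is injected so the logic can be exercised outside a browser.

```javascript
// Added example; names and URLs are hypothetical.
const CATEGORIES = ['essential', 'analytics', 'advertising'];

class ConsentGate {
  // loadScript is injected: in a browser it would append a <script src=...> element.
  constructor(loadScript, now = () => new Date().toISOString()) {
    this.loadScript = loadScript;
    this.now = now;
    this.tags = [];                          // registered tags: {name, category, src}
    this.loaded = new Set();                 // names of tags already executed
    this.granted = new Set(['essential']);   // opt-in: nothing else is on by default
    this.log = [];                           // append-only consent records
  }

  register(name, category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.tags.push({ name, category, src });
    this.flush();
  }

  // choices: {analytics: true, advertising: false}. Only a literal `true` grants.
  // meta.ip is optional and assumed to be filled in server-side.
  setConsent(choices = {}, meta = {}) {
    const next = new Set(['essential']);
    for (const c of CATEGORIES) if (choices[c] === true) next.add(c);
    const withdrawn = [...this.granted].filter((c) => !next.has(c));
    this.granted = next;
    this.log.push({
      timestamp: this.now(),
      ip: meta.ip ?? null,
      categories: [...next].sort(),
      withdrawn,
    });
    this.flush();
    // A script that already ran cannot be unloaded; the page must reload
    // (and the tag's cookies be cleared) for a withdrawal to take full effect.
    const needsReload = this.tags.some(
      (t) => withdrawn.includes(t.category) && this.loaded.has(t.name));
    return { needsReload };
  }

  // Load every registered tag whose category is granted and that has not run yet.
  flush() {
    for (const t of this.tags) {
      if (!this.granted.has(t.category) || this.loaded.has(t.name)) continue;
      this.loaded.add(t.name);
      this.loadScript(t.src);
    }
  }
}
```

The `log` array here lives in memory only; for audit purposes each record would be sent to and stored by the server.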
Real Case: A Travel Portal's Consent-Centric Strategy
A travel booking platform relied heavily on Google Analytics and Facebook Ads for user insights and remarketing. With PDPA enforcement looming, their setup raised red flags:
- Tracking scripts loaded by default
- No real opt-out for cookies
- Users had no visibility on data-sharing with Facebook
What They Did:
- Replaced their cookie banner with a pre-consent screen
- Deferred analytics and advertising scripts until consent was granted
- Updated the Privacy Policy to include third-party data processors and purposes
- Provided a real-time toggle in the footer to manage cookie settings
The Results:
- User opt-in rate for analytics stabilized at 68%
- Advertising ROAS remained steady, thanks to quality opt-ins
- Trust scores improved in customer feedback surveys
- Legal team confirmed PDPA compliance
This balance between privacy and performance allowed them to continue scaling their digital marketing—without legal risk.
Tools to Help You Stay Compliant
- Cookiebot or OneTrust: Consent management platforms
- Google Consent Mode: Enables conditional script loading based on consent
- Tag Manager Custom Triggers: Load analytics only after opt-in
- Custom scripts: For minimal, flexible cookie implementation
UX Tips for Consent Banners
- Use high-contrast buttons (don’t make “Reject” a hidden link)
- Ensure it’s mobile-friendly and non-intrusive
- Provide a clear, one-sentence explanation for each cookie type
- Allow easy customization without forcing a full rejection
Conclusion:
PDPA doesn’t block analytics or retargeting—it just demands that you ask first. With the right technical setup and honest, user-centric messaging, you can continue to gain insights, run effective campaigns, and stay fully compliant.
Privacy and performance are not mutually exclusive. Done right, respecting your users’ choices can lead to better data, stronger trust, and more sustainable marketing.



