What Is the PDPA?

Thailand's data protection legislation, known as the Personal Data Protection Act B.E. 2562 (2019) (PDPA), took effect on June 1, 2022 after multiple enforcement delays during the COVID-19 pandemic. As Thailand's first comprehensive data protection law, the PDPA establishes a consent-centric framework for how organizations collect, use, disclose, and transfer personal data, enforced by the Personal Data Protection Committee (PDPC).

The PDPA altered the rules for organizations that use clickwrap agreements with users in Thailand. Distinctive to the law are criminal penalties of up to one year imprisonment for unauthorized processing of sensitive personal data, punitive damages of up to twice the actual damages under Section 77, and a Section 19 requirement that withdrawing consent be as easy as giving it.

Who Does PDPA Apply To?

The PDPA applies to any data controller or data processor that collects, uses, or discloses personal data of individuals in Thailand, regardless of whether the processing takes place inside or outside the country. The law has explicit extraterritorial reach.

PDPA is applicable when an organization:

  • Processes personal data of individuals located in Thailand.
  • Offers goods or services to data subjects in Thailand, whether or not payment is required.
  • Monitors the behavior of data subjects taking place in Thailand.

Limited exemptions exist for personal or household activities, public authorities acting under specific laws, media activities under professional ethics, parliamentary and judicial proceedings, and credit bureaus operating under dedicated legislation. The law covers all natural persons' personal data and does not apply to legal entities. There is no small-business exemption.

PDPA and Clickwrap Agreements

PDPA imposes specific requirements on how consent is collected through clickwrap agreements. Sections 19 through 26 establish the conditions under which consent is valid, the heightened requirements for sensitive data, and the disclosures that must accompany every clickwrap consent action. Each carries direct implications for clickwrap design, disclosure, and recordkeeping.

How PDPA Affects Clickwrap Design

Section 19 defines consent as a freely given, specific, informed, and unambiguous indication of the data subject's wishes. This four-part test governs the design of every clickwrap interface targeting Thai users, from how options are presented to what information accompanies the consent action.

Granular consent is a statutory requirement. Section 19 requires that consent be freely given and that, where consent is requested in connection with a contract, the necessity of the consent for performance of the contract be taken into account. A clickwrap that bundles terms-of-service acceptance with marketing consent, analytics consent, and third-party sharing consent under a single "I agree" action undermines this requirement. Each purpose must have its own distinct consent mechanism.

Sensitive data demands explicit consent. Section 26 prohibits collecting personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, and biometric data without explicit consent, which under the PDPC's interpretive guidance means an elevated standard beyond a general checkbox. Separate consent screens, affirmative text acknowledgments, or multi-step confirmation flows are typical for sensitive data collection.

Withdrawal must be as easy as giving consent. Section 19 requires that the withdrawal of consent be as easy as giving it, and provides that withdrawal does not affect the lawfulness of processing carried out before the withdrawal. If a single click captured consent, a single click must be sufficient to revoke it. Clickwrap platforms that require users to send emails, call support lines, or navigate buried settings pages to withdraw consent are non-compliant. Where withdrawal will affect the data subject, the data controller must inform the data subject of those consequences.

Silence, pre-ticked checkboxes, and continued use of a service without affirmative action do not satisfy the PDPA's unambiguous consent standard. Every consent element in a clickwrap flow must begin in a neutral, unchecked state.

What Must Be Shown Under PDPA

Section 23 requires data controllers to inform data subjects of specified matters before or at the time of data collection. For clickwrap interfaces, the following disclosures must be presented before any consent action:

  • The personal data being collected and the specific purpose for each category of data.
  • The identity and contact details of the data controller, including the Data Protection Officer where one is appointed.
  • The retention period, or the criteria used to determine how long data will be kept.
  • The categories of persons or entities to whom data may be disclosed.
  • Whether data will be transferred to a foreign country, the destination country, and the adequacy of its data protection standards.
  • The data subject's rights under Sections 30 to 37 (access, copy, source disclosure, objection, erasure, and restriction of processing).
  • The consequences of refusing to provide personal data, where collection is a contractual or legal requirement.

The PDPC has indicated that transparency and accessibility are paramount. Best practice for clickwrap implementation is a layered disclosure model: a clear, plain-language summary of each processing purpose presented alongside the consent mechanism, with a link to the complete privacy notice for full detail.

What Records You Must Keep Under PDPA

Section 39 requires data controllers to maintain records of processing activities and make them available to the PDPC on request. The consent dimension is central: if processing is based on consent, the controller must prove that valid consent was obtained.

A compliant clickwrap consent record under the PDPA must capture:

  • Subject identity - Name, email, user ID, or another verifiable identifier.
  • Action timestamp - The exact date and time of each consent or withdrawal event.
  • Specific purposes - Each processing purpose the data subject consented to, captured individually.
  • Disclosure presented - The Section 23 disclosure shown at the time of consent.
  • Terms version - The version of the privacy notice or terms in effect at the moment of consent.
  • Consent mechanism - A record of the specific interface element (checkbox, button, confirmation screen) and the state of each element at submission.
  • Withdrawal log - The date, scope, and any communication about consequences of withdrawal under Section 19.

Section 19 provides that withdrawal does not affect the lawfulness of processing carried out before the withdrawal, but continued processing after withdrawal constitutes a violation. The PDPA does not specify a minimum retention period for consent records, but enforcement may be initiated within the applicable limitation period. Records should be retained for the duration of the data subject relationship plus a buffer sufficient to respond to regulatory inquiries or civil claims under Section 77's punitive damages provisions.
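As an added illustration, not text from the PDPA or code from any particular clickwrap platform, the following Python sketch models a consent ledger whose records carry the fields listed above: one event per purpose, rejection of pre-ticked elements, a withdrawal event that stores the consequences notice, and a lawfulness check that applies the Section 19 rule that withdrawal does not affect processing carried out before it. Subject ids, purpose names, versions and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
# Added example, not PDPA text: ids, purposes and timestamps below are constructed values.
@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                      # one processing purpose per event (granular consent)
    granted: bool                     # True = consent given, False = consent withdrawn
    at: datetime
    terms_version: str                # privacy notice / terms version in effect
    mechanism: str                    # interface element and its state at submission
    disclosure_id: Optional[str] = None        # Section 23 disclosure shown (consents)
    consequences_notice: Optional[str] = None  # consequences told to the subject (withdrawals)

class ConsentLedger:
    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def record_submission(self, subject_id: str, elements: dict[str, tuple[bool, bool]],
                          at: datetime, terms_version: str, disclosure_id: str) -> list[str]:
        """`elements` maps each purpose checkbox to (initial state, state at submission).
        Pre-ticked boxes are rejected; only boxes the subject ticked yield a consent event."""
        pre_ticked = [p for p, (initial, _) in elements.items() if initial]
        if pre_ticked:
            raise ValueError(f"consent elements must start unchecked: {pre_ticked}")
        granted = []
        for purpose, (_, ticked) in elements.items():
            if ticked:
                self.events.append(ConsentEvent(subject_id, purpose, True, at, terms_version,
                                                f"checkbox:{purpose}=checked", disclosure_id))
                granted.append(purpose)
        return granted

    def withdraw(self, subject_id: str, purpose: str, at: datetime,
                 terms_version: str, consequences_notice: str) -> None:
        """Single-click withdrawal, stored with the consequences notice shown to the subject."""
        self.events.append(ConsentEvent(subject_id, purpose, False, at, terms_version,
                                        f"button:withdraw:{purpose}",
                                        consequences_notice=consequences_notice))

    def is_lawful(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Lawful only if the latest event for this subject/purpose at or before `at` is a
        grant; a later withdrawal does not retroactively affect earlier processing."""
        relevant = [e for e in self.events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return False
        latest = max(enumerate(relevant), key=lambda p: (p[1].at, p[0]))[1]  # last on ties
        return latest.granted
```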

PDPA Thailand and Clickwrap Agreements

Key Provisions of PDPA Thailand

Consent Requirement

Data controllers must obtain consent from data subjects before or at the time of collecting personal data. Consent must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes.

Explicit Consent for Sensitive Data

Section 26 prohibits collecting personal data pertaining to racial or ethnic origin, political opinions, cult, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, trade union information, genetic data, and biometric data without the explicit consent of the data subject.

Equal Ease of Withdrawal

Data subjects must be able to withdraw consent as easily as they gave it. The data controller must inform the data subject of the consequences of withdrawal before it takes effect.

Purpose Specification

Personal data must be collected for specified, explicit, and legitimate purposes. Data controllers cannot use personal data for purposes other than those stated at the time of collection without obtaining new consent.

Data Subject Rights

Data subjects have the right to access, rectify, erase, restrict processing, and port their personal data. They also have the right to object to processing based on legitimate interest or direct marketing.

Cross-Border Transfer Restrictions

Personal data may only be transferred to a foreign country if the destination country has adequate data protection standards, unless an exception applies such as the data subject's explicit consent or contractual necessity.

Data Protection Officer

Data controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive data, must appoint a Data Protection Officer.

Data Breach Notification

Data controllers must notify the Office of the Personal Data Protection Committee within 72 hours of becoming aware of a personal data breach. If the breach is likely to result in high risk to data subjects, they must be notified without delay.

Penalties for PDPA Thailand Non-Compliance

Administrative Penalties: up to THB 5 million (approximately USD 140,000)

The Expert Committee may order administrative fines of up to THB 5 million for violations of the PDPA, including failure to obtain proper consent, inadequate data breach notification, or non-compliance with data subject rights requests.

Criminal Penalties: up to THB 1 million fine and/or up to 1 year imprisonment

Certain violations carry criminal liability, including unauthorized use or disclosure of sensitive personal data by data controllers or processors. Officers of a company may be personally liable if the violation occurred with their consent or negligence.

Civil Liability with Punitive Damages: actual damages plus punitive damages of up to twice the actual damages

Data subjects may file civil lawsuits for compensation. Courts may award punitive damages of up to two times the actual damages where the violation was intentional or resulted from gross negligence, creating significant financial exposure for organizations with inadequate consent mechanisms.

Frequently Asked Questions

While heavily inspired by the GDPR, the Thai PDPA has notable differences. It includes criminal penalties for certain violations (the GDPR does not), has a broader definition of sensitive data that includes trade union membership data treated as sensitive by default, and its enforcement framework involves multiple bodies: the Personal Data Protection Committee, an Expert Committee for penalties, and a dedicated Office. For clickwrap purposes, the key practical difference is the explicit statutory requirement that consent withdrawal must be as easy as giving consent.

Yes. The PDPA requires that consent be specific to each purpose. A single clickwrap checkbox that bundles terms of service acceptance with consent for data processing, marketing, and analytics would not meet the specificity requirement. Best practice is to implement granular consent options: one for core service operation, another for marketing communications, and separate consent for any analytics or profiling activities.

Yes. The PDPA applies to personal data collected before June 1, 2022, meaning organizations must either obtain fresh consent or identify another lawful basis for continued processing of pre-existing data. For clickwrap platforms, this means retroactive consent campaigns may be necessary, requiring users to review and accept updated data processing terms that comply with PDPA requirements.

This entry is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for guidance specific to your situation.