

Cookie consent in Malaysia

Consent and privacy law in Malaysia

In short
Malaysia's PDPA 2010 is enforced by the Personal Data Protection Department under the relevant ministry. A distinctive limitation historically was that it applied only to commercial transactions and did not cover the federal or state governments. Significant 2024 amendments modernised the law, introducing mandatory breach notification, a requirement to appoint a data protection officer, the right to data portability, and stronger transfer rules, with provisions phasing in from 2025. Consent is a key basis and must be recorded, and notices should be in the national language and English. The amendments also increased penalties. Cookies that identify users are personal data subject to the Act.

Status

Personal Data Protection Act 2010, with significant 2024 amendments phasing in

Primary law

PDPA MY

Languages

ms, en

Who must comply

Persons who process or control personal data in respect of commercial transactions in Malaysia.

Penalties

Fines and imprisonment under the Act, increased by the 2024 amendments

Key obligations

  • Obtain consent for processing in commercial transactions
  • Get explicit consent for sensitive personal data
  • Provide a written notice of purpose in English and Malay
  • Honour access and correction requests
  • Notify breaches and appoint a data protection officer under the amendments

Local guidance

  • Note the PDPA covers commercial transactions, not government
  • Prepare for breach notification and DPO duties from the 2024 amendments
  • Provide notices in Malay and English
  • Record consent and honour withdrawal

How ConsentX helps

  • Consent capture for commercial processing
  • Explicit opt-in for sensitive categories
  • Bilingual notice support in the banner
  • Access and correction request workflow
  • Region rule engine tuned for Malaysia

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with Malaysia's PDPA using ConsentX

  1. Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Malaysian law.

  2. Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor's region and automatically shows the consent experience that Malaysia requires.

  3. Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a Malaysian audit.

  5. Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Does Malaysia's PDPA cover the government?

No. The PDPA applies to personal data processed in commercial transactions and historically does not cover the federal or state governments, which is a notable scope limitation.

What did Malaysia's 2024 amendments add?

The 2024 amendments added mandatory breach notification, a duty to appoint a data protection officer, data portability rights, stronger transfer rules, and higher penalties, phasing in from 2025.