DPDPA is now in force in India. Run a free privacy scan on your site. Scan now

🇹🇭 Asia-Pacific

Cookie consent in ประเทศไทย

Consent and privacy law in ประเทศไทย

In short
Thailand's PDPA, fully in force since June 2022, is heavily modelled on the GDPR and enforced by Thailand's Personal Data Protection Committee. It requires a lawful basis for processing and treats consent as one of several bases, but consent requests must be clearly separated from other terms and easy to withdraw. A notable feature is that the law carries not only administrative fines up to 5 million baht but also potential criminal penalties and civil damages, including punitive damages, which raises the stakes. Privacy notices in Thai are expected. Sensitive data requires explicit consent. Cookies that identify users are personal data and generally need consent for non-essential purposes.
Authority
Personal Data Protection Committee (PDPC Thailand)
Status

Personal Data Protection Act fully in force since June 2022

Primary law
PDPA TH
Languages

th

Who must comply

Data controllers and processors that collect, use or disclose personal data of individuals in Thailand, including those based abroad offering goods or services to people in Thailand.

Penalties

Administrative fines up to 5 million baht, plus possible criminal and civil liability

Key obligations

  • Obtain explicit prior consent for non-essential processing
  • Provide a clear privacy notice before collection
  • Honor access, rectification, erasure and objection rights
  • Appoint a data protection officer where required
  • Report data breaches to the office within the required timeframe

Local guidance

  • Separate consent requests from other terms
  • Obtain explicit consent for sensitive data
  • Provide notices in Thai
  • Account for criminal and civil exposure, not just fines

How ConsentX helps

  • Prior-script blocking for true opt-in
  • Geo-aware banner for Thai visitors
  • Separate consent capture for sensitive data
  • Rights request workflow with evidence
  • Region rule engine tuned for Thailand
Get started free
yoursite.com
🇹🇭 Thailand

We value your privacy

We ask for your consent before any non-essential cookie, with the rules that apply in your region.

Allow allReject non-essentialManage preferences

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply with Thailand using ConsentX

  1. 1

    Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Thailand.

  2. 2

    Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor region and shows the consent experience that Thailand requires, automatically.

  3. 3

    Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. 4

    Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in a Thailand audit.

  5. 5

    Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Can Thailand's PDPA lead to criminal penalties?+

Yes. Beyond administrative fines up to 5 million baht, the Thai PDPA carries potential criminal penalties and civil damages, including punitive damages, which makes compliance especially important.

Is Thailand's PDPA like the GDPR?+

Yes. The Thai PDPA is heavily modelled on the GDPR, with similar lawful bases, data subject rights, and a requirement for clear and withdrawable consent.

Governing law

🇹🇭 PDPA TH

Other countries in Asia-Pacific

🇮🇳 भारत🇸🇬 Singapore🇨🇳 中国🇯🇵 日本🇰🇷 대한민국🇦🇺 Australia🇳🇿 New Zealand / Aotearoa🇮🇩 Indonesia🇻🇳 Việt Nam🇲🇾 Malaysia🇵🇭 Pilipinas