What is the PDPA? Perhaps the Most Important Law Governing Digital Marketing

There has been much public discussion about the importance of data privacy and protection since news broke that Facebook, a massive social media platform, was fined heavily for failing to protect its users’ data. Similarly, several other major companies have been sued for infringements after using and selling insights gathered from user data without their users’ permission. 

As data is priceless in this ‘big data’ era, countries worldwide have started to release laws or statutes to protect their citizens’ personal data and information, and prevent violations of privacy rights. In addition, remedial measures for those whose information has been used without their consent have also been implemented. 

In Thailand, the ‘Personal Data Protection Act’ or ‘PDPA’ was announced in May 2019 and was expected to be fully enforced by May 2020. However, a one-year extension was given to 22 institutions, meaning that this much-needed law will now be fully enforced by the end of May 2021. 

This article will explain Thailand’s PDPA, what it is, and the details that digital marketing agencies need to know and understand thoroughly.

What is the PDPA?

The Personal Data Protection Act 2019 was published in the Royal Thai Government Gazette on May 27, 2019 (in part), and enforcement began on May 27, 2020, save for the 22 institutions that will be included by the end of May 2021. Most countries, including regional neighbours Malaysia and Singapore, have similar laws.

Violation of the PDPA carries an array of penalties, many of which are more severe than those for comparable violations in other countries. Here are some of the penalties that are enforced in other countries:

  • Penalties under the EU’s GDPR can be as high as 20 million euros (approximately THB 6.9 hundred million*) or 4% of a business’s total yearly income, whichever amount is higher.
  • Penalties under Singapore’s PDPA can be up to S$ 1 million (approximately THB 22.5 million*)
  • Penalties under Malaysia’s PDPA are a maximum of 500,000 Ringgit (approximately THB 3.6 million*)

*FX rate as of 20th May, 2020

Comparatively, the penalties under Thailand’s PDPA laws are more severe and are divided into three liability tiers:

  • Criminal liability – imprisonment for up to 1 year and/or fines of up to THB 1 million
  • Civil liability – fines of up to 2 times the actual compensation
  • Administrative liability – fines ranging from THB 500,000 – THB 5 million

Who Does the PDPA Apply to?

All citizens and residents of Thailand should know at least the foundations of the PDPA, as it is their data that the law protects. That said, there are three types of company that need to know and understand the law thoroughly. They are:

  • Organisations that collect, process, or control personal data, such as stores with customer lists in Excel files or large organisations, like shipping companies or telephone networks, with massive databases of customer data. These are known as “Data Controllers” under the PDPA.
  • Organisations that, in the course of acting on behalf of a public agency, control personal data through collection, use, or disclosure. These are known as “Data Processors” under the PDPA.
  • Organisations that offer goods or services to data subjects within the territory of Thailand, including organisations that transfer information such as consumer behaviour, online targeting for advertising, or online reservations through a website.

What Should a Marketer Know about PDPA?

There are various legal details of the PDPA that marketers should know. Here is a breakdown of what constitutes “personal data” and what the rights of each personal data subject are:

Basic Information

  • ID card number, name, surname
  • Phone number, email address
  • Work history, photos
  • Age (If the data owner is a child, parents must give consent on their behalf)

Sensitive information (More stringent controls)

  • Ethnicity, Race
  • Political opinions (such as the use of social listening around political issues)
  • Religious or philosophical beliefs (such as employee ordination records)
  • Sexual behaviour
  • Criminal record
  • Disability, health information
  • Union information
  • Genetic information, biometrics, health information (e.g. medical certificates)
  • Any other information that affects the personal data subject

The rights of the personal data subject

  • Right to be informed
  • Right of access to personal information
  • Right to data portability
  • Right to object
  • Right to erasure
  • Right to rectify

How to Collect and Process Users’ Data Legally

Companies must first obtain explicit consent from the individual to legally use personal data in various marketing activities, such as collection or disclosure. Companies also need to inform each personal data subject about the purpose of collection and must delete that data after a period of time or after the individual has requested that it be erased.

Getting consent 

  1. Collect data on paper or through an online system
  2. Convey details that can be easily read and understood
  3. Do not mislead
  4. Separate from other conditions

Withdrawal of consent

  1. Data subjects may request cancellation at any time
  2. Companies must ensure withdrawing consent is as easy as giving consent
  3. Data subjects must be informed of the impact

What’s Next After You Understand the PDPA?

If you are a marketer or a business owner involved in information and data collection, it is prudent to make sure you thoroughly understand the PDPA; otherwise you could face severe jail time or a heavy fine. Understanding the PDPA will help you to work more succinctly and avoid the risk of mistakenly violating the law.

However, no matter what your business’s purposes are for data collection, you still need to be fully transparent with your personal data subjects. 

Information from: techsauce.co; www.scb.co.th; brandinside.asia; techtalkthai.com