Thailand's Personal Data Protection Act (PDPA) was passed in 2019 but only became fully enforceable on 1 June 2022 after two pandemic-driven delays. The Personal Data Protection Committee (PDPC) spent the first stretch on awareness, then switched to active enforcement. In August 2025 it issued fines totalling THB 21.5 million across five cases, mostly for security failures and unreported breaches. Cookie consent is squarely inside the regime it now enforces.
This guide covers how the PDPA treats cookies, the consent standard the PDPC expects, what you have to record, and what it costs to get wrong.
The law and the regulator
The PDPA is Thailand's first general data protection law, modelled closely on the GDPR. It's overseen by the PDPC, the committee that issues subordinate regulations and guidance and handles enforcement through its office. The Act applies to data controllers and processors in Thailand, and to those outside the country who offer goods or services to people in Thailand or monitor their behaviour, which pulls in foreign websites that track Thai visitors.
Cookies need explicit, granular consent
Under the PDPA, cookies that collect personal data are lawful only with a proper legal basis, and for analytics, advertising and other non-essential cookies that basis is consent. The consent standard is strict:
- Explicit and affirmative. The person has to take a clear action. Implied consent, such as continuing to browse after seeing a banner, is not valid.
- Freely given. You can't block access to the site if someone declines non-essential cookies, and you can't make consent a condition of service where it isn't necessary.
- Granular. Consent has to be specific to a purpose. Bundling cookie consent into general terms and conditions doesn't work, and one "accept everything" button isn't enough on its own.
- Informed. You have to tell people what you're collecting and why before they decide.
Strictly necessary cookies still need a notice
Cookies that are genuinely essential to deliver a service the user asked for don't need prior consent, but the PDPA still expects transparency. Tell visitors these cookies exist and what they do in your cookie or privacy notice. The exemption is narrow: session, security and load-balancing cookies qualify, analytics and advertising do not.
Proof of consent you have to keep
- A timestamp for each consent. The PDPA expects you to show when consent was given, alongside a record of what the visitor actually chose.
- The specific choices the visitor made. Which categories they accepted and which they declined.
- The version of the notice shown. The privacy or cookie notice text that was on screen at the moment of consent.
- A record of withdrawal. Withdrawing consent has to be as easy as giving it, and you should log when it happens.
Consent isn't the only legal basis, but it's the safe one for cookies
The PDPA lists several lawful bases besides consent, including contractual necessity, legal obligation and legitimate interest. Some sites try to lean on legitimate interest for analytics. The trouble is that the PDPC hasn't given the kind of detailed legitimate-interest guidance that would make that safe for tracking, and the balancing test cuts against you when the processing builds behavioural profiles. For advertising and cross-site measurement cookies, consent remains the defensible route. Reserve legitimate interest and contractual necessity for genuinely operational data, such as fraud prevention or fulfilling an order.
The Act also gives Thai data subjects rights that reach your cookie data: the right to access what you hold, to have it corrected or erased, to object to processing, and to withdraw consent at any time. A preferences panel that lets people change their cookie choices after the fact is how you meet the withdrawal and objection rights in practice.
Cross-border transfers
The PDPA restricts sending personal data outside Thailand unless the destination has adequate protection or you rely on a listed safeguard, such as appropriate contractual measures or the data subject's informed consent. Most cookie-based advertising and analytics tools send data to servers abroad, so if you gather consent for those cookies, be clear in your notice that data may be transferred internationally.
Penalties
The PDPA carries administrative fines of up to THB 5 million per violation, and the most serious offences can also attract criminal liability, including imprisonment and additional fines, plus civil compensation to affected individuals. Certain controllers also have to appoint a Data Protection Officer, and companies with a large Thai user base often designate one to handle requests and breach reporting. The August 2025 round of fines shows the PDPC is willing to act, and its early cases have centred on missing legal bases and poor security rather than technical paperwork.
Where CookieBeam fits
CookieBeam's regional rules let you apply an explicit opt-in flow to visitors from Thailand while other regions keep their own behaviour. Non-essential tags stay blocked until the visitor agrees, and per-purpose consent logging captures which categories were accepted and when, so you have the timestamped record the PDPA expects. You set the categories and the region rule; the banner enforces the block.
Related guides
Thailand's PDPA is one of several GDPR-style opt-in laws across Asia. Compare it with Singapore's PDPA, South Korea's PIPA, and Japan's APPI. For the full picture, see cookie consent laws around the world and running one banner across a global audience.
Primary sources: Personal Data Protection Committee (Thailand), pdpc.or.th; Personal Data Protection Act B.E. 2562 (2019); PDPC enforcement announcements, 2025.