What is PDPA?

The PDPA is considered the first Thai law designed to map data protection in the digital age and is comparable to the European General Data Protection Regulation (GDPR). Key aspects of the PDPA include data processing, data collection, data storage, and data consent protocols. The law requires all data controllers and processors who use personal data to obtain consent from data owners and to use that data only for the expressed purposes. Thailand’s first consolidated law to govern data protection became fully enforceable on June 1st 2022.

Where does the PDPA apply?

The PDPA applies to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed under Thai law or whether they are resident in Thailand. This extraterritorial scope of the PDPA represents a significant expansion of Thailand’s data protection obligations to cover all processing activities relating to Thailand-based data subjects.


What are possible reasons for a penalty under PDPA?

Some common reasons for a penalty include:
- Processing Personal Data Without Consent.
  Example: Collecting customer email addresses for marketing purposes without consent having been given.
- Inadequate Data Security Measures.
  Example: Data breaches caused by poor encryption, lack of firewalls, or weak password policies.
- Failure to Notify Data Breaches.
  Example: Not informing the Office of the Personal Data Protection Committee (PDPC) and affected individuals promptly after discovering a data breach.
- Non-Compliance with Data Subject Rights.
  Example: A customer asks to delete their data, but the company fails to act within the legally required timeframe.
- Misusing or Over-Processing Data.
  Example: Sharing customer data with third parties for analytics or advertising without informing the customer.

Who is liable for PDPA penalties?

All organizations and businesses that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognized under Thai law, and whether they are residents or have a business presence in Thailand.


What are the penalties?

The PDPA imposes punishment for non-compliance of up to THB 5 million in administrative fines and up to THB 1 million in criminal fines. Criminal penalties can also include imprisonment of up to 1 year for severe violations.


Frequently Asked Questions

How do I obtain consent from individuals under the PDPA?

Obtaining consent under Thailand’s Personal Data Protection Act (PDPA) requires clear, informed, and voluntary agreement from individuals to collect, use, or disclose their personal data.

This includes, but is not limited to:
- Make giving consent explicit, clear, and unambiguous.
- Inform users by providing clear and detailed information on how their data is used, stored, and handled.
- Specify separate purposes. If data is being collected for multiple purposes (e.g., marketing and analytics), ask for separate consent for each purpose.
- Keep records of consent.
- Allow for easy consent withdrawal.

What is the difference between GDPR and PDPA?

GDPR applies across the EU and to any company processing EU residents’ data, while PDPA applies in Thailand and to organizations dealing with Thai residents' data, particularly when offering services or monitoring behavior. Although PDPA is heavily inspired by GDPR, it is tailored to Thailand’s legal and cultural environment, with less focus on certain areas like data portability and breach notification timelines. Businesses operating in both regions should align with the nuances of each law for compliance.

How to make my business compliant with the PDPA?

To ensure PDPA compliance for your business, start by implementing clear data protection policies and procedures. One of the easiest ways to simplify compliance is by using a Consent Management Platform (CMP) like Consentmo, which is created specifically for Shopify stores. Our app helps you manage cookie consent, data requests, and user rights, helping your store meet PDPA requirements without hassle.

I need more info on PDPA.

Make sure to check out our detailed blog post covering all the important points.