Malaysia PDPA 2024 Amendment Cookie Consent Compliance Guide for Publishers in 2026

Malaysia's Personal Data Protection Act 2010 was, when it took effect in 2013, one of the earlier comprehensive privacy statutes in Southeast Asia. For its first decade the operational standard was relatively light: the Personal Data Protection Department (JPDP, now PDP) ran an active registration regime for data users in seven covered classes of activity, but enforcement against general online operators was modest and the consent standard was widely interpreted as permissive. The 2024 Amendment Act, which received Royal Assent in October 2024 and entered into force in stages through 2025, changed that posture substantially. The amendment introduced mandatory Data Protection Officers for controllers above thresholds, mandatory breach notification within 72 hours, the right to data portability, a renamed regulator with sharper enforcement authority, and reaffirmed cross-border transfer requirements that had been ambiguously implemented under the original Act. For publishers and SaaS operators serving Malaysian traffic — a market that includes one of the most active fintech and digital economy ecosystems in ASEAN — the amended PDPA represents a meaningful operational shift. This guide walks through what changed in 2024, how the PDP has interpreted the amended consent standard for online tracking, and where the practical compliance work needs to focus.

The PDPA in 2026 — Post-Amendment Outline

The amended PDPA continues to be structured around seven principles in Section 5: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access. The Notice and Choice Principle in Section 7 is the most consequential for cookie consent, requiring data users to provide written notice in both English and Bahasa Malaysia and to obtain consent (or rely on an alternative ground in Section 6) before processing.

Three structural changes from the 2024 amendment matter operationally for online publishers. First, the renamed Personal Data Protection Department now has explicit authority to impose administrative penalties tied to a percentage of annual revenue, replacing the older flat-fine regime. Second, mandatory DPO designation under Section 12A applies to controllers above defined thresholds — most ad-supported publishers and SaaS operators cross those thresholds. Third, the new Section 12B requires breach notification to the PDP within 72 hours of awareness, with notification to affected data subjects required when significant harm is likely.

How the Amended PDPA Treats Cookies and Online Tracking

The PDPA does not contain a cookie-specific provision. The consent and information obligations flow from Sections 5, 6, and 7 of the Act and from the PDP's 2025 Public Consultation Paper on Online Tracking, which articulated the regulator's post-amendment expectations for cookie banners and behavioral advertising. Four points have the most operational impact.

Affirmative consent for non-essential tracking

The 2025 Consultation Paper rejected implied consent, continued use, and pre-ticked boxes as failing the Notice and Choice Principle when interpreted in the online context. An explicit affirmative action is required for non-essential cookies, aligning Malaysian practice with the EDPB Cookie Banner Taskforce position.

Bilingual notice requirement

Section 7(3) requires the privacy notice and consent mechanism to be available in both English and Bahasa Malaysia. This was a feature of the original Act that the amendment reaffirmed; the PDP has been increasingly explicit that single-language English banners do not satisfy the requirement for audiences serving Malaysian residents.

Granular category controls

The Consultation Paper expects banners to allow the user to accept and reject categories independently. Single-button accept-all without granularity is treated as a defect under the proportionality reading of Section 5(c) (collection should not be "excessive").

Cross-border transfer (Section 129)

The original PDPA's Section 129 required cross-border transfers to be to a recipient in a "whitelisted" country (a list the Minister was supposed to maintain but never effectively published). The 2024 amendment replaces this with a more workable framework: transfers may proceed to jurisdictions with comparable protection, or under appropriate contractual safeguards, or with explicit consent. The PDP has issued model contractual clauses similar to the EU SCCs.

The PDP's Enforcement Posture in 2026

The Personal Data Protection Department's post-amendment posture differs from its pre-amendment approach in three observable ways.

Active sectoral sweeps

The PDP has prioritized fintech, e-commerce, and digital lending sectors for proactive sweeps since the amendment took effect. These sweeps typically begin with a registration audit and escalate into a broader inspection if registration is non-current.

Higher-profile fines

The new administrative penalty regime has produced larger and more publicly visible fines than the older flat-fine model. Several telecom and fintech operators received eight-figure ringgit penalties in 2025, which the PDP has used to communicate that the amendment has real teeth.

ASEAN regulatory coordination

The PDP participates in the ASEAN Data Management Framework workstream and coordinates with Singapore's PDPC, Thailand's PDPC, and the Philippines NPC. Cross-border investigations involving Malaysian and other ASEAN traffic are increasingly handled through coordinated procedures.

A Practical Compliance Checklist

Six concrete questions to answer for any cookie banner serving Malaysian traffic.

Where Malaysia Fits in a Multi-Jurisdiction Stack

Malaysia is one of the four most operationally consequential ASEAN data protection regimes alongside Singapore, Thailand, and the Philippines. The 2024 amendment closed most of the gap between the original PDPA and the GDPR, which means that a CMP architecture built to European standards now handles the bulk of Malaysian compliance with three specific additions: bilingual (English + Bahasa Malaysia) banner and notice, PDP registration where covered-class thresholds apply, and the Section 12B breach notification workflow with its 72-hour clock. For publishers building toward pan-ASEAN operations, the post-amendment PDPA is a meaningful template — newer regional laws are likely to draw on its structure — and the operational additions are tractable on top of an already-deployed European-grade consent stack.

← Blog Read All →