Thailand's PDPA in 2026: The Publisher and Advertiser Guide to Cookie Consent, Cross-Border Transfers, and PDPC Enforcement
Thailand's Personal Data Protection Act B.E. 2562 (2019) — known as the PDPA — took full effect in June 2022 after multiple delays, and spent most of the following three years in a phase of regulatory capacity-building, subordinate regulation rollout, and what the Personal Data Protection Committee (PDPC) described publicly as a patient enforcement posture. That posture has now decisively ended. The PDPC's 2024 and 2025 subordinate regulations filled in the specifics the base statute had left open, the Office of the PDPC (the operational regulator) built out its enforcement capacity, and by the opening of 2026 the PDPC has begun issuing administrative fines at meaningful levels — including against foreign platforms processing data of Thai users from abroad. For any publisher, advertiser, or platform processing personal data of individuals in Thailand — whether based in Thailand or serving the Thai market from abroad — 2026 is the year the PDPA stops being a relatively quiet regime and becomes a credible enforcement priority. This guide walks through the PDPA as it stands in 2026, what cookie consent actually requires, how cross-border transfers work after the 2025 transfer regulations, and what the PDPC's early enforcement themes look like in practice.
The Structure of the PDPA in 2026
The PDPA is the primary data protection statute in Thailand, and its structure closely resembles the GDPR. The 2024 and 2025 subordinate regulations added operational detail that was previously missing from the base law.
What the Subordinate Regulations Added
Through 2024 and 2025, the PDPC issued subordinate regulations covering: cross-border data transfer mechanisms, appointment and duties of Data Protection Officers, data breach notification procedures, record-of-processing requirements, data subject rights workflow timelines, and specific consent standards for sensitive personal data. These regulations collectively moved the PDPA from a general framework into an operational regime comparable to the GDPR in specificity.
Who Is Regulated
The PDPA applies to most data controllers and processors, with extraterritorial reach for foreign organizations that process personal data of individuals in Thailand in connection with offering goods or services or monitoring behavior. Foreign publishers serving Thai users through localized sites or programmatic inventory bought against Thai IPs are typically in scope, and the PDPC has invoked the extraterritorial provision in early enforcement letters.
Administrative and Criminal Sanctions
The PDPA provides for administrative fines up to THB 5 million per violation, alongside criminal penalties for the most serious breaches including imprisonment for directors in specific circumstances. The administrative fine ceiling is lower than the GDPR in absolute terms, but the PDPC's escalating enforcement posture and the availability of criminal liability make the effective risk significant.
What Counts as Personal Data Under the PDPA
The PDPA's personal data definition closely tracks the GDPR. Personal data is information relating to an identified or identifiable person, and the PDPC has consistently treated cookies, advertising identifiers, IP addresses, device fingerprints, and behavioral profiles as personal data when they can be tied to an individual directly or by combination with other information.
Sensitive Personal Data
The PDPA designates a broad sensitive category including: racial or ethnic origin, political opinion, religious or philosophical belief, sexual behavior, criminal record, health data, disability, trade union membership, genetic data, and biometric data. Processing sensitive personal data requires explicit consent and triggers additional controller obligations.
Why This Matters for Cookies
A cookie that stores a routine identifier is ordinary personal data. A cookie that feeds an audience segment touching the PDPA sensitive list — health interests, religious affiliation, political leanings — is sensitive personal data processing and requires explicit consent rather than the general advertising consent. Thai-language audience targeting that overlaps the sensitive list should be audited specifically against this boundary.
Cookie Consent Under the PDPA in 2026
The PDPA permits multiple lawful bases for processing, but for cookies and similar technologies that are not strictly necessary for service delivery, the PDPC's guidance and early enforcement have converged on consent as the practical baseline.
The Elements of Valid Consent
Consent under the PDPA must be:
- Freely given — without coercion or bundling with essential service provision
- Informed — the data subject understands what data is processed, by whom, and for what purpose
- Specific — tied to clearly identified purposes rather than umbrella consent
- Unambiguous — expressed through a clear affirmative act, not inferred from inactivity
- Explicit in cases involving sensitive personal data, with separate and specific consent for the sensitive processing
What a Compliant CMP Looks Like
A CMP configured for Thai traffic in 2026 should present:
- A visible banner before any non-essential cookie or tracker fires, in Thai (ภาษาไทย) by default for Thai users
- Equal visual prominence for ยอมรับ (Accept), ปฏิเสธ (Reject), and ตั้งค่า (Settings) — the PDPC has criticized banner designs where the Reject action is visually de-emphasized
- Granular toggles per purpose: analytics, advertising, personalization, cross-border transfer, and any sensitive-category processing
- A separate, clearly-labelled flow for sensitive personal data processing, gated behind its own action
- A persistent, easily-found mechanism to withdraw consent after the initial choice
- A Thai-language privacy notice with full disclosures of controller, processors, purposes, recipients, retention, and rights
Consent Records
Controllers must maintain evidence of consent — who consented, when, to what purpose, and through which interface. Inadequate consent records have been cited in several PDPC enforcement letters in 2025, and exportable timestamped logs are the baseline expectation.
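The banner and record-keeping requirements above can be expressed as a default-deny tag gate backed by an append-only consent log. This is an added example, not code from the original guide or from any CMP vendor: the purpose names follow the toggles listed earlier, while `recordConsent`, `mayFire`, the tag names and the record field names are hypothetical, and the sample tags are constructed.

```javascript
// Added illustration; function names, tag names and field names are hypothetical.
const PURPOSES = ["analytics", "advertising", "personalization", "cross_border_transfer", "sensitive"];

// Append-only consent log: who, when, which purposes, through which interface.
const consentLog = [];

function recordConsent(subjectId, choices, iface, explicitSensitive = false, now = new Date()) {
  const granted = {};
  for (const p of PURPOSES) {
    // Default deny: only an explicit `true` counts, never inactivity or a missing key.
    granted[p] = choices[p] === true;
  }
  // Sensitive processing needs its own separate action, not a toggle in the general flow.
  if (!explicitSensitive) granted.sensitive = false;
  const entry = Object.freeze({
    subjectId, timestamp: now.toISOString(), interface: iface,
    granted: Object.freeze(granted), explicitSensitive,
  });
  consentLog.push(entry);
  return entry;
}

// The latest record wins, so a withdrawal takes effect on the next tag decision.
function currentConsent(subjectId) {
  for (let i = consentLog.length - 1; i >= 0; i--) {
    if (consentLog[i].subjectId === subjectId) return consentLog[i];
  }
  return null;
}

// A tag declares every purpose it serves; all of them must be granted before it fires.
function mayFire(tag, subjectId) {
  if (tag.strictlyNecessary) return true;
  const c = currentConsent(subjectId);
  return c !== null && tag.purposes.every((p) => c.granted[p] === true);
}

// Exportable, timestamped evidence of consent.
function exportLog() { return JSON.stringify(consentLog, null, 2); }

// Constructed sample tags.
const TAGS = {
  session: { strictlyNecessary: true, purposes: [] },
  adPixelUS: { purposes: ["advertising", "cross_border_transfer"] },
  healthSegment: { purposes: ["advertising", "sensitive"] },
};
```

Withdrawal is recorded as a new entry with no purposes granted rather than by editing an earlier one, which keeps the exported history intact.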
Cross-Border Transfers After the 2025 Regulations
The 2025 transfer regulations were the most consequential recent development for foreign publishers, clarifying the mechanisms available for cross-border data flows.
The Recognized Transfer Mechanisms
The 2025 regulations provide four primary pathways:
- Adequate-protection designation where the PDPC has assessed the destination country as providing adequate protection
- Appropriate safeguards through contractual mechanisms including PDPC-approved standard contractual clauses and binding corporate rules
- Specific exemptions including explicit consent from the data subject with adequate disclosure, contract necessity, vital interest, and substantial public interest
- Certification schemes recognized by the PDPC for specific sectors or activities
The Adequacy List
The PDPC has issued adequacy decisions for a handful of jurisdictions through early 2026. The United States is not on the list, which means transfers to US-based ad-tech and analytics vendors require contractual clauses, certification, or a consent-based exemption.
The Practical 2026 Approach
For most foreign publishers, the working approach is to execute PDPC-approved standard contractual clauses with international processors, document the transfer mechanism in the Thai-language privacy notice, and supplement with consent-based authorization only where the standard mechanism does not cleanly fit.
Data Subject Rights Under the PDPA
The PDPA grants a set of rights closely tracking the GDPR:
- Right of access to personal data held by the controller
- Right of rectification of inaccurate or incomplete data
- Right of erasure
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
- Right not to be subject to automated decision-making producing significant effects
- Right to lodge a complaint with the PDPC
Response Timelines
Controllers must respond to data subject requests within 30 days under the general framework, with shorter windows for specific request types. Operational readiness for this window — with Thai-language tooling and runbooks — is a common gap for foreign publishers tuned to a European cadence.
The DPO Requirement
The 2024 subordinate regulation clarified when a DPO is required. Controllers processing large volumes of personal data, conducting systematic monitoring of data subjects, or processing sensitive personal data at scale must appoint a DPO. Foreign controllers reaching the volume threshold through Thai users are in scope. The DPO's contact information must be accessible in the Thai-language privacy notice.
Penalties and Enforcement Posture in 2026
The PDPC's enforcement activity has escalated meaningfully through 2024 and 2025, and 2026 is on a similar trajectory.
The Administrative Fine Structure
Administrative fines scale by violation type, with maximums of THB 5 million per violation for the most serious breaches. Routine violations — inadequate consent banners, missing privacy notices, failure to respond to data subject requests — typically attract fines in the low hundreds of thousands of THB but can escalate quickly for repeated or aggravated violations.
The Criminal Liability Backstop
Unlike the GDPR, the PDPA provides for criminal liability for the most serious violations, including imprisonment of directors in specific circumstances. The 2024 subordinate regulation clarified the scope of criminal liability, and while it has not been applied against foreign publishers in 2026 to date, the possibility shapes the risk analysis for any organization processing Thai data at scale.
Enforcement Themes
The PDPC's 2025 and early-2026 actions cluster around: ambiguous or absent consent banners, lack of Thai-language privacy notices, cross-border transfers without a valid mechanism under the 2025 regulations, failure to respond to data subject requests within the 30-day window, and missing DPO designations for in-scope controllers. Foreign publishers have been cited in all five categories.
Audit Checklist for Thai Traffic in 2026
- CMP banner is served in Thai with ยอมรับ, ปฏิเสธ, and ตั้งค่า at equal visual prominence
- Consent purposes are granular, with sensitive-category processing separated behind its own consent flow
- Privacy notice is available in Thai with full disclosures of controller, processors, purposes, retention, rights, and DPO contact
- Cross-border transfers rely on PDPC-approved standard contractual clauses, an adequacy designation, BCRs, certification, or a documented exemption
- Consent logs are timestamped, exportable, and retained for the applicable period
- Data subject request workflow can respond within 30 days end-to-end, in Thai
- DPO is designated where required and contact information is published in the privacy notice
- Vendor list has been reviewed for necessity, with unused or redundant vendors removed to reduce the cross-border transfer surface
- Sensitive-category audience segments are gated behind explicit, separately-captured consent
- Breach notification runbook is tuned to the PDPA's breach notification timelines
The 2026 Outlook
Thailand's privacy regime has matured from a base statute with limited operational specificity into a regime with the subordinate regulations, the enforcement capacity, and the political will to be meaningfully enforced. The 2025 cross-border transfer regulations closed the most consequential structural gap, and the PDPC's early enforcement posture is consistent with a serious regulator in the middle of scaling up rather than one that will remain quiet. For publishers already running a GDPR-grade consent stack, the gap to PDPA compliance is operational rather than architectural: Thai-language CMP and privacy notice, PDPC-approved transfer mechanisms, the 30-day response cadence, DPO designation where required, and care with the PDPA's broader sensitive-data list. The gap can be closed in weeks if prioritized — and Thailand is a meaningful Southeast Asian market, so the prioritization typically pays back quickly. The publishers who treated Thailand as a lighter-touch market through 2024 are finding 2026 meaningfully more demanding, and the trend is clear.