The Structure of Vietnamese Data Protection Law in 2026

Vietnam's regime is now a two-layer stack: the PDPD from 2023 and the PDPL from 2026. Both are in force, and publishers need to understand which layer governs which obligation.

The PDPD — Decree 13/2023/ND-CP

The Decree introduced Vietnam's first comprehensive personal data definition, a catalogue of data subject rights, requirements for consent, rules on cross-border data transfers, and the foundational Personal Data Processing Impact Assessment (DPIA) obligation. It remains in force and continues to govern operational detail.

The PDPL — In Force from 2026

The PDPL raises the framework into primary legislation with higher penalties and broader scope. It reinforces the consent-centric model, strengthens rights for data subjects, and expands enforcement powers for the Ministry of Public Security (MPS), which remains the primary regulator. The PDPL also introduces clearer rules for sensitive personal data, automated decision-making, and the processing of minors' data.

Who Is Regulated

The law applies to any processing of Vietnamese personal data, regardless of where the processor is located. A US-based publisher serving Vietnamese users through a localized site or a programmatic buyer bidding on Vietnamese inventory is in scope. This extraterritorial reach mirrors the GDPR pattern and is one of the more aggressive elements of the Vietnamese framework.

What Counts as Personal Data

The Vietnamese definition of personal data is broad and closely tracks the international standard. Personal data is any information that identifies or can identify a specific natural person, and it divides into two categories that matter heavily for cookie consent.

Basic Personal Data

Basic personal data includes name, date of birth, identification numbers, contact details, device identifiers, IP addresses, and online activity data. Most cookie-collected data falls here, including advertising identifiers, session IDs, and behavioral profiles built from browsing history.

Sensitive Personal Data

Sensitive personal data includes political and religious views, health information, genetic data, biometric data, sexual orientation, criminal records, financial data, and — critically — location data that can be used to identify a specific individual. Sensitive data triggers the strictest consent requirements, including specific, separate, and in some cases written or electronically verifiable consent.

Why This Matters for Cookies

A cookie that collects only a basic session identifier is basic personal data. A cookie that feeds a location-based advertising audience — common in retargeting and geo-targeted campaigns — is likely touching sensitive personal data the moment location becomes identifying. The CMP configuration must separate these purposes.

Cookie Consent Under Vietnamese Law

Vietnam follows the opt-in consent model. There is no notice-and-choice fallback for cookies that collect personal data, and the bar for valid consent is similar to the GDPR standard.

The Four Consent Requirements

Consent under Vietnamese law must be:

• Specific — tied to a clearly identified processing purpose, not a general umbrella consent
• Informed — the data subject understands what data is processed, why, who receives it, and for how long
• Voluntary — no pre-ticked boxes, no consent-or-leave walls for non-essential processing
• Expressible and withdrawable — the user can provide and withdraw consent through a clear mechanism

What a Compliant CMP Looks Like

A CMP configured for Vietnamese traffic in 2026 should present:

• A visible banner before any non-essential cookie or tracker fires, in Vietnamese (Tiếng Việt) by default for Vietnamese users
• Separate Accept, Reject, and Customize actions, with equal visual prominence — no dark patterns
• Granular controls for at least the following purposes: analytics, advertising, personalization, cross-border transfer, and any sensitive-category processing such as precise location
• A persistent, easy-to-find mechanism to change or withdraw consent after the initial choice
• Vietnamese-language privacy policy with clear disclosures of processors, data categories, retention, and the user's rights

Consent Records

Processors must maintain records of consent — who consented, when, to what, through what interface. Vietnamese enforcement actions have already cited missing or unverifiable consent logs, and the PDPL formalizes this obligation. A CMP that does not produce exportable, timestamped consent logs is not compliant.

Cross-Border Data Transfer — The Hardest Part

Vietnam's cross-border transfer regime is one of the most demanding in the region and is the element most foreign publishers struggle with.

The Transfer Impact Assessment

Before transferring Vietnamese personal data abroad — which includes sending cookie-derived identifiers to an overseas ad exchange or analytics vendor — the controller must prepare a Transfer Impact Assessment. The assessment must document the purpose, categories of data, recipient country and recipient, technical and organizational safeguards, and the legal basis for the transfer.

Filing with the MPS

The assessment must be filed with the Ministry of Public Security within 60 days of the start of processing. The MPS has the power to suspend cross-border transfers if the assessment is inadequate or if the destination jurisdiction is considered insufficient.

Practical Implication for Publishers

A typical programmatic ad stack routes user data through dozens of overseas vendors in milliseconds. Each of those flows is, strictly, a cross-border transfer of Vietnamese personal data. The 2026 reality is that most foreign publishers are either filing consolidated assessments for their entire vendor list or are pruning their vendor set to reduce the assessment burden. Neither is trivial, and the MPS has signalled it will begin more active enforcement on cross-border flows during 2026.

Data Subject Rights

The PDPL consolidates and strengthens the rights granted under the Decree. Vietnamese data subjects have the right to:

• Be informed about the processing of their data
• Access the data being processed
• Correct inaccurate data
• Delete data where processing is no longer justified
• Restrict processing in specified circumstances
• Withdraw consent as easily as it was given
• Object to automated decision-making that produces significant effects
• Complain to the Ministry of Public Security

Response Timelines

Controllers must respond to data subject requests within 72 hours in most cases — a significantly tighter window than the GDPR's 30-day standard. Operational readiness for this timeline is one of the more common compliance gaps for foreign publishers and requires tooling and runbooks that are faster than what is typical in other regions.

Special Rules for Minors

The PDPL introduces dedicated protections for processing of minors' personal data. Consent for processing of data belonging to a person under 15 must be given by a parent or legal guardian. Processing of data for those aged 15 to 18 requires the minor's own consent, but with heightened duties of transparency and care. Cookie consent UIs on sites that attract significant under-18 audiences need age-aware flows, which few foreign publishers have built by default.

Penalties and Enforcement

The PDPL raises the ceiling on administrative fines significantly. Sanctions include:

• Fines of up to 5 percent of global annual revenue for serious breaches involving sensitive personal data or systematic failures
• Suspension of processing activities
• Mandatory cross-border transfer halts
• Public disclosure of the violation
• Criminal liability for egregious cases, including unlawful sale of personal data

Enforcement Trend

The MPS was relatively quiet through 2023 and early 2024 as the Decree bedded in, but enforcement has accelerated through 2025 and into 2026. Foreign publishers have been cited in several publicized actions, almost always centered on one of three issues: missing or inadequate consent, unfiled cross-border transfer assessments, or failure to respond to data subject requests within the 72-hour window.

Audit Checklist for Vietnamese Traffic in 2026

• CMP banner is served in Vietnamese for Vietnamese users, with Accept, Reject, and Customize at equal prominence
• Consent purposes are granular and separate sensitive processing such as precise location
• Consent logs are timestamped, exportable, and retained for the duration of processing plus an auditable margin
• Privacy policy is available in Vietnamese with full disclosure of processors, retention, and rights
• Transfer Impact Assessment is filed with the MPS for every ongoing cross-border flow
• Data subject request workflow can respond within 72 hours end-to-end
• Age-aware consent flow is in place for audiences that include minors
• Vendor list has been reviewed for necessity, with unused or redundant vendors removed to shrink the cross-border surface area

The 2026 Outlook

Vietnam's regulatory trajectory is clear. The PDPD established the framework. The PDPL hardens it. Enforcement is expanding. For publishers and advertisers who have treated Vietnam as a lighter-touch market, 2026 is the year that approach becomes costly. The good news is that a modern GDPR-grade consent stack is most of what is needed — the gaps are typically the 72-hour response window, the Transfer Impact Assessment filings, and the Vietnamese-language localization of the CMP and privacy policy. Those gaps are operational, not architectural, and they can be closed in weeks rather than quarters. The publishers that close them before the MPS arrives on their doorstep will not notice the transition. The ones who wait will.