PDPA – What is it and Why it Matters

As the online world rapidly grows and evolves, people's access to information and media is more streamlined than ever. Not long ago, online platforms were not as widely used as they are today, and many companies and organizations still do not use user information to improve their marketing strategies.

Why Should Every Web Service Provider Comply with PDPA?

With those that do, you will have noticed that after visiting a particular site, ads from that website follow you around, even if you did not click a single thing. That is because the site stored some of your data through a visitor-tracking system and set ads to appear when you later visit an ad-based platform. The tracking mechanism is commonly called a "pixel": a small script or image that websites embed, and it is exactly such a pixel that Facebook uses to track visitor behaviour on the sites that embed it.

The movement that led to the Personal Data Protection Act (PDPA) began around two decades ago. At that time technology began to play a greater role in daily life, increasingly in the form of information technology. Computer systems became so integrated into people's lives that perhaps it was humans who adapted to technology, rather than the other way round.

Your computer acts as a personal data collector, whether the data is your name, date of birth, address or even financial information. Rightly, that fueled the movement for a right to protect such data. Preventing personal information from being taken without the consent of its owner was the reason for enacting the Personal Data Protection Act in 2019, which we usually call PDPA for short.

Why do we Need PDPA?

Many have questioned whether the Computer Crime Act B.E. 2550 (2007) would suffice for data protection. Why do we need PDPA on top of it? It should be reiterated that the 2019 Personal Data Protection Act was written to extend coverage alongside the Computer Crime Act B.E. 2550. In other words, PDPA was created to further protect people's information. The Computer Crime Act B.E. 2550 is a law that gives the government the power to control access to information at a public level. With both laws in place, citizens can be more assured that their personal information will not be leaked, because there are hefty penalties and fines if it is.

Coming back to the question: why do we need PDPA? If you are an organization or company that provides products or services and collects customer data in any form, whether through forms or payment details, you will want to protect yourself.

The best-known example this century of a company that collected users' personal information without adequate data-protection controls in place is the Facebook case, which ended with a $5 billion fine from the US Federal Trade Commission for mishandling user data. The $5 billion penalty against Facebook is the largest ever imposed on any company for violating consumers' privacy. Facebook is doing fine, as it has the financial reserves to absorb it.

However, if you are not Facebook, you risk paying fines you cannot absorb. In most cases, ignoring PDPA is hardly worth it. We have seen companies that profited from selling user information and subsequently had to pay millions of dollars in fines after the Personal Data Protection Act came into force.

On the other hand, from the user's perspective, PDPA lets users feel safer about giving information with consent. As a visitor to a website, you should also be aware of what kind of information will be collected. Read the terms in the cookie popup that appears when you open a page before consenting to give your information. By being aware of the terms and of which information will be collected before clicking that "Accept" button, you are actively taking part in your own personal data protection.
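As an added example (not code from the original post or from the studio), the following JavaScript shows the server-side-of-the-browser half of what the cookie popup is supposed to do: the tracking pixel described earlier is not loaded until a consent record says the visitor clicked Accept for that category, and a missing, malformed or expired consent record is treated as "no consent". The cookie name `consent`, the tracker URLs, the category names and the 180-day expiry are assumptions made for the illustration.

```javascript
// Added example: consent-gated loading of third-party tracking scripts.
// Cookie name, tracker URLs, categories and expiry are assumptions.

const CONSENT_COOKIE = "consent"; // hypothetical cookie name
const CONSENT_MAX_AGE_MS = 180 * 24 * 3600 * 1000; // 180 days, assumed policy

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
// Parts without "=" or with an empty name are ignored.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

const NO_CONSENT = Object.freeze({ analytics: false, marketing: false });

// Read the consent record ({"analytics":bool,"marketing":bool,"ts":number}).
// Anything missing, unparsable, or older than CONSENT_MAX_AGE_MS is "no consent":
// the safe default is to load nothing.
function readConsent(cookieString, now = Date.now()) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return NO_CONSENT;
  try {
    const rec = JSON.parse(raw);
    if (typeof rec.ts !== "number" || now - rec.ts > CONSENT_MAX_AGE_MS) {
      return NO_CONSENT;
    }
    return { analytics: rec.analytics === true, marketing: rec.marketing === true };
  } catch (e) {
    return NO_CONSENT;
  }
}

// Registry of third-party scripts and the consent category each one needs.
// The URLs are placeholders, not real endpoints.
const TRACKERS = [
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "site-analytics", category: "analytics", src: "https://stats.example/a.js" },
];

// Pure decision: ids of trackers allowed to load under this consent record.
function allowedTrackers(consent, trackers = TRACKERS) {
  return trackers.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Inject <script> tags only for allowed trackers. `doc` is passed in so the
// loader can be exercised with a stub outside a browser; in a page pass `document`.
function loadAllowedTrackers(doc, consent, trackers = TRACKERS) {
  const allowed = new Set(allowedTrackers(consent, trackers));
  const loaded = [];
  for (const t of trackers) {
    if (!allowed.has(t.id)) continue;
    const s = doc.createElement("script");
    s.src = t.src;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(t.id);
  }
  return loaded;
}

// Build the document.cookie / Set-Cookie string to store the visitor's choice.
// Only explicit `true` values count as consent; unknown keys are dropped.
function consentCookieValue(choice, now = Date.now()) {
  const rec = {
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
    ts: now,
  };
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Typical page flow (in a browser):
//   const consent = readConsent(document.cookie);
//   loadAllowedTrackers(document, consent);  // nothing loads until Accept
//   // on Accept: document.cookie = consentCookieValue({ marketing: true, analytics: true });
```

The important design choice is that every failure path (no cookie, bad JSON, expired record) collapses to "no consent", so a tracker can never load by accident; the popup's Accept button is the only thing that writes a record that unlocks it.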

Why do we need PDPA? For transparency, customer assurance, security and reliability.


So what’s the difference between PDPA and GDPR?

Each country applies different penalties to a party that violates its privacy law.

Today we will compare PDPA with another commonly seen term, GDPR, so that you know how they differ.

Definition of PDPA:

"Information about an individual that makes it possible to identify that individual directly or indirectly, but not including identification by name, location, workplace or business address, or the information of the deceased."

Definition of GDPR:

"Any information relating to a person who can be identified directly or indirectly, in particular by reference to an identifier, such as physical or physiological characteristics that can identify the individual."

What can be directly and indirectly identifiable?

  • IP Address
  • Online behavior
  • Check-in location
  • Health information
  • Fingerprint
  • Sexual orientation
  • Cookie ID
  • Others

Checklist – Is your website subject to PDPA enforcement?

  • Your website or organization stores or uses personal information. Legally this role is called a Data Controller (Personal Data Controller). For example, an e-commerce website that collects customer data.
  • You are an entity that processes customer data on behalf of a company that holds that data, for example under a service contract. This role is called a Data Processor (Personal Data Processor).
  • Your company or organization stores information abroad or transfers information between countries.


What are the Penalties for Violation?

  • Criminal penalty: imprisonment of up to 1 year and/or a fine of up to 1 million baht
  • Civil liability: punitive damages of no more than twice the actual damages claimed
  • Administrative fine: not exceeding 5 million baht

In conclusion, PDPA is of great importance, and compliance is something organizations and website providers must have. Not only is it essential for building trust and security for users, it also demonstrates the website's transparency.

Follow us on: yeswebdesignstudio.com

Facebook: yeswebdesignstudio

Instagram: yeswebdesign_bkk

Twitter : yeswebdesignbkk