PDPA for Digital Marketers: The Privacy-First Survival Guide for Thai SMEs (2026)





🔥 Introduction: When “Trust” Is Worth More Than Your Ad Budget

Picture this. It is Monday morning. You walk into the office, coffee in hand, open your laptop — and discover that the promotional campaign you launched last week is delivering a 300% spike in sales. Then, less than an hour later, your phone rings. It is your CEO. The voice is not congratulatory.

We have just been notified by the PDPC — the Personal Data Protection Committee — that a customer has filed a complaint about a data breach. The press is already calling.

This is not fiction. It is the real-world nightmare that hit multiple Thai SMEs throughout 2025.

According to the PDPC Annual Report 2025, enforcement actions have resulted in fines totalling over THB 21.5 million. The single largest penalty — THB 7 million — fell on a well-known IT retailer whose data security infrastructure was found to be inadequate. Yet the fine itself was not the most damaging consequence. What proved irreplaceable was the customer trust that was destroyed overnight.

In this guide, Khun Phuwara — senior business strategy and Legal-Tech consultant at The Kooru — walks you through a practical, campaign-ready framework built on Privacy by Design (PbD). This is not a compliance checkbox exercise for your IT or Legal teams. It is a marketer’s strategic playbook that simultaneously protects you from regulatory exposure and positions your brand as one consumers genuinely choose to trust.




🛡️ Part 1: Privacy by Design (PbD) — The Marketer’s Secret Weapon

What Is Privacy by Design — and Why Does It Matter Right Now?

Privacy by Design is not a “Privacy Policy” notice you paste at the bottom of your website and forget. It is the discipline of engineering privacy protections into every process before a risk materialises — proactive, not reactive.

The framework was pioneered by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada, and has since been codified into law across multiple jurisdictions:

  • GDPR (European Union) — Article 25: Data Protection by Design and by Default
  • PDPA (Thailand) — Sections 37 and 39: Controller obligations for appropriate security measures
  • DPDPA (India) — Section 8: Obligations of Data Fiduciaries

Why Should Marketers Care?

Every marketer is, in effect, sitting on a ticking time bomb. The personal data you routinely collect — including:

  • Full name and surname
  • Email address
  • Mobile phone number
  • Purchase history
  • Location data (GPS coordinates)
  • Behavioural data (website browsing patterns and click-through activity)

all of it qualifies as personal data under Thailand’s PDPA, and every item carries legal obligations the moment you collect it.

Fail to meet those obligations and the consequences are concrete:

  1. Collecting without disclosing the purpose → violates Section 19 (Transparency)
  2. Using data beyond its stated scope (for instance, using a phone number collected for an order to sell insurance) → violates Section 21 (Purpose Limitation)
  3. Allowing a customer list to leak via a personal LINE group → violates Section 37 (Security Measures)

The ROI You Cannot See on a Dashboard: When Privacy Becomes Revenue

The Cisco Privacy Benchmark Study 2025 quantifies what many marketers still treat as abstract:

  • Organisations that invest seriously in privacy generate an average ROI of 1.6× their spend
  • 94% of consumers report they would not purchase from a brand they do not trust to protect their personal data
  • 97.9% of Thai consumers are willing to share personal information when they receive a clear Value Exchange — a discount, an exclusive benefit, or a personalised service (Thailand MarTech Report 2025)

The conclusion is unambiguous: Privacy is not a cost centre. It is a growth lever.


[Image: Data Minimization Strategy for Digital Marketers]



🚀 Part 2: 5 Steps to Embed Privacy into Your Marketing Campaigns

Step 1: Run a Privacy Impact Assessment (PIA) Before Every Campaign Launch

What is a PIA? A Privacy Impact Assessment is a structured evaluation of privacy risks conducted before a new project or campaign goes live — not after a complaint has been filed.

Core questions every marketer must answer at the outset:

  • What is the risk classification of the data we intend to collect? (Low / Medium / High)
  • What is the realistic harm to customers if this data were exposed or misused?
  • Does this campaign involve health data, financial data, children’s data, or any other Sensitive Personal Data category?

Non-negotiable rule: If your campaign touches health information, financial records, or data relating to minors, a formal PIA is mandatory — and engagement with your Data Protection Officer (DPO) is strongly advised before proceeding.

Step 2: Transition to an Ethical First-Party Data Strategy

The end of Third-Party Cookies is not coming — it has arrived.

The landscape shifted decisively:

  • Safari and Firefox blocked Third-Party Cookies from 2020 onwards
  • Google Chrome has now introduced a “User Choice” model, enabling users to opt out of cross-site tracking with a single click — effective from Q2 2025

The consequence for marketers is direct: legacy retargeting methods — following users across the open web — are no longer viable as a primary acquisition strategy.

The sustainable alternative: First-Party Data Strategy

First-Party Data is information you collect directly from your customers, through channels and touchpoints you own:

  • Membership and loyalty programmes
  • LINE Official Account (LINE OA)
  • Email newsletters
  • CRM systems or a CDP (Customer Data Platform)

The strategic advantages are threefold:

  • 100% data accuracy — no intermediary distortion
  • Full legal compliance — the customer provided the data directly and knowingly
  • Long-term relationship capital — the foundation of genuine loyalty

Step 3: Data Minimisation — Collect the Minimum, Not the Maximum

The governing rule: never collect data “just in case”.

PDPA Section 22 requires that personal data collection be limited to what is strictly necessary for the stated purpose. Excess collection is not a neutral act — it is a legal violation waiting to be triggered.

Illustrative examples of correct versus incorrect practice:

Marketing Objective            | Incorrect Data Request ❌                  | Correct Data Request ✅
Sending a birthday coupon      | Full date of birth + National ID number   | Birth month only
Sending an electronic receipt  | Full name + postal address + GPS location | Email address only

Audit your forms today — apply these two disciplines immediately:

  • ✂️ Remove every field that cannot be directly justified by the campaign’s stated purpose
  • 🔒 Make all Sensitive Data fields optional — never mandatory

Step 4: Lock Down Your Data Environment (End-to-End Security)

Two data states — both demand protection:

  1. Data at Rest — data stored in servers, databases, or cloud environments
    • ✅ Apply AES-256 encryption as the baseline standard
    • ✅ Implement automated backups on at least a weekly cadence
  2. Data in Transit — data moving between systems or users
    • ✅ Enforce TLS 1.3 across all HTTPS connections
    • ✅ Prohibit transmission of customer files via personal LINE or WhatsApp — use Secure File Sharing platforms such as properly permissioned Google Drive

Recommended tools for Thai SMEs:

  • CRM: HubSpot, Salesforce (enterprise-grade, internationally certified security controls)
  • Email Marketing: Mailchimp, GetResponse (GDPR / PDPA compliant infrastructure)
  • File Encryption: VeraCrypt, Cryptomator (open-source, zero cost)

Step 5: Radical Transparency and Accountability — Earn the Right to Market

Your Privacy Policy must be written for humans, not for lawyers to hide behind.

What to stop writing ❌:

The Company reserves the right to process the data subject’s personal data for marketing purposes as specified in the terms and conditions set forth herein.

What to write instead ✅:

We will use your email address to send you special promotions — once or twice a month. You can unsubscribe at any time, instantly, with one click.

Apply the Layered Notice technique:

  • Layer 1: A concise, plain-language notice adjacent to every data collection field — a tooltip or a contextual pop-up
  • Layer 2: A link to the complete Privacy Policy page for those who want full detail

[Image: Transparency & Accountability in PDPA-Compliant Marketing]



🍪 Part 3: Surviving the Cookieless World — When Cookies Crumble

From “Tracking Everywhere” to “Earning Trust Everywhere”

The current reality:

  • Google Chrome has implemented a user-choice model allowing individuals to opt out of tracking across sites — effective Q2 2025
  • Survey data indicates that more than 70% of users are choosing to disable tracking when given the option

The operational impact on marketing teams is severe:

  • 📉 Retargeting audience precision has degraded substantially
  • 📉 Conversion rate tracking is producing material measurement errors
  • 📉 Multi-touch attribution models are breaking down

Four Proven Paths Forward

1. Contextual Targeting — Return to First Principles

Instead of tracking individual behaviour across the web, serve advertising based on the content a user is actively consuming:

Outdated Approach (Behavioural) ❌                                         | Modern Approach (Contextual) ✅
Follow a user who searched “running shoes” across every website they visit | Serve running shoe ads on sports news sites and marathon running blogs — where intent is already self-declared

2. Server-Side Tracking

Replace client-side pixel scripts (JavaScript running in the browser) with server-side event data collection, where conversion signals pass through your own server infrastructure before being forwarded to analytics platforms.

The operational advantages are meaningful:

  • ✅ Ad blockers cannot intercept server-side signals
  • ✅ Data fidelity improves — no mid-funnel signal loss
  • ✅ Reduced exposure — fewer data points sent directly to Third-Party platforms

Recommended platforms: Google Tag Manager (Server-Side container), Segment, RudderStack

3. CMP — Consent Management Platform

Is your Cookie Banner actually compliant?

What you must never do ❌:

  • Pre-ticked consent checkboxes
  • Obscuring or visually deprioritising the “Reject All” option
  • Requiring users to click “Accept All” before accessing site content

What you must implement ✅:

  • Clear, equally prominent options: “Accept All” | “Reject All” | “Manage Preferences”
  • A Consent Log — a timestamped, auditable record of every consent decision — retained for a minimum of 3 years

Recommended CMP tools: OneTrust, Cookiebot, Usercentrics

4. Build Your Own CDP — Customer Data Platform

Rather than relying exclusively on Google Analytics or Meta Pixel, build a proprietary unified customer data foundation that aggregates signals from every owned touchpoint:

  • 🛒 E-commerce platform — purchase history and product affinities
  • 📧 Email marketing — open rates, click-through rates, and engagement cadence
  • 💬 LINE Official Account — conversation history and sticker interactions
  • 📞 Call centre — contact history and stated preferences

Leading CDP platforms: Segment, Salesforce CDP, Adobe Real-Time CDP




🌏 Part 4: Cross-Border Data Transfers — The Compliance Trap SMEs Miss

Where Is Your Customer Data Actually Flowing?

You may assume that because your company operates in Thailand, your customer data stays in Thailand. This assumption is incorrect — and legally dangerous.

If you are using any of the following:

  • ☁️ Cloud infrastructure — AWS, Google Cloud, Microsoft Azure
  • 📧 Email marketing platforms — Mailchimp, SendGrid, Klaviyo
  • 💼 CRM or SaaS tools — HubSpot, Salesforce, Zoho

— then your customers’ personal data may be actively transiting to Singapore, the United States, or Ireland without your direct awareness.

The Legal Obligation Under PDPA Section 28

The statutory requirement is clear: Any transfer of personal data to a foreign country is lawful only where that country provides an adequate level of personal data protection as determined by Thailand’s PDPC.

Where adequacy cannot be established, you must implement one of the following safeguard mechanisms:

  • SCCs (Standard Contractual Clauses) — model contract clauses approved by the European Commission and adopted as a benchmark under PDPA cross-border transfer rules
  • BCRs (Binding Corporate Rules) — intra-group governance frameworks for multinational corporate structures
  • Encryption — cryptographic protection applied to data before transmission

Practical Checklist: Build Your Data Flow Map Today

Step 1: Document your data flow architecture

[Customer completes form]
    ↓
[Your website (Thailand)]
    ↓
[Google Cloud Server (Singapore)]
    ↓
[Mailchimp (United States)]
    ↓
[Analytics Dashboard (Ireland)]

Step 2: Verify your DPA (Data Processing Agreement) with every vendor

Every third-party tool in your stack must demonstrate:

  • ✅ A clearly executed DPA governing their handling of your customers’ data
  • ✅ Explicit support for SCCs for international data transfers
  • ✅ A published Data Breach Notification Policy

Step 3: Encrypt data at every transfer point

Apply TLS 1.3 for all Data in Transit and AES-256 for all Data at Rest — without exception.
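The three checklist steps above can be turned into a repeatable audit of the data flow map. The following is an added example (not Kooru's code): each hop records where the data is processed, whether a DPA is signed, which Section 28 safeguard is documented, and the transit/at-rest protection; the hop names, countries and contract statuses in the sample are constructed, and the set of adequate countries is left empty on purpose so that Legal's own determinations must be passed in explicitly.

```python
"""Data-flow map audit for cross-border transfers (PDPA Section 28 checklist).

Added example, not Kooru's own code. Every hop is checked for:
  - a documented transfer basis when data leaves Thailand (adequacy, or SCC/BCR/encryption),
  - a signed DPA for every third-party processor,
  - TLS for data in transit and encryption for data at rest.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

HOME_COUNTRY = "TH"
SAFEGUARDS = {"SCC", "BCR", "ENCRYPTION"}   # the three mechanisms named in the guide


@dataclass
class Hop:
    system: str                      # e.g. "Mailchimp"
    country: str                     # ISO 3166 alpha-2 code of where the data is processed
    third_party: bool = True         # False for systems you operate yourself
    dpa_signed: bool = False
    safeguard: Optional[str] = None  # "SCC", "BCR" or "ENCRYPTION" when the country is not adequate
    tls_in_transit: bool = True
    encrypted_at_rest: bool = True
    stores_data: bool = True         # False for pure pass-through hops


def audit_flow(hops: List[Hop], adequate_countries: Set[str] = frozenset()) -> List[str]:
    """Return one finding per gap; an empty list means the map passes the checklist.

    adequate_countries holds the countries Legal has recorded as adequate per the PDPC;
    nothing is assumed adequate by default.
    """
    findings: List[str] = []
    for hop in hops:
        leaves_thailand = hop.country != HOME_COUNTRY
        if leaves_thailand and hop.country not in adequate_countries:
            if hop.safeguard is None:
                findings.append(f"{hop.system} ({hop.country}): cross-border transfer with "
                                "no adequacy finding and no safeguard")
            elif hop.safeguard not in SAFEGUARDS:
                findings.append(f"{hop.system} ({hop.country}): unrecognised safeguard {hop.safeguard!r}")
        if hop.third_party and not hop.dpa_signed:
            findings.append(f"{hop.system}: third-party processor without a signed DPA")
        if not hop.tls_in_transit:
            findings.append(f"{hop.system}: data in transit not protected by TLS")
        if hop.stores_data and not hop.encrypted_at_rest:
            findings.append(f"{hop.system}: data at rest not encrypted")
    return findings


# Constructed sample: the flow sketched in Step 1 above, with hypothetical contract status.
SAMPLE_FLOW = [
    Hop("Company website", "TH", third_party=False),
    Hop("Google Cloud server", "SG", dpa_signed=True),                    # no safeguard documented
    Hop("Mailchimp", "US", dpa_signed=True, safeguard="SCC"),
    Hop("Analytics dashboard", "IE", dpa_signed=False, safeguard="SCC"),  # DPA never executed
]

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW) or ["No findings"]:
        print(finding)
```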


[Image: Robust Security Framework for PDPA Compliance]



🔒 Part 5: 12 Data Security Best Practices You Can Implement Today

The following is an actionable checklist your team can begin executing immediately — no external consultant required to get started.

1. Obtain Explicit and Freely Given Consent

What you must never do ❌:

  • Pre-ticked consent boxes — any box relating to marketing must start unticked
  • Conditioning service access on accepting marketing communications (unless strictly necessary for service delivery)
  • Burying consent language in small-print terms and conditions

What you must implement ✅:

  • Separate, clearly labelled consent checkboxes — “I accept the Terms of Use” is distinct from “I consent to receive marketing communications”
  • Granular consent options — allow customers to select which categories of communication they agree to receive
  • A Consent Log with timestamps — your primary evidentiary record in any enforcement action

2. Data Minimisation — Collect Only What You Can Justify

Conduct a quarterly data audit applying these disciplines:

  • 🗑️ Delete personal data belonging to customers who have been inactive for more than 2 years
  • 🔍 Review every data collection form — remove every field that cannot be directly justified by a stated processing purpose
  • 📊 Use anonymised or pseudonymised data for analytics wherever possible — you rarely need a real name to generate actionable insights

3. Transparency — Deploy Layered Notice Architecture

Apply the Layered Notice approach consistently across all collection points:

Layer 1 — Just-in-Time Notice:

A tooltip or contextual note adjacent to every data field, for example:

💡 “We are collecting your email address to send you your electronic receipt and occasional exclusive promotions — typically once or twice a month.”

Layer 2 — Full Privacy Policy:

A direct link to your complete Privacy Policy for users who wish to review all detail before consenting.

4. User Control — Honour All Eight PDPA Rights

Thailand’s PDPA grants data subjects eight enforceable rights. Your systems must support all of them:

Right                                    | Implementation Method
Right of Access                          | A “Request My Data” form accessible from your website
Right to Rectification                   | Self-service profile editing within Account Settings
Right to Erasure (Right to be Forgotten) | A “Delete My Account” button or a formally submitted deletion request form
Right to Withdraw Marketing Consent      | A clearly visible Unsubscribe link in every marketing email
Right to Data Portability                | The ability to export personal data in a machine-readable format (CSV or JSON)

Response deadline: All data subject requests must be fulfilled within 30 days of receipt — as required by PDPA Section 39.

5. Robust Security — MFA and Role-Based Access Control

Minimum security architecture across three tiers:

Level 1: Individual accounts

  • ✅ Passwords of 12+ characters with complexity requirements
  • ✅ Two-Factor Authentication / MFA enabled (Google Authenticator, Authy)

Level 2: Backend systems and Admin Panels

  • ✅ MFA mandatory for every administrative account without exception
  • ✅ IP Whitelisting — restrict Admin Panel access to office IP ranges only
  • ✅ Password rotation enforced every 90 days

Level 3: Database access

  • ✅ Role-Based Access Control (RBAC) with strict least-privilege principles:
    • Marketing staff — access limited to name and email only
    • Finance staff — access limited to payment transaction data only
  • ✅ Full Audit Log of every database access event

6. Privacy Policy in Plain Language

Replace this ❌:

The Company may process your personal data for the purposes of its ordinary business operations as set out in these terms and conditions.

With this ✅:

We store your email address and name for two purposes:

  1. To send you your purchase receipt
  2. To send you promotional news — once or twice a month

You can unsubscribe at any time with a single click.

Practical writing techniques:

  • Use descriptive subheadings and bullet points to create scannable structure
  • Include a Table of Contents so users can navigate directly to sections relevant to them
  • Illustrate every policy point with a real-world example from your actual operations

7. Vendor Management — Sign a DPA with Every Third-Party Provider

Every tool in your marketing technology stack must be covered by a signed Data Processing Agreement.

Vendor selection checklist:

  • ☑️ Holds ISO 27001 certification or SOC 2 Type II attestation
  • ☑️ Provides SCCs to cover international data transfers
  • ☑️ Has a published Breach Notification Policy committing to notification within 72 hours
  • ☑️ Provides a contractual Data Deletion Guarantee upon contract termination

For agencies and freelancers you engage:

  • ✅ Require execution of both an NDA and a DPA before access to any customer data is granted
  • ✅ Explicitly prohibit use of your customer data on any other client engagement
  • ✅ Contractually require certified deletion of all data upon project completion

8. Respect Opt-Out Signals — Including GPC

Treat every Unsubscribe request as a genuine commitment, not an obstacle to route around:

  • ✅ The Unsubscribe link must be visually prominent in every marketing communication — not a grey 6pt footnote
  • ✅ Unsubscribe requests must be actioned within 24–48 hours — no exceptions, no grace periods
  • ✅ Users must never be required to log in to an account in order to unsubscribe from marketing messages

Global Privacy Control (GPC): This is a browser-level signal indicating that a user has opted out of tracking. Any website operating in a jurisdiction where GPC is recognised must honour this signal automatically — without requiring the user to interact with a consent banner.


9. Privacy by Default — Set the Most Private Option as the Starting State

The governing principle: every system setting should default to maximum privacy. Users who wish to share more can actively choose to do so. The inverse — collecting broadly and asking permission later — is non-compliant.

Feature                                 | Non-Compliant Default ❌ | Compliant Default ✅
User profile visibility                 | Public                   | Private
Marketing communication subscription    | Opted in                 | Opted out (user must actively subscribe)
Data sharing with partner organisations | Permitted                | Blocked

10. Data Retention — Set Expiry Dates and Automate Deletion

Old data you are not using is not an asset — it is a liability.

Establish a documented, automated retention schedule:

  • 🗓️ Inactive customer personal data (no activity for more than 2 years) → automated deletion
  • 🗓️ Consent records and Consent Logs → retained for 3 years as evidentiary proof of compliance
  • 🗓️ Transaction logs → retained for 5–10 years in accordance with accounting and commercial law requirements

Automation tools: Google Workspace retention policies, AWS S3 Lifecycle rules — configure once, enforce perpetually.
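The Consent Log (Part 3, item 3 and item 1 above), the opt-out SLA and GPC handling (item 8), privacy by default (item 9) and the 3-year retention of consent records (item 10) fit together in one small append-only ledger. The following is an added example, not Kooru's code: purpose names, the 48-hour SLA and the sample customer are constructed; the `Sec-GPC: 1` request header is the signal defined by the Global Privacy Control specification, and the sweep's rule of always keeping the latest event per subject and purpose is this example's own design choice.

```python
"""Append-only consent ledger: granular purposes, timestamped decisions, automatic GPC
honouring, opt-out SLA tracking and a retention sweep. Added example, not Kooru's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

PURPOSES = {"receipt", "promotions", "partner_sharing", "analytics"}   # assumed purpose set
GPC_WITHDRAWS = {"analytics", "partner_sharing"}   # tracking purposes a Sec-GPC: 1 header opts out of
CONSENT_LOG_RETENTION = timedelta(days=3 * 365)    # keep consent records 3 years as evidence
UNSUBSCRIBE_SLA = timedelta(hours=48)              # opt-outs actioned within 24-48 hours


@dataclass
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool
    at: datetime                            # timezone-aware
    source: str                             # "signup_form", "unsubscribe_link", "gpc_header", ...
    actioned_at: Optional[datetime] = None  # when a withdrawal was pushed to the sending systems


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool, at: datetime, source: str) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        event = ConsentEvent(subject_id, purpose, bool(granted), at, source)
        self._events.append(event)   # never edited in place: the log itself is the evidence
        return event

    def state(self, subject_id: str, purpose: str, as_of: Optional[datetime] = None) -> bool:
        """Latest decision on or before as_of. No record means no consent (privacy by default)."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id != subject_id or ev.purpose != purpose:
                continue
            if as_of is not None and ev.at > as_of:
                continue
            if latest is None or ev.at >= latest.at:
                latest = ev
        return latest.granted if latest is not None else False

    def apply_gpc(self, subject_id: str, headers: Dict[str, str], now: datetime) -> List[str]:
        """Honour Global Privacy Control without any banner interaction: a Sec-GPC: 1 request
        header withdraws every tracking purpose the subject currently has granted."""
        if headers.get("Sec-GPC") != "1":   # a real web framework normalises header case
            return []
        withdrawn = []
        for purpose in sorted(GPC_WITHDRAWS):
            if self.state(subject_id, purpose, now):
                self.record(subject_id, purpose, False, now, "gpc_header")
                withdrawn.append(purpose)
        return withdrawn

    def overdue_withdrawals(self, now: datetime) -> List[ConsentEvent]:
        """Withdrawals not yet applied to the sending systems within the SLA window."""
        return [ev for ev in self._events
                if not ev.granted and ev.actioned_at is None and now - ev.at > UNSUBSCRIBE_SLA]

    def sweep(self, now: datetime) -> int:
        """Purge superseded events older than the retention period; the latest event per
        (subject, purpose) is always kept because it evidences the current state."""
        latest: Dict[tuple, ConsentEvent] = {}
        for ev in self._events:
            key = (ev.subject_id, ev.purpose)
            if key not in latest or ev.at >= latest[key].at:
                latest[key] = ev
        current = {id(ev) for ev in latest.values()}
        kept = [ev for ev in self._events
                if id(ev) in current or now - ev.at <= CONSENT_LOG_RETENTION]
        removed = len(self._events) - len(kept)
        self._events = kept
        return removed


def demo_scenario() -> Dict[str, object]:
    """Constructed walkthrough: one customer, a GPC visit, an unsubscribe and a sweep."""
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("cust-001", "receipt", True, t0, "checkout_form")
    ledger.record("cust-001", "promotions", True, t0, "signup_checkbox")
    ledger.record("cust-001", "analytics", True, t0, "cookie_banner")
    withdrawn = ledger.apply_gpc("cust-001", {"Sec-GPC": "1"}, t0 + timedelta(hours=1))
    unsub = ledger.record("cust-001", "promotions", False, t0 + timedelta(hours=2), "unsubscribe_link")
    overdue_before = len(ledger.overdue_withdrawals(t0 + timedelta(hours=3)))
    overdue_after = len(ledger.overdue_withdrawals(t0 + timedelta(hours=72)))   # SLA missed
    unsub.actioned_at = t0 + timedelta(hours=80)
    removed = ledger.sweep(t0 + timedelta(days=4 * 365))
    return {
        "partner_sharing_default": ledger.state("cust-001", "partner_sharing"),
        "gpc_withdrew": withdrawn,
        "overdue_before_sla": overdue_before,
        "overdue_after_sla": overdue_after,
        "promotions_after_sweep": ledger.state("cust-001", "promotions"),
        "events_removed": removed,
        "events_kept": len(ledger._events),
    }


if __name__ == "__main__":
    for name, value in demo_scenario().items():
        print(f"{name}: {value}")
```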


11. Staff Training — Address the Largest Vulnerability in Your Organisation

Your technology is only as secure as your least-trained team member.

According to the IBM Security Report 2025, 95% of data breaches are attributable to human error. The most sophisticated encryption infrastructure cannot protect you from a phishing email successfully targeting a junior marketing assistant.

Minimum required training curriculum:

  • 🎯 Recognising Phishing and Social Engineering attacks — with real examples from Thai incidents
  • 🎯 Password hygiene — never reuse credentials, never share passwords, use a password manager
  • 🎯 Device security — lock screens when stepping away from a workstation, encrypt laptop drives
  • 🎯 Incident reporting — what constitutes an anomaly, and how to escalate to your IT or DPO immediately

Recommended frequency: Full training every 6 months, with live Phishing Simulation Drills every quarter.


12. Breach Drill — Rehearse Before the Real Incident Occurs

A data breach response plan that has never been tested is not a plan. It is a document.

Scenario for your next drill:

Monday morning. A threat actor contacts your organisation claiming they have exfiltrated personal data belonging to 10,000 customers and will publish it within 24 hours unless a ransom is paid.

Who does what — and in what order:

  1. IT Team: Immediately isolate the affected system from the network (Containment phase) — prevent further data exfiltration
  2. DPO / Legal: Notify the PDPC within 72 hours of confirmed breach awareness — mandatory under PDPA Section 37
  3. PR / Marketing: Prepare a transparent, factually accurate Press Release — do not obscure, minimise, or spin the incident
  4. CEO: Determine ransom payment position (the universal recommendation from law enforcement: do not pay — payment does not guarantee data deletion and funds further criminal operations)

Document templates to prepare and maintain in advance:

  • ✅ Breach Notification Letter (in Thai and English)
  • ✅ Customer Service FAQ script for handling customer enquiries following a breach
  • ✅ Official Media Statement

[Image: PDPA for Digital Marketers — A Practical 2026 Compliance Framework]



🎯 Conclusion: The Future of Marketing Is Integrity

Taking PDPA compliance seriously is not a strategy for avoiding penalties. It is a long-term investment in the only sustainable competitive advantage available to any brand: trust.

In a market where consumers are better informed, better equipped with tools to protect themselves, and more willing to switch brands than at any previous point in history, the differentiator between brands that survive and brands that do not is not budget, reach, or creative. It is credibility.

It takes 20 years to build a reputation and five minutes to ruin it.
Warren Buffett

A single data breach can erase years of earned trust in hours.

But for brands that commit — genuinely and visibly — to the following three propositions:

  • ✅ “We respect your data”
  • ✅ “We operate with full transparency”
  • ✅ “We protect you”

— the return is not just regulatory safety. It is:

  • 💚 Trust — earned, not purchased
  • 💙 Loyalty — durable, not transactional
  • 💛 Long-term Customer Lifetime Value — compounding, not one-time



✅ Quick-Start Checklist: What CMOs and Heads of Marketing Must Action This Quarter

Print this list. Pin it on your desk. Begin today.

  • [ ] Convene a cross-functional session — Marketing, IT, and Legal — to produce a documented Data Flow Map
  • [ ] Audit your Cookie Banner — verify it is implemented through a compliant CMP solution
  • [ ] Review every data collection form — remove all fields that cannot be justified by a specific processing purpose
  • [ ] Verify your DPA documentation — confirm all agencies and vendors have signed a current DPA
  • [ ] Schedule a Privacy and Security training session — for all staff, within the next 30 days
  • [ ] Complete a PIA — for any major campaign currently in planning
  • [ ] Establish an automated Data Retention Policy — configure deletion rules for legacy and inactive data
  • [ ] Plan a Breach Response Drill — schedule for Q2, no later



💼 Need Expert Guidance? Speak with Kooru’s PDPA Specialists

If your organisation requires specialist support across any of the following:

  • PDPA Audit & Gap Analysis — identify your current exposure and prioritise remediation
  • Privacy by Design Consultation — embed compliant architecture into your marketing workflows from the ground up
  • DPO-as-a-Service — access a fully qualified Data Protection Officer on a retained, cost-effective basis
  • Cyber Security Assessment — validate your technical controls against current threat models
  • Staff Training & Breach Drill Facilitation — structured, scenario-based programmes for teams at every level

Contact Kooru today — your partner for both regulatory security and winning lasting customer confidence.

📧 Email: sale@kooru.com
🌐 Website: www.kooru.com
📞 LINE OA: @koorudata




❓ Frequently Asked Questions: PDPA for Digital Marketers

1. Do I need customer consent to upload contact data to Facebook Custom Audiences?

Answer: Yes — without exception. Uploading a customer’s mobile number or email address to Facebook’s Custom Audience tool constitutes use of personal data for marketing purposes under PDPA. You must have obtained explicit Marketing Consent from each individual before uploading their data. Using a number collected during an order checkout to run advertising campaigns — without a separate, specific consent — is a direct violation. This applies even if the data was legitimately collected for a different purpose at an earlier point in time.

2. Is storing customer data in Google Sheets a PDPA violation?

Answer: It is not automatically a violation, but it carries significant operational risk that most organisations underestimate. If you continue to use Google Sheets for customer data, the minimum safeguards are: set Sharing permissions to “Specific people only” — never “Anyone with the link”; enable 2-Step Verification on all Google accounts with access; and ensure no Sensitive Personal Data categories are stored in spreadsheet form. The more sustainable recommendation for any growing operation is to migrate to a CRM system with enterprise-grade access controls and audit logging — both of which Google Sheets cannot provide.

3. If a customer unsubscribes, must I delete all their data immediately?

Answer: No — but the distinction matters. You are required to cease all marketing communications immediately — within 24 to 48 hours of the unsubscribe action being recorded. You are not, however, required to delete the customer’s entire data record. Transaction records, purchase histories, and other commercially or legally necessary data may be retained for the applicable statutory period — typically 5 to 10 years under Thai accounting and commercial law — for audit and legal evidentiary purposes. The obligation is to stop marketing, not to erase all history.

4. Does my small business need a DPO (Data Protection Officer)?

Answer: Under PDPA Section 41, appointment of a DPO is not mandatory for all organisations. However, a DPO is strongly recommended — and arguably essential to responsible operation — if your organisation processes health data (such as a clinic or wellness brand), processes data relating to children under 18, or holds personal data on more than 100,000 individuals. For smaller operations without a full-time DPO requirement, Kooru offers a DPO-as-a-Service model that provides qualified Data Protection Officer coverage on a retained basis, without the overhead of a full-time hire. See our guide to DPO-as-a-Service for Thai SMEs for more detail.

5. Does using Google Analytics violate PDPA?

Answer: Not inherently — but the configuration matters enormously and many implementations are non-compliant by default. Three steps are mandatory for legal use: enable IP Anonymisation to prevent storage of full IP addresses; disable Google’s Data Sharing settings to prevent your analytics data being used for Google’s own modelling; and obtain user consent via a compliant Cookie Banner before the analytics tracking code fires. Organisations with higher privacy standards may choose to migrate to Plausible Analytics or Matomo — both of which are designed with privacy-first architecture and require no consent for basic measurement when configured correctly.

6. Must I obtain consent before deploying Facebook Pixel on my website?

Answer: Yes — Facebook Pixel is a tracking technology that collects behavioural data from website visitors and transmits it to a third-party platform (Meta). Under both GDPR and Thailand’s PDPA, deploying any tracking technology that processes personal data requires prior informed consent. Your Cookie Banner must present users with a genuine, meaningful choice to accept or decline Pixel tracking before the script activates. A banner that presents “Accept All” as the primary call to action while obscuring “Reject” functionality does not meet this standard.

7. How quickly must I respond to a customer’s data access request?

Answer: Under PDPA Section 39, the statutory response deadline is 30 days from the date the written request is received. In circumstances involving unusual complexity or volume — for example, a request requiring extensive data retrieval across multiple systems — the deadline may be extended by a further 30 days, but only where the requesting individual is notified of the extension and its reasons before the original deadline expires. Failing to respond within the applicable timeframe is an independent regulatory violation, separate from any underlying data handling issue.

8. Is purchasing an email list from a data broker legal under PDPA?

Answer: This practice is strongly discouraged and carries material legal risk regardless of the broker’s representations. PDPA requires consent to be specific, informed, and freely given for each distinct purpose for which data is used. A consent obtained from an individual to receive communications from Company A does not automatically extend to receiving communications from Company B — even if Company B purchased that individual’s contact data from a broker who facilitated the original consent. Unless the original consent documentation explicitly covers sharing with third-party marketers, the data cannot lawfully be used by you. The practical risks extend beyond PDPA: purchased lists routinely degrade sender reputation, triggering spam classifications that harm your entire email programme.

9. How quickly must I report a data breach to the PDPC?

Answer: PDPA Section 37 requires notification to the Personal Data Protection Committee within 72 hours of the data controller becoming aware that a breach has occurred. Where the breach is likely to result in high risk to the rights and freedoms of data subjects — for example, where sensitive personal data, financial information, or health records are involved — you are additionally required to notify the affected individuals directly, without undue delay. Deliberately concealing a breach or failing to report within the statutory window constitutes a separate aggravating offence that the PDPC has treated as grounds for enhanced penalties in enforcement actions to date.

10. What compliance obligations apply when using LINE Official Account for customer engagement?

Answer: LINE OA is an effective First-Party channel, but the compliance obligations are frequently misunderstood. A user following your LINE OA — the equivalent of “Add Friend” — does not constitute consent to receive marketing communications. Consent for marketing purposes must be specifically obtained, ideally through a formal consent flow within your LINE OA welcome sequence. Additionally, customer data gathered through LINE OA interactions must never be shared with third parties — including your own agencies or technology vendors — without a supporting DPA and explicit authorisation from the data subject. Every broadcast message must include a clear, frictionless opt-out mechanism: for example, the instruction “Reply STOP to unsubscribe” must result in immediate cessation of commercial messaging.


By: Khun Phuwara (ภูวรา ครอบตะคุ) — Senior Business Strategy and Legal-Tech Consultant, The Kooru Data Tech & Law (Thailand)