PDPA for SMEs: The Complete Marketing Compliance Guide
PDPA for SME marketing in Thailand is no longer optional: it is the baseline standard for any business that collects a customer’s name, phone number, or digital footprint. Whether you run a café loyalty programme, a clinic booking form, or a Facebook Ads funnel, Thai law holds you accountable for every piece of personal data you touch. This guide translates complex legal obligations into a practical, plain-English playbook so you can protect your brand, avoid administrative fines that run to millions of baht, and turn privacy compliance into a genuine competitive advantage.
🕵️ Have You Ever Felt “Spooked” by a Brand?
Picture this: you stop at your favourite coffee shop, give your phone number at the counter to collect reward points — and two days later, an unsolicited loan SMS arrives. Then a life-insurance call. Then another.
Annoying? Almost certainly. Alarming? Possibly. Because the first question that crosses your mind is: where did they get my number?
As a business owner, if your customers ever ask that question about your brand, you are already in crisis territory. Personal data travels faster than any viral post in the digital age — and when it ends up in the wrong hands, or is used without explicit permission, the damage is not limited to a regulatory fine. What collapses in an instant is Trust — the single most durable currency in business.

Today, I want to walk Thai SME owners through PDPA for SME — not as a dry legal lecture, but as a “survival strategy” that can transform you from a transactional merchant into a brand your customers genuinely love and trust.
🛡️ What Is Data Protection and PDPA? The Fundamentals Every Thai SME Must Know
Think of it like a bank account. When you deposit money, you trust the bank to keep it in a vault — not to hand it to a stranger, or invest it recklessly without telling you. Customer data works the same way. The moment a customer shares their name, phone number, or browsing behaviour with your business, you become their data custodian. Three core obligations follow:
- Keep it secure: Prevent unauthorised access or theft — this is your Security obligation under PDPA Section 37.
- Use it for the stated purpose only: If you collected a phone number to arrange delivery, use it for delivery — not to sell insurance. This is the Purpose Limitation principle.
- Be transparent: Tell customers clearly what data you collect, why, and how. This is Transparency — and it is non-negotiable.
How Thai Law Defines “Personal Data” in a Business Context
Personal data under Thailand’s PDPA (Personal Data Protection Act B.E. 2562 / 2019) extends well beyond a name and national ID. In a typical SME marketing context, it includes:
- Mobile phone numbers and Line IDs — the lifeblood of Thai CRM systems
- Purchase history and transaction records, however informally stored
- Website browsing behaviour captured via Cookies, Facebook Pixel, or Google Analytics
- IP addresses, GPS coordinates, and any other device-level identifiers
⚖️ Why Thai SMEs Must Comply with PDPA (It Goes Far Beyond Avoiding Fines)
A common misconception among Thai SME operators is that PDPA is enforcement machinery aimed exclusively at large corporations. That is incorrect. While the law does offer a limited exemption from maintaining a formal Record of Processing Activities (RoPA) for businesses with annual revenue below ฿300 million, it does not exempt smaller operators from security obligations or the requirement to obtain valid consent. This position is confirmed by Tilleke & Gibbins’ analysis of Thailand’s data privacy landscape in 2025.
Trust Is the Key to Sustainable Revenue
Thai consumers are becoming increasingly sophisticated about their data rights. Once they discover that a brand has shared or sold their contact details without permission, they disengage permanently — and they tell others. The business case for privacy is no longer theoretical. According to the Usercentrics Data Privacy Statistics Report 2025, every ฿1 invested in privacy infrastructure generates a return of up to ฿42 — a 4,200% ROI — because customers who trust a brand are willing to share richer, more accurate data that enables genuinely personalised marketing.
Regulatory Penalties Are Real — and Already Being Imposed
PDPA is not aspirational guidance. As of August 2025, Thailand’s Personal Data Protection Committee (PDPC) had issued confirmed administrative fines totalling over ฿21.5 million across just eight enforcement actions. The largest single penalty reached ฿7,000,000, imposed on an IT product distributor that lacked adequate security controls and had failed to appoint a Data Protection Officer (DPO) as required by law; it exceeds the ฿5,000,000 per-offence ceiling because it aggregates several separate offences. Reference: Bangkok Post, PDPC Levies Fines in Data Breach Cases.
- Maximum administrative fine: ฿5,000,000 per offence (PDPA Section 82–90)
- Civil liability: Up to 2× actual damages (punitive damages) if a data breach causes proven harm
- Criminal exposure: Up to 1 year imprisonment for the most serious intentional violations

📣 Permission Marketing: The Strategic Shift from Interruption to Invitation
The era of Interruption Marketing — blasting promotions at anyone who happens to scroll past — is over. The strategic framework that replaces it is Permission Marketing: a discipline built on the simple premise that earned attention converts at a dramatically higher rate than purchased attention.
“Turn strangers into friends, and friends into customers — through respect.”
— Seth Godin
The 3 Iron Rules: Opt-In, Double Opt-In, and Easy Opt-Out
- Always request consent (Opt-In): Never assume that a customer who provides their contact details during a transaction has consented to receive marketing communications. You must present an active, unticked checkbox — “I agree to receive news and promotions” — for the customer to select voluntarily. Pre-ticked consent boxes are strictly prohibited under PDPA Section 19.
- Verify the address (Double Opt-In): When a customer submits an email address, send a confirmation link to that address and add it to your marketing list only after the link is clicked. This proves the submitter actually controls the mailbox, stops a third party from signing someone else up, and gives you a time-stamped consent record that is far easier to defend than a bare form submission.
- Make withdrawal effortless (Easy Opt-Out): An Unsubscribe link or “Stop messages” option must be visible, functional, and honoured immediately. Burying opt-out mechanisms is both a legal risk and a brand-destroying practice.
📚 Case Study: Costly Lessons from a Beauty Clinic’s PDPA Breach
To illustrate the real-world consequences, consider the “Kind Beauty Clinic” (fictitious name) — a composite drawn from documented enforcement cases in Thailand in 2025.
The Situation: The clinic ran Facebook Ads offering a free facial trial, collecting names and phone numbers through a landing-page form. There was no Privacy Notice on the form. An administrator extracted the leads and added them to a LINE group for repeated promotional broadcasts. Patient consultation records were stored on paper and disposed of through a general waste contractor — without any data destruction protocol.
Real Enforcement Precedents from 2025 (Source: DLA Piper Global Data Protection Overview):
- Data Breach Case: A cosmetics company was fined ฿2,500,000 after inadequate security controls allowed customer data to reach a call-centre fraud operation, resulting in direct financial harm to customers.
- Improper Disposal Case: A private hospital was fined ฿1,210,000 after outsourcing medical record destruction to a contractor who instead sold the paper documents as scrap — which subsequently appeared as food packaging bags sold near a local school.
Business Impact: Beyond the seven-figure fines, these organisations suffered immediate and lasting reputational damage. Customer relationships built over years evaporated overnight. For an SME operating on tighter margins, the reputational cost alone — compounded by lost customer lifetime value — can be existential. This is precisely the risk that every Thai SME must take seriously.
✅ Survival Checklist: 6 Actions Every SME Owner Must Take Immediately
The following framework is Kooru’s recommended baseline for any Thai SME that collects customer data — regardless of size or sector. For a deeper dive into PDPA Compliance Audits for Thai businesses, see our dedicated resource.
Audit Your Website and Data Collection Points
- [ ] Website Audit: Does your homepage display a Cookie Consent Banner? Is the “Reject All” button genuinely functional — or just decorative? Under PDPA, both acceptance and rejection must be equally accessible.
- [ ] Consent Forms: At every touchpoint where you collect names or phone numbers — online and offline — is there a separate, unticked checkbox for marketing consent? The checkbox must be independent from the service-agreement tick box.
- [ ] Update Your Privacy Policy: Is your Privacy Notice written in plain, readable Thai — or is it a copy-pasted legal template that no ordinary person would understand? A valid Privacy Notice must state what data you collect, why, how long you keep it, and who you share it with.
- [ ] Staff Training: Do your sales team and chat administrators understand their PDPA obligations? Screenshotting customer data and sharing it via personal LINE chats is a data security violation — full stop.
- [ ] Revocation System: If a customer requests removal from your marketing list, do you have an operational process to action that request immediately — and document it?
- [ ] Access Control: Who in your organisation can view the full customer database? Limit access strictly to those with a business need. Not everyone on the payroll should have access to every customer record.
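The website-audit item above, on a "Reject All" button that actually works, as code. This is an added example, not code from the page or from Kooru; the cookie name pdpa_consent, the notice version, the tracker IDs and the script URLs are assumptions. Non-essential scripts are injected only after a stored consent decision is read back; "Reject All" writes a decision just like "Accept All" does, so rejection is recorded rather than silently re-prompted; and a decision made under an older cookie policy is treated as no decision at all.

```javascript
// Added example (not code from the page or from Kooru): non-essential trackers
// load only after a recorded consent decision, and "Reject All" is a real,
// stored decision rather than the absence of one. Cookie name, notice version,
// tracker IDs and script URLs are assumed.
const CONSENT_COOKIE = 'pdpa_consent';
const NOTICE_VERSION = 2; // bump when the cookie policy changes: older decisions are asked again

// Registered trackers and the consent category each one belongs to.
const TRACKERS = [
  { id: 'ga4', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { id: 'tiktok-pixel', category: 'marketing', src: 'https://analytics.tiktok.com/i18n/pixel/events.js' },
];

// Cookie value: {v, analytics, marketing, ts}. Both choices are stored explicitly.
function serialiseConsent(choices, nowMs = Date.now()) {
  const decision = { v: NOTICE_VERSION, analytics: !!choices.analytics, marketing: !!choices.marketing, ts: nowMs };
  const value = encodeURIComponent(JSON.stringify(decision));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
}

// Parse document.cookie. Missing, malformed or out-of-date decisions all count as
// "no decision": show the banner again and load nothing non-essential.
function parseConsent(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const d = JSON.parse(decodeURIComponent(rest.join('=')));
      if (!d || d.v !== NOTICE_VERSION) return null;
      return { analytics: d.analytics === true, marketing: d.marketing === true };
    } catch { return null; }
  }
  return null;
}

// Which registered trackers may run under this decision. Default deny.
function trackersToLoad(consent) {
  if (!consent) return [];
  return TRACKERS.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Browser glue: inject only the permitted scripts. Takes the document as a
// parameter so the logic can be exercised outside a browser.
function applyConsent(doc, consent) {
  const allowed = trackersToLoad(consent);
  for (const t of TRACKERS) {
    if (!allowed.includes(t.id)) continue;
    const script = doc.createElement('script');
    script.async = true;
    script.src = t.src;
    doc.head.appendChild(script);
  }
  return allowed;
}

// Banner buttons: each takes exactly one click and each writes a decision.
function onAcceptAll(doc, nowMs = Date.now()) {
  doc.cookie = serialiseConsent({ analytics: true, marketing: true }, nowMs);
  return applyConsent(doc, parseConsent(doc.cookie));
}
function onRejectAll(doc, nowMs = Date.now()) {
  doc.cookie = serialiseConsent({ analytics: false, marketing: false }, nowMs);
  return applyConsent(doc, parseConsent(doc.cookie));
}

// Minimal stand-in for `document` so the module also runs under Node for testing.
function fakeDocument(cookie = '') {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { cookie, head, createElement: (tag) => ({ tag }) };
}
```

On page load the real browser call is applyConsent(document, parseConsent(document.cookie)); if that returns an empty list and parseConsent returned null, show the banner. The pixel snippets themselves must not be pasted into the page template, or they will fire before this code runs; the Secure attribute also means the cookie is only set over HTTPS.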

PDPA Compliance Checklist — 6 Steps Every Thai SME Must Complete
🏆 Conclusion: Turn Data Protection into a Golden Business Opportunity
“Data Protection is not a burden — it is a golden opportunity.”
While your competitors continue spamming inboxes and ignoring data security, you have a strategic window to differentiate. Declare your position: “We treat your data the way we treat family.” That single commitment, backed by genuine compliance, will earn you a level of customer loyalty that no advertising budget can buy.
If your internal audit today returns the verdict “at risk”, act now. Do not count on a warning letter before enforcement; the first contact from the regulator may be the fine itself.
Ready for a professional PDPA Compliance Audit or a bespoke Privacy Policy for your business? The Kooru team specialises in PDPA Compliance Audits tailored specifically for Thai SMEs. [Contact us today for an initial consultation] — and protect your business before the regulator reaches your door.
❓ Frequently Asked Questions (FAQ)
Does PDPA apply to small businesses?
Yes. PDPA applies to every business that collects personal data, regardless of size. While SMEs with annual revenue below ฿300 million may qualify for a limited exemption from maintaining a formal Record of Processing Activities (RoPA) under PDPA Ministerial Regulations, that exemption does not extend to security measures or the obligation to obtain valid consent. If your business collects even a single customer’s phone number, PDPA obligations apply to you.
What are the penalties for breaching PDPA?
The maximum administrative fine under PDPA is ฿5,000,000 per offence (Sections 82–90). Where a data breach causes demonstrable harm to data subjects, the court may additionally award civil damages of up to twice the actual loss (Punitive Damages). Criminal liability carries a maximum of one year’s imprisonment for the most serious intentional violations. In practice, the PDPC had imposed fines totalling ฿21.5 million across eight cases by August 2025.
What is Permission Marketing, and is it required?
Permission Marketing is the practice of obtaining explicit, informed consent from customers before sending them any marketing communication, known as the Opt-In model. Under PDPA, this is not merely a best practice: it is a legal requirement where the purpose of data use is marketing. Businesses that adopt Permission Marketing consistently achieve higher engagement rates, lower complaint volumes, and stronger customer lifetime value than those relying on interruptive, broadcast-style advertising.
Can I send promotions to customers who have not given marketing consent?
No. Where a customer has not provided Marketing Consent, you may communicate with them only for purposes that are strictly necessary to fulfil your contract with them, for example delivery notifications, invoices, or post-sale service updates directly related to an agreed transaction. Sending promotional content to a customer without valid marketing consent is an unlawful processing act under PDPA Section 24 and may result in both administrative and civil liability.
Is a handwritten customer notebook a PDPA risk?
It can be. PDPA applies equally to paper-based and digital records. The critical test is whether adequate security measures are in place. A 2025 enforcement precedent is instructive: a private hospital was fined ฿1,210,000 after patient records stored on paper were passed to a disposal contractor who sold them as scrap material, and pages ultimately appeared as food packaging near a school. Handwritten notebooks must be stored in a locked cabinet and destroyed via a certified, auditable method.
Can I keep using customer data collected before PDPA took effect?
Data collected before 1 June 2022 (the end of the PDPA transitional period) may continue to be used for its original stated purpose without fresh consent. However, you must provide a clear, accessible Opt-Out mechanism so that any customer can withdraw from that use at any time. If you intend to use pre-existing data for a new purpose, one not covered by the original collection notice, fresh, explicit consent is legally required before that new processing begins.
Does a LINE Official Account need a Privacy Notice?
Yes. A LINE ID constitutes personal data under PDPA because it identifies a specific individual. Any business operating a LINE Official Account that communicates with customers must publish a Privacy Notice, ideally on the Rich Menu or as an automated message when a customer adds the account as a friend. This notice must clearly state why the LINE ID is being collected, what it will be used for, and how customers can withdraw consent or request deletion of their data.
Who is responsible when a marketing agency handles my customer data?
Both parties bear distinct PDPA obligations. As the business owner, you are the Data Controller: you determine the purpose and means of processing, and you carry primary legal accountability. Your agency operates as a Data Processor. PDPA Section 40 requires a written Data Processing Agreement (DPA) between you and any agency that processes customer data on your behalf, specifying permitted uses, security standards, and the agency’s duty to report any breach to you without delay, because it is you, as controller, who must notify the PDPC within 72 hours of becoming aware of it.
Must every marketing SMS include an opt-out?
Yes, without exception. Every commercial SMS sent to a customer’s mobile number must include a clear, functional mechanism for the recipient to opt out of future messages, whether a dedicated short-code reply keyword (e.g., “STOP”), an unsubscribe URL, or a stated contact number. Failing to provide an opt-out pathway infringes the data subject’s right to withdraw consent under PDPA Section 19 and exposes your business to administrative enforcement action.
Does my website need a cookie consent banner?
Yes, if the website deploys non-essential tracking technologies. If your website uses any Tracking Cookies, including Facebook Pixel, Google Analytics, TikTok Pixel, or any remarketing tag, you must obtain the visitor’s consent before those cookies are activated. Essential Cookies required for the website’s core functionality (session management, shopping cart, login) are exempt from the consent requirement but must still be disclosed in your Cookie Policy. Operating tracking without prior consent is an unlawful processing act under PDPA.
By: Khun Phuwara Krobtaku — Senior Advisor, Business Strategy & Legal-Tech, The Kooru Data Tech & Law (Thailand)



