Thailand PDPA and analytics
Thailand's Personal Data Protection Act (PDPA), in full effect from 1 June 2022, is the country's comprehensive data-protection law. It requires a lawful basis — often consent or a documented legitimate ground — and a clear privacy notice for processing personal data, with stricter rules for sensitive data. It can apply extraterritorially to processing aimed at people in Thailand. Analytics that collects identifiers from Thai visitors can fall in scope. This is educational, not legal advice.
What this means
The PDPA, supervised by the Personal Data Protection Committee (PDPC), protects personal data of people in Thailand and can apply to overseas controllers offering goods or services to, or monitoring, people there. Processing needs a lawful basis; for many web purposes that means consent or another documented ground. A privacy notice must explain purposes, retention, and data-subject rights.
Why it touches analytics
Analytics that captures IP addresses, device identifiers, or behaviour about identifiable Thai visitors processes personal data under the PDPA. Where consent is the basis, it should be informed and specific; where a legitimate ground is relied on, document the reasoning. Sensitive data carries stricter rules and generally requires explicit consent. Collecting less and anonymising IPs reduces the footprint the PDPA governs.
Guidance from the PDPC continues to develop, so check current sub-regulations.
- Lawful basis plus a clear privacy notice
- Extraterritorial reach for services aimed at Thailand
- Stricter handling for sensitive personal data
How it appears in analytics and logs
If your analytics stores identifiers from Thai visitors, the PDPA may apply: you need a lawful basis and a notice, and tighter rules govern sensitive data.
Diagnostic use case
Assess whether analytics processes personal data of people in Thailand, since the PDPA ties processing to a lawful basis and a clear notice.
What WebmasterID can help detect
WebmasterID minimises personal data and anonymises IPs at ingest, shrinking what the PDPA's lawful-basis and notice obligations would otherwise reach.
Common mistakes
- Assuming the PDPA only applies to Thai-registered companies.
- Relying on bundled consent for sensitive data.
- Skipping a privacy notice that states purposes and retention.
Privacy and accuracy notes
This page is educational, not legal advice. Minimised, aggregated measurement reduces how much personal data the PDPA's consent and notice rules govern.
Related pages
- Lawful basis for analytics processing
The GDPR requires a lawful basis for processing personal data. For analytics the realistic candidates are consent and legitimate interests, each with conditions: consent must be valid and is often required where ePrivacy applies to cookies, while legitimate interests demands a balancing test and grants the visitor a right to object. Picking and documenting the basis is the operator's job. This is educational, not legal advice.
- Sensitive data categories and analytics
The GDPR designates 'special categories' of personal data — racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic and biometric data, health, sex life, and sexual orientation — that warrant heightened protection and generally require an explicit lawful condition. Analytics can accidentally collect or infer such data via URLs, search terms, or profiling, which is a serious risk to avoid. This is educational, not legal advice.
- Privacy policy requirements
Privacy and data-protection laws generally require a clear, accessible privacy notice telling people what data you process, why, on what basis, who receives it, how long you keep it, and what rights they have. This page summarises, educationally, the disclosure elements transparency rules commonly expect and how analytics fits into a notice.
- Privacy-first analytics
Minimised data narrows the PDPA's consent and notice scope.
Sources and verification notes
- PDPC Thailand — Personal Data Protection Act. Official Thai data-protection authority. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.