Consenti

PDPA Compliance Guide (Thailand)

ℹ️Compliance group: opt-in — opt-in with cross-border transfer rules enforced. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.

Thailand's Personal Data Protection Act B.E. 2562 (PDPA) was enacted in 2019 and came into full enforcement on 1 June 2022. It is administered by the Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society. Consenti supports Thailand PDPA via regulation: 'pdpa-th'.

⚠️Consenti provides Partial coverage for Thailand PDPA. The consent UI and audit logging are fully supported. Cross-border transfer agreements and data localisation obligations must be managed at the infrastructure level by your legal and engineering teams.

Official references

Key requirements

RequirementDetail
Consent modelOpt-in — explicit, informed, freely given
Sensitive dataExplicit consent required (race, ethnicity, political opinions, religious beliefs, sexual behaviour, criminal records, health data, disability, trade union membership, genetic/biometric data)
MinorsUnder-10 requires parental consent; 10–20 requires at minimum assent
WithdrawalMust not be more difficult than giving consent
Cross-border transferDestination country must have adequate protection or SCCs/BCRs in place
Data Protection OfficerMandatory for large-scale or sensitive data processing
EnforcerPDPC — Personal Data Protection Committee

Enabling Thailand PDPA mode

Frontend widget

ts
new ConsentiSetup({
  core: {
    regulation: 'pdpa-th',
  },
})

Profile configuration (dashboard)

json
{
  "regulation": "pdpa-th",
  "pdpaTh": {
    "dataControllerName": "Acme Co., Ltd.",
    "dpoEmail": "[email protected]",
    "purposeDescription": "To operate the website and provide requested services."
  }
}

Cross-border transfers

PDPA Section 28 restricts sending personal data to third countries without adequate protection. Consenti's backend stores data in SQLite (local) by default. If you use the MongoDB or PostgreSQL adapter with a foreign host, ensure your Data Processing Agreement covers PDPA cross-border transfer requirements.

Erasure

http
DELETE /consenti/api/v1/consent/:visitorId