Today, asking users for cookie consent is a requirement on accessing websites. Strict PDPA affects how cookies are used. Coupled with increasing concern for privacy, gaining visitor’s trust becomes a part of branding. Cookie consent is now an important vocabulary after tougher regulations have been introduced. This article will help you understand cookie consent and what you must do to be compliant.
How Cookie Consent is Essential to Marketing after PDPA
When Personal Data Protection Act (PDPA) comes into effect, website owners, as personal data controllers, must comply with the act. For example, they must ask consent to collect data from visitors or data owners. Purposes and data types being collected must be clear stated. Thus, formats of consent banners vary based on information website owners aim to collect. Today, we will focus on cookie consent.
Before getting to cookie consent that every website is required to display, let’s take a look at PDPA first. There are 8 fundamentals that help you understand its impact on your businesses.
1. The Personal Data Protection Committee
The first fundamental of PDPA compliance is establishing Personal Data Protection Committee. The committee ensures organisations follow PDPA guidelines.
2. Extraterritorial Application
The PDPA has both territorial and extraterritorial application. This means Thailand’s PDPA applies when the government or organisations have jurisdiction over Thai citizens staying abroad. In other words, government agencies, organisations, businesses, websites, or other entities that use, collect, or disclose data on its citizens must comply with PDPA. At the same time, personal information cannot be transferred overseas.
3. Definitions
The third PDPA fundamental include definitions which are key to PDPA compliance.
- Data controller is a person or an entity who can decide the collection, use, or disclosure of personal data.
- Data processor is an entity who collect, use, or disclose personal data pursuant to orders given by or on behalf of a personal data controller.
- Personal data is information relating to a person, which can be used to identify him/her directly or indirectly.
4. Consent
PDPA requires that websites must obtain consent from users in Thailand before collecting data, using cookies and tracking tools, and disclosing any personal data. The consent can be in either written or electronic form.
5. Sensitive Personal Data
PDPA has a dedicated section for sensitive personal data, which includes health data, sexual orientation, disability, ethnic origin, political opinions, religious beliefs, and etc. The latest act forbids collection of any sensitive data without permission, except when necessary for compliance to legal claims or medical emergency.
6. Data Subject Rights
Under PDPA, data subjects have the rights to access and modify their personal data. They can also withdraw their consents at any time. After withdrawal, organisations with their data must stop processing it for marketing and other purposes.
7. Transfer of Personal Data
Data controllers are forbidden to transfer personal data to any third parties unless data subjects give explicit consent.
8. Civil and Criminal Penalties
The last fundamental of PDPA is penalties. Data controllers who do not comply with the act could be punished with both civil and criminal penalties. The fines can be up to 5 million Baht.
What is Cookie Consent?
Cookie consent is the requirement that website owners must ask for visitor’s consent to use cookies which processes personal data. Some information collected by cookies is considered personal data. Thus, websites must notify and obtain consent of non-necessary cookies first. Visitor must be able to change the consent at all times. There are 2 parts to cookie consent.
Privacy policy. Website operators or owners must display their privacy policies clearly and in detail. Users must be informed on what data will be collected, what purposes it will be used for, to whom it will be disclosed, how it will be protected, and what rights they have on the personal data. Cookie consent is shown as a banner asking for permission to use cookies during a certain period set by PDPA. Users can change their consent at any time.
Cookie Types That Requires Consent
Generally, there are 2 main types of cookies – first-party cookies and third-party cookies. First-party cookies are managed by websites users visit. Third-party cookies are managed by third parties via website components such as chatbots, social media plugins, ads, etc.
Cookies are categorised further based on functionality. Some cookies are necessary for website functions such as secure cookies, or cookies that save items in your cart whilst you are shopping online. These cookies are called strictly necessary cookies. Most privacy policies allow their use without consent. Other cookies are considered non-essential and must obtain consent before.
Who Needs Cookie Consent Banner
Generally, there are 3 types of business or website owners who must comply with PDPA
- Owners of websites that use personal data such as marketing websites or e-commerce websites.
- Websites hosted overseas, but collect data from subjects who are in Thailand.
- Websites related to processing of customer’s personal data.
In addition to cookie consent banner, PDPA requires website owners to create and enforce privacy policies. These businesses, organisations, and websites must have clear privacy policies.
- Any business collecting personal data of users or customers, such as names, e-mails, or phone numbers, for purposes of offering services or products, or marketing.
- Any website collecting log-in credentials of e-mail or social network accounts.
- Online merchants who collect customer’s payment information.
Privacy policies must cover data subject’s rights to privacy in a clear and complete manner. For owners or organisations needing legal expertise, we can offer you professional PDPA-related services which cover both creating consent banners and privacy policies. Log on to https://whitefact.co/ for more details.
Source