News, insights and resources for data protection, privacy and cyber security leaders

Online Privacy Policies in Thailand: Designing and Implementing an Effective Policy

The “catch-all” online privacy policies in Thailand

In many countries, it is mandatory for site operators to have an online privacy policy in place. Catch-all online privacy policies, whereby operators may collect, use and share a wide range of users’ personal information are widely used by site operators. They are designed to obtain broad agreement from users in respect to processing any personal data that is collected.

The validity and enforceability of catch-all online privacy policies have been increasingly challenged. In a country like Thailand, which is still in the process of implementing its first general personal data protection law, questions commonly arise as to the degree to which online privacy policies and online consent provided by users can be enforced under the present law (i.e., in the absence of a general personal data protection law).

Thailand’s Constitution generally recognises the principle of privacy protection. It states that “a person shall have the right to privacy”, and “any act which wrongfully violates or affects the rights … or utilisation of personal data in any way is prohibited”. In addition, a number of sector-specific statutes impose personal data protection requirements on parties operating within the telecommunications, securities, banking and other industries.


What is “consent” in Thailand?

However, as Thailand lacks a general personal data protection law, there are no regulatory requirements on online privacy policies or on obtaining individual consent from users to process personal data. This means that there are no requirements on specific forms of consent (e.g., in writing, express consent, required by Thai law, etc.). Therefore, certain types of implied consent in online privacy policies may be acceptable and may constitute a privacy policy agreement with the users under Thai law.

In determining which types of implied consent are effectively sufficient, factors such as the timing of the consent provision, the person to whom consent is given or the elements of fraud, deception or misrepresentation, if any, are considered among other related circumstances.

An online privacy policy with an opt-in requirement (i.e., users are required to expressly click “I agree” after scrolling down to the end of the privacy policy terms during the process of site registration), arguably obtains a user’s consent to create an effective online privacy policy agreement between the site operator and its users. However, it should be noted that a minor — generally deemed to be a person aged less than 20 years old — who enters into a contractual transaction without parental consent could make the transaction voidable.

Another key concern is the effectiveness of catch-all provisions, which could fall within the ambit of Thailand’s Unfair Contract Terms Act. If catch-all provisions are considered as unfair by the Thai courts (i.e., they impose an excessive burden which is more than a reasonable person could have anticipated), the Unfair Contract Terms Act enables the courts to intervene by voiding or limiting any unfair terms.

There are no Supreme Court decisions on unfair catch-all online privacy policies, so it is difficult to ascertain to what degree the court will exercise its discretion when an online privacy policy term is found to be unfair. To err on the side of caution, online privacy policies should provide clear and precise explanations of the specific types of information collected, the specific activities for which the information is being used and with whom the information is shared.

The importance of review

Site operators should also keep their online privacy policies up to date with current practices. Onlinee privacy policies are not one-sided agreements — operators can enforce a policy against users, and users can enforce against operators. Therefore, if an operator has an obligation under its online privacy policy to notify affected data subjects about any material changes to personal data handling practices, and there has been a change in the handling practices (e.g., the location of the stored data or the third party vendor handling the collected data has changed), but the operator has failed to notify the affected data subjects, the operator could be seen as having broken the online privacy policy. Although monetary damages arising from such a breach would most likely be minimal, the breach could possibly cause reputational damage to the site operators and/or owners.

Site operators should regularly review their online privacy policies to ensure they are in line with current practices and do not dissuade users from interacting with their sites. An effective online privacy policy can help mitigate exposure to liability in operating a site. An ineffective online privacy policy, on the other hand, could lead to costly legal actions and a tarnished reputation.


Luxsiri Supakijjanusorn

Attorney-at-Law at Tilleke & Gibbins
Luxsiri Supakijjanusorn is an attorney-at-law in Tilleke & Gibbins’ corporate and commercial group. She has experience across a range of Southeast Asian jurisdictions, with her practice focused primarily on Thailand, Laos, and Myanmar. Luxsiri specializes in various investment and corporate matters, including outflow and inflow investment, joint venture establishment, cross-border taxation, and domestic tax. She also advises on data privacy and anticompetition issues in Thailand. With her extensive knowledge of the investment environment and regulatory landscape, Luxsiri is a contributor to the World Bank’s Doing Business guide, and she has penned numerous articles in international journals.

Latest posts by Luxsiri Supakijjanusorn

    Athistha Chitranukroh

    Of Counsel at Tilleke & Gibbins
    Athistha (Nop) Chitranukroh is Of Counsel in Tilleke & Gibbins’ corporate and commercial group. With expertise across a broad range of corporate and commercial matters, Athistha counsels domestic and multinational clients on market entry, regional operations, data privacy, distribution and commercial agreements, strategic transactions, corporate restructuring, mergers and acquisitions, and employment, among other areas. Prior to joining Tilleke & Gibbins, Athistha served as Senior Vice President – General Counsel at American International Group (AIG), where she oversaw all operations within the legal department in Thailand. She was responsible for a wide range of legal and regulatory issues in Thailand and throughout Southeast Asia and led significant restructuring, business expansion, and shared service projects. Before joining AIG Thailand, Athistha was a Counsel Member of the AIG Asia Pacific – Regional Legal Team based in Singapore. She previously worked in private practice for a number of years at DLA Piper’s Bangkok office.

    Latest posts by Athistha Chitranukroh

    Leave A Reply

    Your email address will not be published.

    Subscribe and Get 50% Off 6-Hour Workshop Video

    PIAs and the ISACA Privacy Principles: Effective Tools to Identify and Mitigate Security and Privacy Risks

    Thanks for subscribing!

    Pin It on Pinterest

    Share This