
Online Privacy Policies in Thailand: Designing and Implementing an Effective Policy

The “catch-all” online privacy policies in Thailand

In many countries, it is mandatory for site operators to have an online privacy policy in place. Catch-all online privacy policies, whereby operators may collect, use and share a wide range of users’ personal information, are widely used by site operators. They are designed to obtain broad agreement from users in respect to processing any personal data that is collected.

The validity and enforceability of catch-all online privacy policies have been increasingly challenged. In a country like Thailand, which is still in the process of implementing its first general personal data protection law, questions commonly arise as to the degree to which online privacy policies and online consent provided by users can be enforced under the present law (i.e., in the absence of a general personal data protection law).

Thailand’s Constitution generally recognises the principle of privacy protection. It states that “a person shall have the right to privacy”, and “any act which wrongfully violates or affects the rights … or utilisation of personal data in any way is prohibited”. In addition, a number of sector-specific statutes impose personal data protection requirements on parties operating within the telecommunications, securities, banking and other industries.

What is “consent” in Thailand?

However, as Thailand lacks a general personal data protection law, there are no regulatory requirements on online privacy policies or on obtaining individual consent from users to process personal data. This means that no specific form of consent (e.g., in writing, express consent, etc.) is required by Thai law. Therefore, certain types of implied consent in online privacy policies may be acceptable and may constitute a privacy policy agreement with the users under Thai law.

In determining which types of implied consent are effectively sufficient, factors such as the timing of the consent provision, the person to whom consent is given or the elements of fraud, deception or misrepresentation, if any, are considered among other related circumstances.

An online privacy policy with an opt-in requirement (i.e., users are required to expressly click “I agree” after scrolling down to the end of the privacy policy terms during the process of site registration), arguably obtains a user’s consent to create an effective online privacy policy agreement between the site operator and its users. However, it should be noted that a minor — generally deemed to be a person aged less than 20 years old — who enters into a contractual transaction without parental consent could make the transaction voidable.

Another key concern is the effectiveness of catch-all provisions, which could fall within the ambit of Thailand’s Unfair Contract Terms Act. If catch-all provisions are considered as unfair by the Thai courts (i.e., they impose an excessive burden which is more than a reasonable person could have anticipated), the Unfair Contract Terms Act enables the courts to intervene by voiding or limiting any unfair terms.

There are no Supreme Court decisions on unfair catch-all online privacy policies, so it is difficult to ascertain to what degree the court will exercise its discretion when an online privacy policy term is found to be unfair. To err on the side of caution, online privacy policies should provide clear and precise explanations of the specific types of information collected, the specific activities for which the information is being used and with whom the information is shared.

The importance of review

Site operators should also keep their online privacy policies up to date with current practices. Online privacy policies are not one-sided agreements — operators can enforce a policy against users, and users can enforce against operators. Therefore, if an operator has an obligation under its online privacy policy to notify affected data subjects about any material changes to personal data handling practices, and there has been a change in the handling practices (e.g., the location of the stored data or the third-party vendor handling the collected data has changed), but the operator has failed to notify the affected data subjects, the operator could be seen as having broken the online privacy policy. Although monetary damages arising from such a breach would most likely be minimal, the breach could possibly cause reputational damage to the site operators and/or owners.

Site operators should regularly review their online privacy policies to ensure they are in line with current practices and do not dissuade users from interacting with their sites. An effective online privacy policy can help mitigate exposure to liability in operating a site. An ineffective online privacy policy, on the other hand, could lead to costly legal actions and a tarnished reputation.