The Drum Awards Festival - Extended Deadline

-d -h -min -sec

GDPR Data & Privacy Technology

What does Thailand’s Personal Data Protection Act mean for digital advertising?

January 31, 2020 | 7 min read

It seems regulators have an attachment to certain dates. On 27 May, Thailand’s new Personal Data Protection Act (PDPA) will go into force — almost two years to the day that data management practices were turned upside down by the GDPR. But the parallels between these laws run deeper than a similar birthday.


Heavily based on the GDPR, the PDPA borrows many of its rules and requirements.

Heavily based on the GDPR, the PDPA borrows many of its rules and requirements. These include several old favorites, such as the right for consumers to be informed, access data and request its deletion, alongside a strict consent provision. Unless companies can prove they meet one of several legal bases, they must gain explicit consent from individuals before collecting and using their personal data.

So much for a legal crossover, but what about the issue most interesting to marketers: how will this law impact digital advertising?

Moving with the data privacy tide

First and foremost, the PDPA’s remit makes it more pertinent at a regional level. This is not a far off regulation applying within Europe; it’s a law covering any business processing the personal data of Thailand’s citizens, whether locally based not — meaning any publisher, brand or advertiser dealing in data that can directly or indirectly identify individuals must sit up and take notice.

The legislation is also part of a wider shift in data perception and accountability that marketers, in particular, can’t afford to ignore. As highlighted by Joseph Suriya, senior marketing director at Tealium: “The GDPR ripple effect is running across Asia-Pacific, with more and more countries adopting privacy protection laws. In part, this latest step from Thailand is driven by the urge to keep up with evolving legislation, but it’s also a signal that recognition of the need to prioritize consumer privacy is growing. Regulators know consumers are increasingly aware of data use and calling for better digital safeguards, and they’re creating tighter rules to meet that need. Marketers must start following this example.”

While some industry players may be growing weary of the relentless regulatory tide, Suriya argues it’s all a matter of perspective: “instead of seeing this new law as an obstacle, they should view it as an opportunity to fulfill their ultimate goal: giving consumers what they want. By satisfying demand for greater transparency and control with enhanced privacy practices, they can win the trust and loyalty that helps build longer-lasting relationships.”

The key to unlocking the potential of compliance is in the preparation. For Suriya, a grounding of efficient data orchestration can make a major difference to the ease and complexity of abiding by the rules: “ahead of implementation, industry focus needs to be fixed on applying data first-strategy. Taking inspiration from well-regulated sectors (such as financial services) data management must go beyond basic compliance — aiming to cover the nuances and regulations of every region. For instance, brands are increasingly looking to customer data platforms (CDPs) that help form a foundation of trusted, clean data to fuel their entire stack. In addition to improving growth retention and other organizational goals, these tools provide the means to automate and coordinate consent; enabling easier data flow between departments and channels that ensures individual privacy preferences — and expectations of responsible data use — are consistently met across all interactions.”

Expanding targeting horizons

Setting data frameworks aside for a moment, the PDPA is also due to have sizeable ramifications for the everyday mechanics of digital advertising. According to Nickolas Rekeda, CMO at MGID, tougher restrictions are vital to increase data clarity and drive a necessary pivot away from increasingly narrow personalization efforts. “Any step towards making the APAC advertising industry a more transparent place should be welcomed with open arms. With the introduction of PDPA, brands can now use a newer approach to targeting their audience; using data they have gained in a trustworthy manner to appeal to users based on their interests and content they are already engaging with.”

Over the last decade, minute tailoring has become standard for digital ads, but Rekeda believes it’s time for a welcome change. “By applying a new logic and releasing ad targeting from the confines of aligning with individual profiles, marketers and brand managers can open up greater possibilities for enjoyable experiences and deeper connections through context-centric advertising. Messages can be closely matched to their specific environment, maximizing the chances of a subtle yet significant effect. When clearly labelled as ads and accurately connected to content, these ads can allow buyers and sellers to resonate with users on a personal level while avoiding data legislation pitfalls."

Shining a light on programmatic

When it comes to the automated side of online advertising, the post-PDPA outlook is mixed. On the one hand, stringent regulations could upset streamlined operations. Programmatic campaigns require vast audience insight and fast processing, but with consent needed for most data points, maintaining momentum could be difficult.

But on the other, the inner workings of automated trading and delivery could benefit from some illumination. Amid rising concerns about how data is used and where it flows, Kevin Smyth, SEA general manager at Telaria, believes there is scope for the PDPA to trigger positive progress: “in a region where there have traditionally been fewer regulatory restrictions in digital advertising, the Personal Data Protection Act (PDPA) will bring the Thai industry more in-line with Europe and put transparency in the programmatic ecosystem in focus. Transparency is always a priority for Telaria and we hope to see this regulation drive greater commitment to providing clarity across the industry.”

To be specific, refining data practices will shine a brighter light along previously dark corners of programmatic dealing. As Smyth points out: “marketers need to work in close collaboration on industry initiatives to ensure each data point in the supply chain is functioning as it should, with data processors and controllers employing best practice. This announcement — and the threat of varied and quite hefty fines — will hopefully encourage media companies to start strategy planning now to be well prepared for the May roll-out.”

Much like the GDPR before it, Thailand’s PDPA is unlikely to be the harbinger of data doom. Insight collection and application parameters might be tighter, but as industry leaders note, that’s no bad thing. With publishers, marketers and brands judged on their data processes, adopting strict privacy standards are now essential to obey the law and retain consumer confidence. Responsible data management has become a crucial competitive advantage.

Rather than railing against yet another regulation, the industry as a whole must tackle this challenge in the same way it has handled many other big changes: through a mix of pragmatism and ingenuity. By ensuring data processors abide by data legislation and exploring smart ways of maintaining relevance without personal data, digital advertising will continue to survive and thrive.

Joseph Suriya is senior marketing director at Tealium.

GDPR Data & Privacy Technology

More from GDPR

View all


Industry insights

View all
Add your own content +