
ETDA Recommendation on Electronic Privacy Notices and Consent

On 29 September 2021, the Electronic Transactions Development Agency (ETDA) of the Ministry of Digital Economy and Society issued its Recommendation on ICT Standard for Electronic Transactions on Electronic Privacy Notices and Consent (“E-Privacy Recommendation”). This E-Privacy Recommendation aims to give a guideline and standard recommendation on what should be included in privacy notices for electronic transactions, as well as provide suggestions on obtaining consent, recording of consent and consent management.

The E-Privacy Recommendation is mainly based on the Personal Data Protection Act B.E. 2562 (2019) (PDPA), which will come fully into force as of June 2022. Some suggestions in the E-Privacy Recommendation are not compulsory under the PDPA; rather, they are suggestive and normative. The recommendations are categorised into three levels using three terms, i.e. “shall”, “should” and “may”.

Regarding a privacy notice, the E-Privacy Recommendation recommends that it should be concise, clearly written and easy to understand even for data subjects who do not have experience in law or any technical background. In such regard, a data controller shall make available a privacy notice in the Thai language for Thai data subjects. Moreover, a privacy notice in the native language(s) of targeted foreign data subjects should also be available. 

In a privacy notice, a data controller shall inform data subjects about the types of personal data to be collected; this may be in a list format. A privacy notice should also include how personal data will be collected, e.g. directly obtained from the data subjects; indirectly obtained by an agent; monitoring of behaviour; or inferred data (inferred data is user data generated by a system and not explicitly provided by the user). The E-Privacy Recommendation additionally suggests that a data controller should also inform about the nature of personal data that will be processed, i.e. whether it is raw personal data, inferred data from analysis or in combination with other information.

Furthermore, it is also suggested that if the processing activities pose a high risk to the privacy rights of the data subjects, the data subjects should also be informed of such risk in a privacy notice.

For consent management, the E-Privacy Recommendation suggests that a data controller shall record all consent and also send a consent receipt to a data subject after obtaining his/her consent. The record of consent and consent receipt would together create clear evidence for both sides, which may help to avoid any potential problems regarding the processing in the future.

Please note that this E-Privacy Recommendation has no legally binding effect, but it shall nevertheless be considered as a guideline or suggested practice for business. Adopting this E-Privacy Recommendation would help mitigate the risk of non-compliance with the PDPA and also other laws relevant to the privacy rights and freedom of data subjects.