When the Chatbot Becomes a Friend: Thailand’s Emerging Liability Question

Thailand does not yet have a reported judgment concerning allegations that a child was harmed through interactions with a companion-style AI chatbot. There is no dedicated statute for AI companions, no chatbot-specific child-safety regime, and no settled Thai authority on emotional dependency on a conversational system.

That does not make the exposure theoretical.

A child-facing conversational product can already create legal risk in Thailand. The relevant questions sit in familiar places: product design, data practices, representations made to users, and the way the service is deployed. The absence of a reported case is more likely a matter of timing than the absence of a legal framework.

Not every chatbot is the same product

A conventional chatbot answers questions, explains a concept, or completes a transaction. A companion-style system is designed to do more: sustain conversation, remember prior interactions, mirror a user’s mood, encourage disclosure, and feel like a constant, emotionally responsive presence.

For an adult, that may be a design preference. For a child or vulnerable teenager, it may change the nature of the product.

The point is not that relationship-based design is inherently improper. A conversational system can be useful, engaging, and supportive without creating legal exposure. The issue is whether the product is designed in a way that encourages a young user to treat it as a substitute for human support, and whether the operator has considered the foreseeable consequences of that design.

UNICEF has identified emotional dependency, privacy intrusion, harmful content, and displacement of real-world support as material risks in this category. The US Federal Trade Commission has likewise sought information from major providers about how they assess and limit risks to children and teenagers.[1][2]

Those are foreign developments. The underlying questions are not foreign-specific. A business serving Thai users may eventually need to explain what relationship its product was designed to create, who was realistically using it, and what safeguards existed once that relationship became unsafe.

The starting point is a wrongful-act claim, not a missing statute

A harmed user does not need a novel “AI claim” to seek compensation. Section 420 of the Civil and Commercial Code provides that a person who willfully or negligently and unlawfully injures another’s life, body, health, liberty, property, or rights is liable in damages.[3]

A claimant would still need to establish fault, unlawfulness, causation, and loss. Causation would be genuinely difficult: a child’s distress, self-harm, or psychiatric injury rarely has one clean source. That is a real evidentiary hurdle, not a reason to treat the exposure as remote.

But the conduct under examination need not be a single chatbot response. It may be an accumulation of decisions: the system’s personality design, prompts that encourage disclosure, memory features, engagement tools, weak age assurance, the handling of crisis language, and the company’s response once a foreseeable risk becomes apparent.

The question is not simply whether a chatbot “failed to save” a user. It is whether the operator’s own design and deployment choices created or amplified a foreseeable risk, and whether the safeguards were reasonable in light of that risk.

Nor does a child’s own conduct automatically end the inquiry. The Supreme Court’s consolidated judgment in Decisions Nos. 7973–7975/2548 illustrates a limited causation point in a very different context. After explosives were scattered following a negligent transport accident, the Court treated villagers’ interaction with them as foreseeable rather than as a new and independent cause.[4] The case also involved hazardous materials and statutory safety failures. It does not establish a rule for AI products. It does, however, illustrate that foreseeable intervening conduct does not necessarily end the causation analysis.

A provider may point to a child’s own actions, parental conduct, or other personal circumstances as the real cause of harm. Those matters may be important on the facts. They should not be treated as automatically dispositive. The question remains whether the injury alleged was a reasonably foreseeable consequence of the way the product was designed, marketed, and deployed.

Conversational data is not covered by a generic privacy notice

A companion-style chatbot may collect much more than a name and email address. Over time, it may receive information about a child’s family, school life, relationships, fears, physical health, and emotional state — material that can fall within the PDPA’s sensitive-personal-data regime.[5]

Thailand’s PDPA can apply to overseas organisations that offer services to, or monitor the behaviour of, persons in Thailand. Incorporation outside the country does not, by itself, remove a Thai-facing chatbot from the statute’s scope.[5]

The practical questions are specific. Can the operator identify when a user is likely to be a minor, and has it made a defensible decision about consent and legal basis? Is conversational data used to personalise responses, build profiles, target engagement, or train models — and is that explained in language a younger user could understand? Is retention limited to what the stated purpose requires?

The PDPA’s treatment of minors also goes beyond a generic click-through approach. Section 20 ties consent to a minor’s legal capacity under the Civil and Commercial Code, and specifically requires consent from the person exercising parental power for a child under ten.[5]

A privacy notice written for an e-commerce checkout does not answer those questions for a product designed to draw out a child’s inner life. As FOSR has discussed in Thailand PDPA in Its Second Phase: What Recent Developments Really Indicate, Thai privacy compliance is increasingly tested through operational accountability: whether the business can identify real data flows, apply appropriate controls, and demonstrate that its governance works in practice.

Exposure does not stop at the model developer

Potential exposure does not end with the company that built the underlying model. It may also involve the platform distributing the service, the local business marketing or configuring it for Thai users, and the organisation embedding it into an education, wellness, gaming, or consumer-facing product.

Each may control a different part of the risk: the user experience, age settings, data flow, system prompts, knowledge base, or promises made to users and parents.

A business that licenses a third-party model and presents it to Thai teenagers as a study companion sits within this analysis. So does a wellness app that adds a conversational feature without reviewing how it responds to vulnerable users, and a platform that distributes an emotionally intensive product without meaningful safeguards.

Contracts can allocate responsibility between commercial parties, but they do not determine how a regulator or court will assess actual control. A disclaimer that a chatbot is “not a therapist” may be sensible, but it will not answer a claim that the product was designed or marketed to encourage a vulnerable child to treat it as emotional support.

When an incident occurs, the dispute often turns on evidence before doctrine: which model version was live, what the system prompt said, what data was retained, what testing had been done, and what the company knew. A business that cannot reconstruct that record will be in a weaker position than one that can point to logs, testing history, and a documented decision trail.

Separately, depending on how the service is structured, an operator may also fall within Thailand’s Digital Platform Services framework.[6] That question depends on whether the service falls within the Royal Decree’s definition of an electronic intermediary platform and, if so, whether the applicable notification requirements are triggered. It is not determined merely by the fact that the product uses AI.

Those obligations may arise whether or not a child is ever harmed. A business should therefore assess the Thai-facing service itself — including its operating model, data flow, user-facing terms, and local arrangements — rather than assume that its agreement with the model provider resolves the regulatory position.

A pending AI law does not change the current picture

Thailand is developing a national AI-governance framework. The Electronic Transactions Development Agency and the Ministry of Digital Economy and Society opened consultation on draft AI-law principles in 2025. The consultation has since closed, and the draft remains under development with no confirmed enactment date.[7]

That process is worth watching, but it is not a reason to wait.

As discussed in Regulating AI Without Illusions: Technical Limits, Legal Chokepoints, and Practical Accountability, the more immediate issue is accountable deployment through existing legal and regulatory touchpoints. Product design, data handling, consumer representations, and foreseeable harm are already governed by existing law. A future AI Act may add more specific obligations. It will not create the underlying exposure from nothing.

The task now, not the prediction later

For organisations deploying conversational AI in Thailand, the immediate task is not to predict the first lawsuit. It is to identify which product features create relationship risk, who controls them, what data is collected, how minors may access the service, and whether the safeguards could withstand scrutiny after an incident.

The central question is not whether an AI system can become a friend. It is whether the company that designed it to feel like one took reasonable steps to protect the young people most likely to rely on it.


Notes

[1] UNICEF, When AI Becomes a Friend: Child Rights Risks, Harms, and Regulatory Responses to AI Chatbots and Companions (June 2026).

[2] US Federal Trade Commission, FTC Launches Inquiry into AI Chatbots Acting as Companions (11 September 2025), and related Section 6(b) materials.

[3] Civil and Commercial Code of Thailand, Section 420.

[4] Supreme Court Decisions Nos. 7973–7975/2548 (consolidated judgment).

[5] Personal Data Protection Act B.E. 2562 (2019), Sections 5, 20 and 26.

[6] Royal Decree on the Operation of Digital Platform Service Businesses Subject to Notification B.E. 2565 (2022), as applicable to the particular platform and service structure.

[7] Electronic Transactions Development Agency and Ministry of Digital Economy and Society, draft principles for an AI law, public consultation concluded 9 June 2025; the revised draft remains under development with no confirmed enactment date.


Disclaimer

This article is provided for general informational purposes only and does not constitute legal advice. The information contained in this article may not reflect the most current legal, regulatory, or policy developments and should not be relied upon as a substitute for specific legal advice.

For further inquiries, please contact Formichella & Sritawat using the contact form below.


Authors

  • M.L. Numlapyos Sritawat is a distinguished Thai legal practitioner with extensive experience in appellate litigation, including numerous appearances before the Supreme Court of Thailand. His legal practice spans complex civil and commercial disputes, with a particular emphasis on cases involving statutory interpretation and precedent-setting legal issues. Holding the honorific title "M.L."—or Mom Luang—Mr. Sritawat is a member of the Thai nobility by descent, a background that complements his dedication to public service and legal scholarship. His Supreme Court advocacy reflects a deep understanding of both procedural rigor and the evolving jurisprudence of Thailand’s highest court.

  • Naytiwut Jamallsawat is a partner at Formichella & Sritawat and a recognized legal advisor in Thailand’s telecommunications, media, and energy sectors. He represents leading multinational and Thai companies in complex legal and regulatory matters, with a focus on high-compliance industries, including telecommunications licensing, satellite operations, media platforms, and data privacy.

    In the energy sector, Naytiwut has advised on numerous greenfield and brownfield generation projects—both conventional and renewable—providing legal guidance on project development, transactional structuring, and compliance with Thai regulatory frameworks.

    He leads the firm’s specialized group of lawyers focused on telecommunications, media, technology (TMT), and data privacy. In this role, he ensures the delivery of practical, business-focused legal solutions across regulated and fast-evolving sectors. Naytiwut also works closely with founding partner John Formichella on TMT and energy mandates, providing integrated legal support on transactions and compliance matters involving international and domestic stakeholders.