E-commerce Law (Direct Sales and Marketing Act, Consumer Protection Act, and Personal Data Act): Thailand, Part 3 of a 3-Part Series


May 2023

Electronic commerce, commonly known as e-commerce, refers to the Internet-based buying and selling of services and products via electronic means. E-commerce uses Internet technology, mobile business, electronic funds transfers, escrowing services, electronic data interchange, supply chain management, inventory management systems, Internet marketing, data collection systems, and many other technologies and innovative business systems. Most, if not all, e-commerce transactions use the Internet for at least one point of commerce.

E-Commerce law addresses legalities associated with e-commerce. Each type of e-commerce company must abide by specific rules and regulations, just like any other business, and can run into legal issues that require legal advice from an experienced e-commerce law practitioner.

This third part of a three-part series discusses Thailand’s e-commerce law on Telemarketing. 

For references to part 1 or 2 of this series, please see the following links:

Part 1: E-commerce Law: Thailand, 1 of 3

Part 2: E-commerce Law: Thailand, 2 of 3

Part 3: Telemarketing


1.1. Legislation

  • Direct Sale and Direct Marketing Act B.E. 2545 (2002) (“DMA”)
  • Consumer Protection Act B.E. 2522 (1979) (“CPA”)
  • Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)

1.2. Regulatory authority guidance

Please note that 3 relevant regulatory authorities are responsible for the direct marketing activity. Kindly see the following relevant regulatory authorities below:

  1. Office of the Consumer Protection Board (“OCPB”)

The OCPB has issued the following guidance:

  • Guidance on consumer protection regarding the advertisement (only available in Thai via the OCPB’s website) and
  • Guidance on e-register for direct marketing (only available in Thai via the OCPB’s website).
  • Personal Data Protection Committee (“PDPC”)

Currently, there is no PDPC’s guidance regarding Telemarketing and the PDPA.

  • Ministry of Digital Economy and Society (“MDES”)

Currently, there is no MDES guidance regarding Telemarketing and the PDPA.


Marketing Calls: There is no definition of ‘marketing calls’ in Thai law. However, the CPA refers to advertising media as a thing used as advertising media, such as telephone. Per Article 29 of the DMA, the provisions regarding consumer protection for the part involving advertisement under the law on consumer protection, which covers Marketing Calls, shall apply to the communication of information to offer the sale of goods or services of the direct marketing business operator, mutatis mutandis.

Personal data: According to Section 6 of the PDPA, personal data means any information relating to a person that enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons.

Consent: There is no specific definition of consent under Thai law. However, consent can refer to any freely given, specific, informed, and unambiguous indication from the data subject to the data controller on collecting and processing their personal data.


3.1. B2C

Consent requirements between person-to-person and automated calls in the business-to-consumer (‘B2C’) are as follows:

Person to Person Calls

The PDPA states that the data controller shall not collect, use, or disclose personal data unless the data subject has provided prior consent or performed on another legal basis (e.g., the performance of a contract, compliance with a law, legitimate interest, etc.). Kindly note that the telephone number of an individual is also regarded as their data; the consent of such a person must be obtained before collection, utilization, and disclosure of such personal data. Further, please note that the consent of a data subject can be withdrawn at any time, and a data controller is obliged to put in place the examination system for the erasure or destruction of personal data as necessary to comply when a data subject withdraws consent.

Therefore, as the telephone number of an individual is regarded as its personal data, the consent for collecting the telephone number (i.e., personal data) of a consumer must be obtained before the provision of marketing via telephone number in the business to the consumer (B2C). Please note that the customer can withdraw their consent to collect their telephone number at any time, and the consumer’s telephone number must be erased or destroyed to comply with the consent withdrawal.

Further, please be informed that based on the Royal Decree on Organizations and Businesses of which Personal Data Controllers are Exempt from Complying with the Personal Data Protection Act No.1 and 2 (“Royal Decree”), the enforcement date of the PDPA has been postponed to 1 June 2022. The Royal Decree lists various types of businesses qualified for the extension of the enforcement, including businesses in communication, telecommunication, digital, science, technology, banking, education, industrial and commercial industries, among others.

However, the CPA states that Marketing calls advertisement shall not contain any statement which is unfair to consumers or any statement which may produce adverse effects on society at large, be it a statement as to origins, conditions, qualities, or characteristics of goods or services as well as the delivery, procurement or use of goods or services.

The following statements are deemed to be statements that are unfair to consumers or statements that may produce adverse effects on society at large:

(1)          a false or exaggerated statement.

(2)          a statement causing fundamental misunderstanding as to the goods or services, whether it is made through the use or reference to technical reports, statistics, or anything false or exaggerated or not.

(3)          a statement directly or indirectly supporting a violation of law or morals or conducive to cultural depreciation of the nation.

(4)          a statement causing disunity or prejudice amongst people.

(5)          other statements as prescribed in the Ministerial Regulation.

Moreover, Marketing calls shall not be conducted by any means that may be harmful to health or cause physical or mental harm or may cause disturbances to consumers, as specified in Section 23 of the CPA.

Automated Calls

Under Thai Laws, prior consent is not required when making automated B2B telemarketing calls to the general number of a business/legal entity (opt-out).

3.2. B2B

Consent requirements between person-to-person and automated calls in the business-to-business (‘B2B’) context.

Person-to-Person Calls

Organizations are not required to obtain prior consent when making B2B telemarketing calls to the main company telephone number.

Automated Calls

Under Thai Laws, prior consent is not required when making automated B2B telemarketing calls to the general number of a business/legal entity (opt-out).

3.3. Exceptions

According to the PDPA, before collecting, using, and disclosing data subject’s data, a data controller does not require the prior consent of the data subject if a data controller has performed under the following legal basis:

1)      Performance of a contract

2)      Compliance with a law

3)      Suppressing danger to a data subject’s life

4)      Public interest; and

5)      Legitimate interest

In case the marketing business operator, as a data controller, has performed under the abovementioned legal basis, prior consent is not required to obtain.

3.4. Additional requirements

According to Section 27 of the DMA, please note that before direct marketing to the customer (both individual and legal entity or business), the marketing operator must register to operate direct marketing with the OCPB. The offering of any advertisement to a customer via telephone number must also comply with the provision of advertising under the CPA. The CPA prescribed that the advertisement will not be:

1)            false or exaggerated.

2)            cause misunderstanding in the essential elements concerning goods or services.

3)            directly or indirectly encouraging the commission of unlawful or immoral action which adversely affects the national culture; and

4)            cause disunity or adversely affect the unity among the public.

Right to object

Under the PDPA, a data subject shall have the right to object to the processing of their data under specific circumstances.

  • Personal data that is collected without consent due to tasks carried out in the public interest or based on a legitimate interest pursued by the data controller or third party.
    • The processing of personal data is for direct market purposes and
    • The processing of personal data is for scientific, historical, or statistical research purposes.

However, a data controller can object to the request of a data subject and continue to collect, use, and disclose their database on 2 grounds:

  • A controller can demonstrate that the collection, use, and disclosure of personal data is based on a legitimate ground that overrides the data subjects’ interests or
    • A collection, use, and disclosure of personal data has the purpose of establishing, exercising, or defending against a legal claim.

Therefore, if the personal data are processed for direct market purposes, the customer, as a data subject, has the right to object at any time, but if a marketing provider, as a controller, has a legal ground we mentioned above, the provider shall object the request of the recipient of the telemarketing.


As the PDPA does not define “child” not “children”, and where the minor’s consent is not an act which the minor may be entitled to provide, as prescribed under the Code, or where the minor is under the age of 10 years, consent must be obtained from the holder of the parental responsibility for the child.

In addition, the PDPA does not specify whether specific protection should be given when children’s data is used for marketing or collected for information society services offered directly to a child.


The marketing provider who uses databases obtained from a third party must ensure that the data has been collected lawfully (e.g., by prior consent, legitimate interest, etc.), that it is accurate and up to date, and that the individuals have consented to receive telemarketing.


Thailand does not operate a national opt-out list for Telemarketing.



If the Telemarketing provider does not register to be a direct marketing business operator and operates the direct marketing business illegally, such operator shall be subject to an imprisonment penalty for not more than 1 year or a fine for not more than THB 100,000 or both. In addition, such an operator will be fined in the amount of not more than THB 10,000 per day during the period of violation of the DMA.


In case the Telemarketing business operator fails to follow the provision prescribed in the CPA regarding the content of the advertisement, such operator will have a penalty for imprisonment, not more than 6 months, or a fine in the amount of not more than THB 60,000 or both.


Regarding the penalties under the PDPA, in the case of non-compliance, imprisonment for up to one year and/or a fine up to THB 1 million (approx. €29,700) shall be imposed. The PDPA also provides authority for a competent court to increase the amount of compensation by up to double the actual damages at the court’s discretion as punitive damages. In addition, an administrative fine of up to THB 5 million (approx. €148,500) (which is subject to the severity of the circumstances) may be issued by the authorities for non-compliance.

For further inquiries, please contact John Formichella or Naytiwut Jamallsawat at info@fosrlaw.com

Related Posts