E-commerce Law: Thailand, 2 of 3

May 2023

Electronic commerce, commonly known as e-commerce, refers to the Internet-based buying and selling of services and products via electronic means. E-commerce uses Internet technology, mobile business, electronic funds transfers, escrowing services, electronic data interchange, supply chain management, inventory management systems, Internet marketing, data collection systems, and many other technologies and innovative business systems. Most, if not all, e-commerce transactions use the Internet for at least one point of commerce.

E-Commerce law addresses legalities associated with e-commerce. Each type of e-commerce company must abide by specific rules and regulations, just like any other business, and can run into legal issues that require legal advice from an experienced e-commerce law practitioner.

This three-part series discusses Thailand’s e-commerce law starting with the law that covers SMS/MMS Marketing. 

For references to part 1 or 3 of this series, please see the following links:

Part 1: E-commerce Law: Thailand, 1 of 3

Part 2: E-commerce Law: Thailand, 3 of 3

Part 2 SMS/MMS Marketing


1.1. Legislation

  • Direct Sale and Direct Marketing Act B.E. 2545 (2002) (“DMA”)
  • Consumer Protection Act B.E. 2522 (1979) (“CPA”)
  • Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)

1.2. Regulatory authority guidance

Three relevant regulatory authorities are responsible for the direct marketing activity as follows:

  1. Office of the Consumer Protection Board (“OCPB”)
  • Personal Data Protection Committee (“PDPC”)
  • Ministry of Digital Economy and Society (“MDES”)


SMS/MMS:  SMS/MMS can refer to the transmissions or receptions of signs, signals, writings, images, or sounds by electromagnetic means.

SMS/MMS Marketing: Under Section 3 of the DMA, direct marketing means directly communicating an offer of a good and service to a customer to obtain the customer’s responsibility to purchase such a good and service. Therefore, SMS/MMS Marketing can certainly be regarded as direct marketing.

Personal data: According to Section 6 of the PDPA, personal data means any information relating to a person, which enables identifying such person, whether directly or indirectly, but not including the information of deceased persons.

Consent: Consent can refer to any freely given, specific, informed, and unambiguous indication from the data subject to the data controller on collecting and processing their personal data.


3.1. B2C

The PDPA states that a data controller shall not collect, use, or disclose personal data unless the data subject has provided prior written consent or on another legal basis (e.g., the performance of a contract, compliance with a law, legitimate interest, etc.). Kindly note that the telephone number of an individual is also regarded as their data. Further, please note that a data subject’s consent can be withdrawn at any time, and a data controller must put in place a system to erase or destroy personal data as necessary to comply when a data subject withdraws consent.

Therefore, as the telephone number of an individual is regarded as their data, the written consent for collecting the telephone number (i.e., personal data) of a consumer must be obtained before the provision of marketing via SMS/MMS. Please note that the customer can withdraw the consent to collect their telephone number at any time, and the consumer’s telephone number must be erased or destroyed to comply with the consent withdrawal.

3.2. B2B

The PDPA only protects living individuals and expressly excludes information relating to legal entities. Therefore, Marketing SMS/MMS sent to a generic email address for a legal entity does not require prior written consent.

3.3 Exceptions

Under the PDPA, before collecting, using, and disclosing a data subject’s data, a data controller does not require the prior written consent of the data subject if a data controller acts under the following legal circumstances:

  1. performance of a contract.
  2. compliance with law.
  3. suppressing danger to a data subject’s life.
  4. public interest; and
  5. legitimate interest.

If the marketing business operator, as a data controller, has performed under the abovementioned legal basis, prior written consent is not required.

3.4. Additional requirements

Section 27 of the DMA states that a marketing operator must register for direct marketing with the OCPB before starting operations. The offering of any advertisement to a customer via email must also comply with the CPA. The CPA prescribes that any advertisement will not be:

  1. false or exaggerated.
  2. cause misunderstanding of goods or services.
  3. directly or indirectly encouraging the commission of unlawful or immoral action which adversely affects national culture; and
  4. cause disunity or adversely affects unity among the public.

Items 3 and 4 are commonly used legal concepts in Thailand. The standard is akin to “community standards” under Common Law wherein the legal test is whether an average person, applying contemporary community standards, the dominant theme of the material taken as a whole, would encourage unlawful action or cause disunity among the public.

Right to object

Under the PDPA, a data subject shall have the right to object to processing their data under specific circumstances.

  • Personal data collected without consent due to tasks carried out in the public interest or based on a legitimate interest pursued by the data controller or third party.
  • The processing of personal data is for direct market purposes; and
  • The processing of personal data is for scientific, historical, or statistical research purposes.

However, a data controller can object to the request of a data subject and continue to collect, use, and disclose their database on two grounds:

  • A controller can demonstrate that the collection, use, and disclosure of personal data is based on a legitimate ground that overrides ta data subjects’ interests; or
  • A collection, use, and disclosure of personal data aim to establish, exercise, or defend against a legal claim.

Therefore, if the personal data are processed for direct marketing purposes, the customer, as a data subject, has the right to object at any time. Still, if a marketing provider, as a data controller, has the legal grounds mentioned above, the data controller may object to the data subject’s objection.


Thai laws have strict laws regarding minors; anyone under 20 is considered a minor. Therefore, a minor’s rights to provide consent or enter any transaction can be voidable if done without parental consent.  

However, the PDPA does not specify whether specific protection should be given when children’s data is used for marketing or collected for information society services offered directly to a child.


A marketing provider who uses databases obtained from a third party must ensure that the data has been collected lawfully (e.g., by prior consent, legitimate interest, etc.), that it is accurate and up to date, and that data subjects have consented to receive marketing emails from other operators.

The marketing provider should erase and destroy a telephone number of a data subject who withdraws consent and maintain an up-to-date list of individuals who have opted out from receiving any future marketing messages.


Thailand does not operate a national opt-out list for SMS/MMS marketing.



If the SMS/MMS marketing provider does not register with the OCPB before operating, such an operator is subject to incarceration for not more than one year or a fine of not more than THB 100,000 or both. In addition, such an operator will be fined in the amount of not more than THB 10,000 per day during the DMA violation period.


Suppose the SMS/MMS marketing business operator fails to follow the provisions in the CPA regarding the advertisement’s content. In that case, such an operator is subject to imprisonment of not more than six months, a fine of not more than THB 60,000 or both.


As for penalties under the PDPA, in the case of non-compliance, imprisonment for up to one year and/or a fine up to THB 1 million (approx. €29,700) may be imposed. The PDPA also provides authority for a court to increase the amount of compensation by up to double the actual damages at the court’s discretion as punitive damages. In addition, the authority may issue an administrative fine of up to THB 5 million (approx. €148,500) (which is subject to the severity of the circumstances) for non-compliance.

For further inquiries, please contact John Formichella or Naytiwut Jamallsawat at info@fosrlaw.com

Related Posts