E-commerce Law: Thailand, Part 1 of 3

April 2023

Electronic commerce, commonly known as e-commerce, refers to the Internet-based buying and selling of services and products via electronic means. E-Commerce uses Internet technology, mobile business, electronic funds transfers, escrowing services, electronic data interchange, supply chain management, inventory management systems, Internet marketing, data collection systems, and many other technologies and innovative business systems. Most, if not all, e-commerce transactions use the Internet for at least one point of commerce.

E-Commerce law addresses legalities associated with e-commerce. Each type of e-commerce company must abide by specific rules and regulations, just like any other business, and can run into legal issues that require legal advice from an experienced e-commerce law practitioner.

This three-part series discusses Thailand’s e-commerce law starting with the law that covers E-Marketing.

For references to part 2 or 3 of this series, please see the following links:

Part 2: E-commerce Law: Thailand, 2 of 3

Part 3: E-commerce Law: Thailand, 3 of 3

Part 1 E-Marketing


· Direct Sale and Direct Marketing Act B.E. 2545 (2002) (“DMA”)

· Consumer Protection Act B.E. 2522 (1979) (“CPA”)

· Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)

· Computer-Related Crime Act B.E. 2550 (2017) (“CCA”)

Regulatory authority guidance 

Please note that three relevant regulatory authorities are responsible for direct marketing activity as follows:

1) Office of the Consumer Protection Board (“OCPB”)

The OCPB has issued the following guidance relating to E-marketing:

· Guidance on consumer protection regarding the advertisement; and

· Guidance on e-registration for direct marketing.

2) Personal Data Protection Committee (“PDPC”)

To date, there is no specific PDPC guidance regarding E-marketing, but as written below, there are concepts of data protection that generally apply to E-Marketing.

3) Ministry of Digital Economy and Society (“MDES”)

Like the PDPC, there is no current MDES guidance regarding E-marketing, PDPA, or the CCA, but as written below, there are legal concepts that generally apply.


Direct marketing: According to Section 3 of the DMA, direct marketing means communicating an offer of goods and services to a customer directly to obtain the customer’s responsibility to purchase such goods and services.

Email: There is no specific definition of “email” prescribed under Thai law. However, the Email Charter can refer to an ‘electronic message’ as any text, voice, sound, or image sent electronically, a generally accepted definition in Thailand both commercially and legally.

Email Marketing: No specific definition of email marketing is prescribed under Thai law. However, email marketing can refer to sending any message intended to promote, directly or indirectly, goods, services, or the image of a person selling goods or providing services. 

Personal data: According to Section 6 of the PDPA, personal data means any information relating to a person which enables the identification of such person, whether directly or indirectly, but not including the information of deceased persons.

Consent: There is no specific definition of consent under Thai law. However, consent can legally refer to any freely given, specific, informed, and unambiguous indication from the data subject to the data controller on collecting and processing their personal data.

Spam: There is no specific definition of spam prescribed under Thai law. However, in a general legal sense, spam can refer to simple unsolicited commercial emails or scam emails.



The PDPA states that a data controller shall not collect, use, or disclose personal data unless the data subject has provided prior consent or the data controller is acting on another legal basis (e.g., the performance of a contract, compliance with a law, legitimate interest, etc.).

Kindly note that a person’s email address is also regarded as personal data under the PDPA, which requires written consent from the data owner before collection, utilization, and disclosure. Further, please note that a data subject’s consent can be withdrawn at any time, and a data controller is obliged to put in place a system for the erasure or destruction of personal data as necessary to comply when a data subject withdraws consent.

Therefore, as an individual’s email address is regarded as personal data, consent for collecting their email address (i.e., personal data) must be obtained before the utilisation for marketing purposes. Customers can withdraw their consent to collect their email addresses anytime. To comply with a consent withdrawal, a consumer’s email address must be erased or destroyed.


The PDPA only protects living individuals and expressly excludes information relating to legal entities. Therefore, marketing emails sent to generic email addresses of legal entities do not require prior written consent.

Social Media Marketing

The DMA, CPA, PDPA, and CCA (“Statutes”) will also apply to social media marketing. The Statutes do not differentiate between social media and email. Therefore, prior written consent must be obtained when providing social media marketing. Such consent can be withdrawn at any time. After the customer withdraws their consent, the consumer’s email address must be erased or destroyed to comply with the consent withdrawal.

Viral Marketing

As the Statutes do not differentiate between viral marketing and email marketing, in case the marketing business operator wants to provide viral marketing, prior written consent for collecting recipients’ email addresses is also required. 


Under the PDPA, a data controller does not require the prior written consent of the data subject before the collection, utilisation, and disclosure of the data subject’s data if the data controller has performed such action under one of the following legal bases:

1) performance of a contract;

2) compliance with the law;

3) suppressing danger to a data subject’s life;

4) public interest; and

5) legitimate interest.

If a marketing business operator, as a data controller, has acted under one of the abovementioned legal bases, prior written consent from the data subject is not required.

Additional requirements

According to Section 27 of the DMA, before direct marketing to customers (whether an individual or a legal entity), a marketing operator must register with the OCPB as a direct marketing business operator. The offering of any advertisement to a customer via email must also comply with the CPA.

Further, sending computer data or electronic mail to others (i) while covering up or counterfeiting the source of the sender in a manner that disturbs the routine use of others’ computer systems; or (ii) without an opt-out clause allowing the recipient to cancel or deny reception, in a way that is found to disturb the recipient, will be regarded as an offence under Section 11 of the CCA. The definition of “disturb” is subjective but is generally understood to cover emails that cause harm to a computer, are intended to offend, or violate community standards. Therefore, email marketing must comply with the conditions prescribed in the CCA.

Right to object

Under the PDPA, a data subject has the right to object to the processing of their data under specific circumstances:

  • Personal data collected without consent due to tasks carried out in the public interest or based on a legitimate interest pursued by the data controller or third party;
  • The processing of personal data is for direct marketing purposes; and
  • The processing of personal data is for scientific, historical, or statistical research purposes.

However, a data controller can refuse the request of a data subject and continue to collect, use, and disclose their data on two grounds:

  • A controller can demonstrate that the collection, use, and disclosure of personal data is based on a legitimate ground that overrides the data subjects’ interests; or
  • The collection, use, and disclosure of personal data aim to establish, exercise, or defend against a legal claim.


The PDPA does not define “child” or “children”. Thai laws are generally strict regarding minors; anyone under 20 is considered a minor. The minor’s rights to provide consent or enter into any transaction can be voidable if done without parental consent. 


A marketing provider who uses databases obtained from a third party must ensure that the data has been collected lawfully (e.g., with prior written consent, legitimate interest, etc.), that it is accurate and up to date, and that the individuals have consented to receive marketing emails from other operators.

A marketing provider should erase and destroy any email address for which a data subject has withdrawn consent and maintain an up-to-date list of individuals who have opted out of receiving future marketing messages.


Thailand does not operate a national opt-out list for E-marketing.



If an E-marketing provider does not register as a direct marketing business operator as the law requires, such an operator shall be subject to imprisonment for not more than one year or a fine of not more than THB 100,000, or both. In addition, such an operator will be fined not more than THB 10,000 per day during the DMA violation period.


If an E-marketing business operator fails to follow the provisions prescribed in the CPA regarding the advertisement’s content, such an operator will be subject to imprisonment for not more than six months or a fine of not more than THB 60,000, or both.


As for penalties under the PDPA, in the case of non-compliance, imprisonment for up to one year and/or a fine up to THB 1 million (approx. €29,700) applies. Furthermore, the PDPA also provides authority for a competent court to increase the amount of compensation by up to double the actual damages at the court’s discretion as punitive damages. In addition, the authority may issue an administrative fine of up to THB 5 million (approx. €148,500) (subject to the severity of the circumstances) for non-compliance. 


Under the CCA, sending computer data or electronic mail to others (i) while covering up or counterfeiting the source of the data in a manner that disturbs the routine use of others’ computer systems is punishable by a fine of not more than THB 100,000; and (ii) without an opt-out clause allowing the recipient to cancel or deny reception, in a way that is found to disturb the recipient of such data or electronic mail, is punishable by a fine of not more than THB 200,000.

For further inquiries, please contact John Formichella or Naytiwut Jamallsawat at info@fosrlaw.com
