Under the new Personal Data Protection Act of Thailand (“PDPA”), sending an email newsletter to your customers, employees or business partners will now be subject to legal compliance requirements. This article summarizes the key issues:
The distribution of a newsletter will from now on require consent from the recipients. There are three types of consent that are relevant in the context of the PDPA: (1) explicit consent (opt-in), (2) implied consent and (3) opt-out consent. With regards to the distribution of email newsletters, the consent required is explicit opt-in consent.
Opt-in consent means that a person must take explicit affirmative action to offer their consent. The most common way that opt-in methods are implemented is with checkboxes. When presented with a checkbox, the data owner must take action to check the box – which denotes their consent. Opting in can be used in a variety of situations, including email and newsletter mailing lists, cookie use, and legal policy agreements. It must also be noted that where opt-in consent is required, it is the duty of the data controller to also provide a measure for unsubscribing (also usually in the form of checkboxes).
Section 95 of the PDPA states that personal data that has been previously collected by the data collector before the enactment of the PDPA can be retained and used for its original purpose. However, the data controller must provide an easy method for “consent withdrawal” for those data owners who no longer wish for their data to be collected or stored for any use by the data collector or controller. Such an easy method of opting out is e.g. clicking an “unsubscribe” button which is provided and easily visible. The aforementioned rules apply for the use of names and email addresses on a newsletter mailing list if they were collected and used before 27th May 2020.
It should be noted that the purpose of such earlier collection must have been to send email newsletters, the PDPA certainly allows only the use according to the original intended purpose.
Consent, as described above, must always be informed consent with regards to the processing of the personal data that is given. It is therefore recommended that senders of email newsletters provide detailed privacy statements to ensure that the data owners are aware of the ways their personal data is processed. A privacy statement serves this purpose: it is a statement that informs the data owner about such methods. It must be submitted to the data owner prior to the owner providing opt-in consent and may be included in the consent request, either with the full text or by providing a hyperlink to the full text.
There is usually a checkbox at the end of the privacy statement which allows the data owner to either accept the terms and agree to have his or her data collected, or reject them and prevent the data collector from collecting his or her data.
In conclusion, the PDPA requires opt-in consent to send email newsletters to the emails that have been collected after the enactment of the PDPA.
Regarding emails that were collected before the enactment of the PDPA, the act stipulates that if such emails were collected for the purpose of sending email newsletters (original intended purpose), the continuation of such activity is permitted, but there must be an easy method for unsubscribing provided to the data owner.
To ensure that the consent is informed consent, privacy statements must be provided to the data owners prior to them stating their consent.
Feel free to contact us if there are any questions regarding the Email Newsletters Under The New PDPA at [email protected].