How the Personal Data Protection Act will affect startups
Rules are changing for how startups in Thailand can interact with audiences online. Thailand’s upcoming Personal Data Protection Act (PDPA) will regulate how websites can collect data from their users.
As with Europe’s General Data Protection Regulation (GDPR), the PDPA will require all sites to gain clear and informed consent from users before collecting any personal data through digital cookies. The type of data being collected will need to be stated plainly to gain consent – and once collected, additional rules will govern how this data is allowed to be stored, analyzed and distributed.
Rather than having to ‘opt out’ of data collection, users under the new system will need to affirmatively ‘opt in’.
In effect, the PDPA will let ordinary internet users have greater control of their personal data online, enabling them to determine whether it is collected and how it may be used. The act was intended to take effect this year, but enforcement has been pushed back to next year due to the pandemic.
Towards an even playing field
Online businesses typically enjoy significant freedom to harvest users’ personal data for their market research and sales purposes. Often this opens the door to customized services, such as when Amazon offers shopping suggestions based on your web history. But when left unchecked, this kind of data harvesting often crosses privacy boundaries to an uncomfortable degree, something most internet users are unaware of.
The PDPA applies to all online businesses operating in Thailand but will mainly affect those that depend on third-party analytics and shared customer information. Instead of taking user data for granted, these entities – both large and small – will need to work harder to gain consent to gather and retain user data.
Startups could enjoy a competitive advantage over more established companies thanks to the PDPA. Newer software systems are typically far easier to update and adapt than older ones which are built into many legacy business models. Moreover, companies which have been collecting user data for years will need to spend considerable time and money on converting that data into a usable, PDPA-compliant format.
By making a quick pivot, startups could get a head start on using transparency to build trust with their customers and employees. Leveraging data for marketing is easier and quicker than trying to establish trust, but trust is a far sturdier base on which to build long-term customer relationships.
A fairer future for customers
The PDPA frees well-intentioned companies from a system of poor incentives. Data harvesting is an effective way to generate sales, but it can also lead to a more manipulated online experience for many users. The new regulations will provide an even playing field – not just between vendors and customers, but also between companies that have different views on the importance of digital privacy.
Websites will have to offer users something substantial in return. Companies that find creative ways to add value to their potential customers will stay ahead of their less imaginative rivals.
There are costs, of course. Software upgrades will require time and energy, frequent consent-request messages will take away from the convenience of the internet, and some services may not run as smoothly without user data as input. But on the whole, startups should welcome the return to a level playing field and a healthier internet culture which puts the privacy and needs of customers first.