PDPA and Website Cookies: What Businesses Should Know

Modern business websites are not just for showcasing products, services, or promotions; they also collect customer data almost constantly. This includes everything from contact forms and newsletter subscriptions to membership systems and cookies used to analyze behavior and target specific advertisements. Therefore, PDPA and cookie compliance aren't just about fulfilling all the required documentation; they are an integral part of brand credibility and customer peace of mind when using the website.

How does the PDPA relate to websites?

The PDPA, or Personal Data Protection Act, immediately applies to websites when they collect, use, or disclose information that can be linked to individuals, such as names, phone numbers, email addresses, IP addresses, user account information, purchase history, or information entered through contact forms.

In its earlier article on the PDPA and websites, Creative summarized that website owners should consider this from the beginning of website development rather than adding it after the website is completed. If the structure, forms, membership system, or marketing tools are designed without personal data in mind, changing them later is often more complicated than expected.

The PDPA does not prohibit data collection, but the data must be collected with a clear justification.

Websites can collect customer data, but it should be clear what that data is for, only what is necessary, how long it will be used, who it will be shared with, and how customers can claim their rights. The simple principle is: don't collect data without knowing what you'll use it for, because unnecessary data could become a burden when it comes time to maintain security or explain things to customers.

What types of information on the web are considered personal data?

Personal information on websites isn't limited to names and phone numbers. Sometimes, technical data can be linked to users, such as IP addresses, cookie IDs, device IDs, or behavioral data that can be combined with other information to identify individuals. Websites using membership systems, remarketing advertising, or analytics tools should therefore clearly check what types of data are flowing through their systems.

Examples of common places where a website collects data.

  • Contact form, request a quote, sign up for membership, or book a service.
  • Ordering system and payment history.
  • Chat system or appointment scheduling channel.
  • Website visitor behavior analysis tools
  • Cookies for advertising, measurement, or user recognition.

Questions to ask before adding a new form.

Is this information necessary for providing the service? If this information isn't collected, will we still be able to contact the customer? Who on the team will see this information, and to what tools will the information be shared? Asking these questions helps to shorten the form, make it easier to use, and reduce data risk.

[Illustration: cookie consent and cookie types on a website, shown with option cards, a privacy key, and a cookie token]

Some types of cookies are essential for a website to function, such as remembering items in the shopping cart, security, or login. However, cookies for behavioral analytics and advertising are often involved in user tracking, so they should be clearly explained to users and allow them to make appropriate choices.

Good cookie consent shouldn't just be a text bar with a single "Accept All" button prominently displayed. Instead, it should indicate the type of cookie, its purpose, and provide options to manage consent, such as accepting only necessary cookies, selecting specific categories, or changing one's mind later.

Types of cookies that should be clearly categorized.

  • Essential cookies: Needed for the website to function normally, such as maintaining security or remembering basic state.
  • Analytics cookies: Used to measure website performance, visitor count, and overall user behavior.
  • Marketing cookies: Used for advertising, tracking campaigns, or remarketing.
  • Third-party cookies: Set by external tools such as analytics, pixels, chat, video embeds, or advertising systems.

Don't forget to save proof of consent.

If a website has a consent management system, it should keep records of what users selected and when, and provide a way to change those settings. Good consent isn't a one-time transaction; it should allow for retrospective review and appropriate correction.
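The consent record described above (which categories the user chose, when they chose them, and a way to change that choice later) can be modelled with a small amount of client-side code. The block below is an added example written for this article; it is not code from the original page or from Creative. The category names, the cookie name `cookie_consent`, the `POLICY_VERSION` value, and the integration list are constructed assumptions. Rendering the banner and actually loading scripts are left to the caller; the functions here only decide what is allowed and keep the audit trail.

```javascript
// Added example: a minimal cookie-consent record for the four categories the
// article lists. Pure data handling only; no DOM access, so it runs in Node.

const CATEGORIES = ["essential", "analytics", "marketing", "thirdParty"];

// Constructed placeholder: bump this whenever the cookie policy changes so that
// consent given under an older policy is no longer treated as valid.
const POLICY_VERSION = "2024-06-01";

// Constructed sample of integrations and the category each one needs.
const INTEGRATIONS = [
  { name: "cart-session", category: "essential" },
  { name: "analytics-tag", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
  { name: "chat-widget", category: "thirdParty" },
];

// Build a consent record from the user's choices. Essential cookies are always
// on because the site cannot function without them; every other category
// defaults to false, so an "Accept all" button has to set them explicitly and
// a pre-ticked default is impossible by construction.
function createConsentRecord(choices, now = new Date()) {
  const record = { version: POLICY_VERSION, timestamp: now.toISOString(), categories: {} };
  for (const c of CATEGORIES) {
    record.categories[c] = c === "essential" ? true : choices[c] === true;
  }
  return record;
}

// True only when a stored record explicitly allows the category under the
// current policy version. A missing, stale, or malformed record counts as
// "no consent", so non-essential scripts stay unloaded until the user decides.
function isAllowed(record, category) {
  if (category === "essential") return true;
  if (!record || record.version !== POLICY_VERSION) return false;
  return record.categories?.[category] === true;
}

// Withdraw one category: returns a new record with that category off and a
// fresh timestamp, keeping the previous choice in a history array so the
// change can be reviewed later.
function withdraw(record, category, now = new Date()) {
  if (category === "essential") throw new Error("essential cookies cannot be withdrawn");
  const updated = createConsentRecord({ ...record.categories, [category]: false }, now);
  updated.history = [
    ...(record.history || []),
    { timestamp: record.timestamp, categories: record.categories },
  ];
  return updated;
}

// Serialize the record as a first-party cookie. JSON must be URL-encoded to
// be a valid cookie value; Secure and SameSite=Lax keep it from leaking over
// plain HTTP or in cross-site requests, and Max-Age bounds how long a choice
// is remembered before the user is asked again (180 days here).
function toCookieString(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `cookie_consent=${value}; Path=/; Max-Age=${180 * 24 * 3600}; Secure; SameSite=Lax`;
}

// Parse the record back out of a Cookie header / document.cookie string.
// Anything that fails to parse is treated as absent rather than trusted.
function parseConsentCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "cookie_consent") {
      try {
        return JSON.parse(decodeURIComponent(rest.join("=")));
      } catch {
        return null;
      }
    }
  }
  return null;
}

// Names of the integrations the caller may load for this record.
function allowedIntegrations(record, integrations = INTEGRATIONS) {
  return integrations.filter((i) => isAllowed(record, i.category)).map((i) => i.name);
}
```

In practice the site stores `toCookieString(record)` once the banner is submitted, calls `parseConsentCookie(document.cookie)` on each page load, and only injects the scripts returned by `allowedIntegrations`. Because `isAllowed` rejects records from an older `POLICY_VERSION`, adding a new category or a new third-party tool forces a fresh consent rather than silently reusing an old one.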

Privacy Policy and Pre-Collection Notification.

[Illustration: privacy policy and PDPA-compliant lead form, shown with a blank form card, a document envelope, a stamp, and a data key]

A privacy policy is a document that tells users what data a website collects, how it's used, the legal basis or justification for doing so, how long the data is retained, who it's shared with, and what rights the data owner has. However, in areas where forms are filled out, a short message should be included near the form so customers immediately know how the information they provide will be used.

If the website has a contact form, keep in mind that there are many types of forms, such as "Contact Us," "Subscribe to Newsletter," "Request a Quote," or "Download Documents." Each form may have a different purpose, so the same notice should not be reused for every form without considering the context.

The Privacy Policy should be easier to read than you think.

Many websites write extremely long policy statements that are too much for most people to read. The crucial information should be communicated in business terms that customers can understand. For example, clearly explaining why we collect this data: to contact you, to send products, to analyze usage, or to send you information with your consent. The clearer the communication, the more customers feel the brand is being honest about their data.

How to collect leads for marketing without interruption.

Many business websites want to collect leads so that their sales or marketing teams can contact them, such as for quotes, consultations, trial offers, or promotions. It's important to avoid vague leads; clearly state what the customer will be contacted for, and provide separate options for additional information or updates.

If the business runs a digital marketing campaign, collecting data systematically from the start helps identify where leads are coming from, what products they are interested in, and how to follow up, without having to scour scattered information across multiple chats or spreadsheets.

Points to watch out for when running a campaign.

  • Do not use the pre-selected checkbox for receiving news.
  • Separate requested callbacks from promotional subscriptions.
  • Clearly state the contact information and method for withdrawing consent.
  • Restrict access to lead information for team members.
  • Check external tools that receive data, such as CRM, email marketing, or advertising systems.

Important Note

This article provides general information for website owners and is not specific legal advice. If your business stores sensitive data, has a large membership system, or sends data internationally, you should consult a legal professional or data privacy administrator.

Check the PDPA and Cookie checklist before opening a website.

[Illustration: PDPA and cookie readiness checklist for business websites, shown with a policy folder, task cards, and a privacy key]

Before launching a website or starting an advertising campaign, thoroughly check the content, system, and team members. PDPA isn't just about placing banner cookies; it involves how data is collected, used, transferred, and managed throughout its lifecycle.

Checklist of things to check.

  • There is a Privacy Policy that reflects the actual usage of the website.
  • There is a Cookie Policy, or a section that explains cookies in an easy-to-understand way.
  • Separate necessary, analytics, and marketing cookies appropriately.
  • The data collection form has a message stating the purpose near the data entry point.
  • There are methods available for users to contact us to exercise their data subject rights.
  • Know which external tools receive data from the website.
  • Someone is responsible for correcting, deleting, or exporting data as requested.

Ongoing support after going online.

After the website is live, you should re-check any new plugins, analytics tools, advertising campaigns, or forms, as these may change how the website collects and transmits data. A website maintenance service helps your team remember to check these points whenever the website changes.

In summary: Trustworthy websites should be transparent about their information.

The PDPA and cookies aren't something to be intimidated by, but rather an opportunity for businesses to communicate with customers transparently. When websites clearly state what data they collect, what it's used for, and give users more control, trust is built more easily than with websites that request all information but offer no explanation.

Set up your website to be ready for both marketing and privacy.

If your business is looking for a new website or wants to upgrade your existing one to include lead generation forms, cookie consent, privacy policy, and a more organized marketing system, Creative can help design a website that is ready for use and can be maintained long-term.

Consult with our Creative team about website development.
