Bhutan ICMA

Information, Communications and Media Act of Bhutan, 2018

Flag of BT
BhutanNoticeNational
Back to Regulations Guide

Key Facts

Effective Date
January 1, 2018
Enacted
January 1, 2018
Enforcing Authority
Bhutan InfoComm and Media Authority (BICMA)
Consent Model
Notice
Applies To
Users of information, communications, and media systems in Bhutan

Overview

Bhutan has the most limited data protection framework in South Asia. The ICMA 2018 includes some privacy provisions (online privacy, payment security, unsolicited email) but lacks a standalone data protection law, dedicated DPA, or specific cookie consent provisions. The Act primarily addresses cybercrime.

What This Means for Your Website

  • No specific cookie consent requirements exist under Bhutanese law
  • Basic protections against unlawful disclosure and unauthorized access apply
  • No dedicated data protection authority exists
  • The law primarily focuses on cybercrime rather than proactive data protection
  • Only 7 of 10 second-generation data protection principles are covered

Key Requirements

BICMA oversees the ICMA with penalties for cybercrime and data protection violations, though specific amounts are not widely documented. The absence of cookie consent provisions means no specific legal obligation for consent banners.

How ConsentStack Handles This

ConsentStack applies best-practice consent for Bhutanese visitors as a precautionary measure despite the absence of specific cookie consent requirements.

Penalties

Provided for cybercrimes and data protection violations but specific amounts not widely documented.

Key Requirements

  • Protections against unlawful disclosure of data
  • Restrictions on unauthorized downloading, copying, and extraction
  • Restrictions on unauthorized access to computer material
  • Protections for payment and personal information security
  • Regulation of unsolicited email

Notable Provisions

  • Most limited data protection framework in South Asia
  • No standalone data protection law
  • No dedicated DPA
  • No cookie consent or tracking provisions
  • Primarily cybercrime-focused

Other Asia Pacific Regulations

PIPLChina
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPAThailand
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPASouth Korea
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPIJapan
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPASingapore
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy ActAustralia
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does Bhutan have cookie consent requirements?

No. Bhutan's ICMA does not include specific cookie consent or tracking provisions. It has the most limited data protection framework in South Asia.

Does Bhutan have a data protection authority?

No dedicated DPA exists. BICMA (Bhutan InfoComm and Media Authority) oversees the ICMA but focuses primarily on cybercrime.

Is Bhutan developing data protection legislation?

Bhutan has not announced plans for a standalone data protection law as of March 2026.

Stay compliant with Bhutan ICMA

ConsentStack helps you implement Notice consent for Bhutan automatically.

Get started free