Laos LEDP

Law on Electronic Data Protection No. 25/NA

Flag of LA
LaosNoticeNational
Back to Regulations Guide

Key Facts

Effective Date
May 12, 2017
Enacted
May 12, 2017
Enforcing Authority
Ministry of Technology and Communications (MTC)
Consent Model
Notice
Applies To
Individuals, organizations, and legal entities handling electronic data within Lao PDR, including foreign entities

Overview

Laos's LEDP provides a basic framework for electronic data protection, classifying data into general and protected categories. Unlike most of its ASEAN neighbors, Laos follows a notice-only/opt-out model rather than requiring prior opt-in consent, making it one of the less developed data protection frameworks in the region.

What This Means for Your Website

  • Data controllers must inform individuals about data collection (notice-based)
  • Individual rights include access, rectification, erasure, and opt-out
  • The law covers foreign entities without physical presence in Laos
  • Enforcement mechanisms are limited compared to more modern ASEAN laws
  • Specific penalty amounts are not publicly documented

Key Requirements

The Ministry of Technology and Communications oversees the LEDP. Data is classified into general and protected categories with corresponding controller responsibilities. Individual rights include being informed, access, rectification, erasure, and objection/opt-out.

How ConsentStack Handles This

ConsentStack applies appropriate notice and opt-out mechanisms for Laotian visitors, meeting the LEDP's requirements.

Penalties

Not publicly documented in specific amounts.

Key Requirements

  • Data classified into general and protected categories
  • Data controllers responsible for managing electronic data
  • Individual rights: informed, access, rectification, erasure, objection/opt-out
  • Foreign entities without physical presence covered
  • Security measures required

Notable Provisions

  • Notice-only/opt-out model — less strict than ASEAN neighbors
  • One of the less developed ASEAN data protection frameworks
  • Covers foreign entities without physical presence
  • Limited enforcement mechanisms

Other Asia Pacific Regulations

PIPLChina
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPAThailand
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPASouth Korea
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPIJapan
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPASingapore
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy ActAustralia
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does Laos require cookie consent?

Laos's LEDP does not mandate prior opt-in consent for cookies. It follows a notice-only/opt-out model, which is less strict than most ASEAN neighbors.

How does Laos compare to other ASEAN countries?

Laos has one of the less developed data protection frameworks in ASEAN, lacking the specificity and enforcement of laws in Thailand, Singapore, or the Philippines.

Does Laos's law apply to foreign companies?

Yes. The LEDP covers foreign entities without physical presence that handle electronic data within Lao PDR.

Stay compliant with Laos LEDP

ConsentStack helps you implement Notice consent for Laos automatically.

Get started free