Sri Lanka PDPA

Personal Data Protection Act, No. 9 of 2022

Key Facts

Effective Date: March 19, 2022
Enacted: March 19, 2022
Enforcing Authority: Data Protection Authority of Sri Lanka
Consent Model: Opt-in
Applies To: Controllers and processors of personal data in Sri Lanka

Overview

In 2022, Sri Lanka became the first South Asian country to pass comprehensive privacy legislation. The core enforcement provisions (Parts I, II, III, VII) were scheduled to take effect on March 18, 2025, but the government repealed this date just four days before enforcement was to begin, creating legal uncertainty.

What This Means for Your Website

  • Consent must be demonstrable by the data controller
  • Consent requests must be clearly distinguishable from other matters
  • Data subjects must be informed that consent can be withdrawn at any time
  • Core enforcement provisions are delayed — enforcement timeline uncertain
  • Repeat offense fines double for each subsequent violation

Key Requirements

The Data Protection Authority (DPA) enforces the PDPA with penalties of up to LKR 10 million per instance, doubling for repeat offenses. Data Protection Impact Assessments (DPIAs) are required for high-risk processing. Cross-border transfers require adequacy. The DPA was appointed in early 2024 and has been building capacity.

How ConsentStack Handles This

ConsentStack applies consent standards for Sri Lankan visitors, ensuring readiness for when enforcement provisions take full effect.

Penalties

Up to LKR 10 million (~USD 30,000) per non-compliance instance. Repeat offenses: fine doubles for each subsequent violation.

Maximum Fine: LKR 10,000,000 per violation

Key Requirements

  • Consent must be demonstrable by the controller
  • Consent requests must be clearly distinguishable from other matters
  • Data subjects must be informed consent can be withdrawn anytime
  • Mandatory data breach notification
  • Data subject rights: access, rectification, erasure, restriction, objection
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • First South Asian country to pass comprehensive privacy law
  • Core enforcement provisions delayed — March 2025 date repealed 4 days before
  • DPA appointed early 2024 but operational capacity building ongoing
  • Repeat offense fines double for each subsequent violation

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Is Sri Lanka's privacy law being enforced?

Not fully. Core enforcement provisions were delayed in March 2025, four days before they were to take effect. The practical enforcement timeline remains uncertain.

Was Sri Lanka first in South Asia for privacy law?

Yes. Sri Lanka was the first South Asian country to pass comprehensive privacy legislation when the PDPA was enacted in March 2022.

What are Sri Lanka's penalties?

Up to LKR 10 million (~USD 30,000) per instance, doubling for each subsequent repeat offense.
