Malaysia PDPA

Personal Data Protection Act 2010 (Act 709), as amended 2024

Key Facts

Effective Date
November 15, 2013
Enacted
June 2, 2010
Enforcing Authority
Personal Data Protection Commissioner, under PDPD, Ministry of Communications and Digital
Consent Model
Opt-in
Applies To
Any person processing personal data in commercial transactions (excludes public sector)

Overview

Malaysia's PDPA was substantially overhauled by the 2024 Amendment Act, the most significant reform since the law's inception. New requirements include mandatory DPOs, breach notification, data portability, and enhanced penalties. Consent must now meet updated standards for granular, specific, and withdrawable consent.

What This Means for Your Website

  • Consent must be granular, specific, and withdrawable under the updated 2024 standards
  • Mandatory DPO appointment for both controllers and processors from June 2025
  • Breach notification to the Commissioner must occur as soon as practicable from June 2025
  • Data portability rights take effect from June 2025
  • Maximum penalties increased to MYR 1,000,000 and/or 3 years imprisonment
  • The law does not apply to the public sector — a significant limitation

Key Requirements

The PDPD enforces the PDPA with penalties up to MYR 1 million and 3 years imprisonment. The phased implementation (January, April, June 2025) allows progressive compliance. Cross-border transfer rules have been strengthened. The public sector exemption means federal and state governments are not covered.

How ConsentStack Handles This

ConsentStack applies granular, specific consent for Malaysian visitors meeting the 2024 amended standards, with withdrawal mechanisms as required.

Penalties

Maximum fine: MYR 1,000,000 (~USD 236,000), raised from MYR 300,000 by the 2024 Amendment Act. Maximum imprisonment: 3 years. Both may be imposed.

Maximum Fine
MYR 1,000,000 per violation

Key Requirements

  • Consent required for processing personal data in commercial transactions
  • Consent must be granular, specific, and withdrawable (2024 standards)
  • Mandatory DPO from June 2025
  • Mandatory breach notification as soon as practicable from June 2025
  • Data portability from June 2025
  • Cross-border transfer rules strengthened

Notable Provisions

  • 2024 Amendment Act — most significant overhaul since inception
  • Penalties raised from MYR 300K to MYR 1M
  • Phased implementation: January, April, June 2025
  • Public sector exempt — significant limitation

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.

Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.

South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.

APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.

Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.

Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

What changed in Malaysia's PDPA in 2024?

The 2024 Amendment Act introduced mandatory DPOs, breach notification, data portability, enhanced penalties (MYR 1M), and updated consent standards for granular, specific, and withdrawable consent.

Does Malaysia's PDPA cover the public sector?

No. Federal and state governments are exempt — a significant limitation unique to Malaysia's framework.

What are the current Malaysian penalties?

Up to MYR 1,000,000 (~USD 236,000) and/or 3 years imprisonment. Both may be imposed concurrently.

Stay compliant with Malaysia PDPA

ConsentStack helps you implement opt-in consent for Malaysia automatically.