Privacy Regulations in Asia Pacific

25 privacy and data protection laws across Asia Pacific

PIPL
China
Flag of CN
Opt-in

China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.

Thailand PDPA
Thailand
Flag of TH
Opt-in

Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.

Singapore PDPA
Singapore
Flag of SG
Opt-out

Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.

APPI
Japan
Flag of JP
Opt-in

Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.

South Korea PIPA
South Korea
Flag of KR
Opt-in

South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.

Australian Privacy Act
Australia
Flag of AU
Opt-in

Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Indonesia PDP Law
Indonesia
Flag of ID
Opt-in

Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.

Taiwan PDPA
Taiwan
Flag of TW
Opt-in

Taiwan's PDPA governs personal data across both government and private sectors. The November 2025 amendments are the most significant reform since 2010, establishing Taiwan's first independent data protection authority (PDPC) and making breach notification mandatory rather than discretionary.

Hong Kong PDPO
Hong Kong
Flag of HK
Opt-in

Hong Kong's PDPO is built around six Data Protection Principles covering collection, accuracy, use, security, transparency, and access. Cookies collecting personal data require clear notices and consent. The 2021 amendment added strong anti-doxxing provisions with criminal sanctions up to HKD 1 million and 5 years imprisonment.

Malaysia PDPA
Malaysia
Flag of MY
Opt-in

Malaysia's PDPA was significantly overhauled by the 2024 Amendment Act, introducing mandatory DPOs, breach notification, data portability, and enhanced penalties (MYR 1M, up from 300K). Consent mechanisms must now meet updated standards for granular, specific, and withdrawable consent. Phased implementation runs January-June 2025.

Vietnam PDPL
Vietnam
Flag of VN
Opt-in

Vietnam's PDPL elevates data protection from a decree to comprehensive law level. Consent must be voluntary, clear, and in text or verifiable electronic format — silence does not constitute consent. Cross-border transfer violations carry up to 5% of revenue penalties. The law covers AI and blockchain technologies.

India DPDPA
India
Flag of IN
Opt-in

India's first comprehensive data protection law requires explicit consent that is freely given, unconditional, informed, and unambiguous. Cookie consent requires affirmative action like clicking Accept Cookies. Consent managers — certified entities helping individuals manage consent across platforms — are a distinctive feature. Full compliance required by May 2027 with no grace period.

Philippines DPA
Philippines
Flag of PH
Opt-in

The Philippines DPA requires consent via clear affirmative action with layered privacy notices at or before cookie deployment. One of the few Asian data protection laws with criminal sanctions — up to 6 years imprisonment for sensitive data violations. The NPC has not yet finalized dedicated cookie regulations but actively issues guidance.

China CSL
China
Flag of CN
Opt-in

The CSL establishes China's legal framework for cybersecurity obligations including network security, critical infrastructure protection, and data security. The January 2026 amendments represent the first major overhaul since 2017, significantly increasing penalties and broadening extraterritorial enforcement. Cookie-specific requirements are addressed by the PIPL.

China DSL
China
Flag of CN
Opt-in

The DSL establishes China's data security governance framework with a classification system for core, important, and general data. For website operators, it primarily affects how collected data is stored and secured rather than how consent is obtained. Cookie-specific consent is addressed by the PIPL.

Bangladesh PDPO
Bangladesh
Flag of BD
Opt-in

Bangladesh's first comprehensive data protection framework, promulgated as an ordinance under constitutional powers. Every citizen is recognized as the rightful owner of their personal data, making explicit consent mandatory. Profiling, behavioral tracking, and targeted advertising directed at minors are explicitly prohibited.

New Zealand Privacy Act
New Zealand
Flag of NZ
Opt-out

New Zealand's Privacy Act does not require opt-in cookie consent — transparency and opt-out mechanisms are the primary requirements. Organizations must be transparent about cookie use and provide opt-out options. Consent is required for targeted advertising. Penalties are low by international standards. New Zealand holds an EU adequacy decision.

Macau PDPA
Macau
Flag of MO
Opt-in

Macau's PDPA is modeled on the Portuguese Data Protection Act (based on EU Directive 95/46/EC), giving it one of Asia's most explicitly EU-style cookie consent frameworks. Article 6 exempts strictly necessary cookies but requires consent for all other cookies. Controllers must register with the GPDP before processing.

Sri Lanka PDPA
Sri Lanka
Flag of LK
Opt-in

Sri Lanka was the first South Asian country to pass comprehensive privacy legislation in 2022. However, core enforcement provisions were delayed — the March 2025 enforcement date was repealed just four days before taking effect, creating uncertainty about the practical timeline. The DPA was appointed in early 2024.

Brunei PDPO
Brunei
Flag of BN
Opt-in

Brunei's PDPO 2025 is the country's first comprehensive data protection law for the private sector, modeled on Singapore's PDPA. Organizations have a one-year grace period for compliance. The last major ASEAN economy to enact comprehensive data protection legislation.

Mongolia PDPL
Mongolia
Flag of MN
Opt-in

Mongolia's PDPL replaced the 1995 Law on Personal Secrecy with a comprehensive framework. Requires written or electronic consent before collecting personal data including through cookies. Data collection is limited to what is strictly necessary, and cross-border transfers require data subject consent.

Laos LEDP
Laos
Flag of LA
Notice

Laos's LEDP outlines principles for electronic data protection with opt-out rights but does not mandate prior opt-in consent. It classifies electronic data into categories and establishes data controller responsibilities. The law is considered limited in scope and enforcement compared to more modern ASEAN data protection laws.

Bhutan ICMA
Bhutan
Flag of BT
Notice

Bhutan's ICMA provides minimal data privacy coverage with limited digital scope. Only 7 of 10 second-generation data protection principles are included. There is no standalone data protection law, no dedicated DPA, and no specific provisions for cookie consent. The Act primarily focuses on cybercrime.

Maldives DPA
Maldives
Flag of MV
Opt-in

The Maldives has a basic Data Protection Act (2017) outlining principles for data collection, use, and disclosure. It is not a comprehensive GDPR-style law. A more robust Privacy and Personal Data Protection Bill was released for consultation in 2023 but has not been enacted.

Nepal Privacy Act
Nepal
Flag of NP
Opt-in

Nepal's Privacy Act covers both physical and informational privacy but has significant limitations in the digital context. Critically, the law explicitly does NOT cover IP addresses, cookies, location data, or online identifiers, making it largely irrelevant to website consent management. Penalties are among the lowest globally.