China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.
Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.
Taiwan's PDPA governs personal data across both government and private sectors. The November 2025 amendments are the most significant reform since 2010, establishing Taiwan's first independent data protection authority (PDPC) and making breach notification mandatory rather than discretionary.
Hong Kong's PDPO is built around six Data Protection Principles covering collection, accuracy, use, security, transparency, and access. Cookies collecting personal data require clear notices and consent. The 2021 amendment added strong anti-doxxing provisions with criminal sanctions up to HKD 1 million and 5 years imprisonment.
Malaysia's PDPA was significantly overhauled by the 2024 Amendment Act, introducing mandatory DPOs, breach notification, data portability, and enhanced penalties (MYR 1M, up from 300K). Consent mechanisms must now meet updated standards for granular, specific, and withdrawable consent. Phased implementation runs January-June 2025.
Vietnam's PDPL elevates data protection from a decree to comprehensive law level. Consent must be voluntary, clear, and in text or verifiable electronic format — silence does not constitute consent. Cross-border transfer violations carry up to 5% of revenue penalties. The law covers AI and blockchain technologies.
India's first comprehensive data protection law requires explicit consent that is freely given, unconditional, informed, and unambiguous. Cookie consent requires affirmative action like clicking Accept Cookies. Consent managers — certified entities helping individuals manage consent across platforms — are a distinctive feature. Full compliance required by May 2027 with no grace period.
The Philippines DPA requires consent via clear affirmative action with layered privacy notices at or before cookie deployment. One of the few Asian data protection laws with criminal sanctions — up to 6 years imprisonment for sensitive data violations. The NPC has not yet finalized dedicated cookie regulations but actively issues guidance.
The CSL establishes China's legal framework for cybersecurity obligations including network security, critical infrastructure protection, and data security. The January 2026 amendments represent the first major overhaul since 2017, significantly increasing penalties and broadening extraterritorial enforcement. Cookie-specific requirements are addressed by the PIPL.
The DSL establishes China's data security governance framework with a classification system for core, important, and general data. For website operators, it primarily affects how collected data is stored and secured rather than how consent is obtained. Cookie-specific consent is addressed by the PIPL.
Bangladesh's first comprehensive data protection framework, promulgated as an ordinance under constitutional powers. Every citizen is recognized as the rightful owner of their personal data, making explicit consent mandatory. Profiling, behavioral tracking, and targeted advertising directed at minors are explicitly prohibited.
New Zealand's Privacy Act does not require opt-in cookie consent — transparency and opt-out mechanisms are the primary requirements. Organizations must be transparent about cookie use and provide opt-out options. Consent is required for targeted advertising. Penalties are low by international standards. New Zealand holds an EU adequacy decision.
Macau's PDPA is modeled on the Portuguese Data Protection Act (based on EU Directive 95/46/EC), giving it one of Asia's most explicitly EU-style cookie consent frameworks. Article 6 exempts strictly necessary cookies but requires consent for all other cookies. Controllers must register with the GPDP before processing.
Sri Lanka was the first South Asian country to pass comprehensive privacy legislation in 2022. However, core enforcement provisions were delayed — the March 2025 enforcement date was repealed just four days before taking effect, creating uncertainty about the practical timeline. The DPA was appointed in early 2024.
Brunei's PDPO 2025 is the country's first comprehensive data protection law for the private sector, modeled on Singapore's PDPA. Organizations have a one-year grace period for compliance. The last major ASEAN economy to enact comprehensive data protection legislation.
Mongolia's PDPL replaced the 1995 Law on Personal Secrecy with a comprehensive framework. Requires written or electronic consent before collecting personal data including through cookies. Data collection is limited to what is strictly necessary, and cross-border transfers require data subject consent.
Laos's LEDP outlines principles for electronic data protection with opt-out rights but does not mandate prior opt-in consent. It classifies electronic data into categories and establishes data controller responsibilities. The law is considered limited in scope and enforcement compared to more modern ASEAN data protection laws.
Bhutan's ICMA provides minimal data privacy coverage with limited digital scope. Only 7 of 10 second-generation data protection principles are included. There is no standalone data protection law, no dedicated DPA, and no specific provisions for cookie consent. The Act primarily focuses on cybercrime.
The Maldives has a basic Data Protection Act (2017) outlining principles for data collection, use, and disclosure. It is not a comprehensive GDPR-style law. A more robust Privacy and Personal Data Protection Bill was released for consultation in 2023 but has not been enacted.
Nepal's Privacy Act covers both physical and informational privacy but has significant limitations in the digital context. Critically, the law explicitly does NOT cover IP addresses, cookies, location data, or online identifiers, making it largely irrelevant to website consent management. Penalties are among the lowest globally.