Vietnam PDPL

Law on Personal Data Protection (Law No. 91/2025/QH15)

Key Facts

Effective Date: January 1, 2026
Enacted: June 26, 2025
Enforcing Authority: Ministry of Public Security (MPS) through the Department of Cybersecurity and Hi-Tech Crime Prevention
Consent Model: Opt-in
Applies To: All organizations processing personal data of Vietnamese individuals, including foreign organizations (extraterritorial)

Overview

Vietnam's PDPL marks a significant upgrade from decree-level rules (Decree 13/2023) to a comprehensive national law. Consent must be voluntary, clear, and expressed in text or verifiable electronic format — silence does not constitute consent. The penalty framework is among the strictest in Southeast Asia, with cross-border violations carrying up to 5% of revenue.

What This Means for Your Website

  • Consent must be in text or verifiable electronic format — voluntary and clear
  • Silence or non-response does not constitute consent
  • Separate consent is required for cross-border data transfers
  • Data localization requirements apply to certain categories
  • Foreign organizations must designate a domestic representative
  • Cross-border violations carry penalties up to 5% of annual revenue

Key Requirements

The Ministry of Public Security enforces the PDPL through the Department of Cybersecurity. Cross-border transfer violations carry penalties of VND 3 billion to 5% of revenue. Penalties for illegal data sale start at VND 3 billion and can reach up to 10x the illegal gain. The law takes effect January 1, 2026.

How ConsentStack Handles This

ConsentStack applies text-based consent for Vietnamese visitors with separate consent for cross-border transfers, meeting the PDPL's stringent requirements.

Penalties

Cross-border violations: VND 3B to 5% of revenue. Illegal data sale: VND 3B minimum, up to 10x illegal gain. Other: up to VND 3B.

Revenue-based: 5% of annual revenue

Key Requirements

  • Consent must be voluntary, clear, and in text or verifiable electronic format
  • Silence or non-response does not constitute consent
  • Consent withdrawal must be as easy as providing consent
  • Separate consent for cross-border data transfers
  • Data localization for certain data categories
  • Foreign organizations must designate a domestic representative

Notable Provisions

  • Elevated from decree to comprehensive national law (2025)
  • Cross-border violations carry penalties of up to 5% of revenue
  • Covers AI and blockchain technologies
  • Among strictest penalty frameworks in Southeast Asia

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

When does Vietnam's PDPL take effect?

January 1, 2026. It supersedes Decree 13/2023 and elevates data protection from a government decree to a comprehensive national law.

What are Vietnam's cross-border transfer penalties?

VND 3 billion to 5% of annual revenue — among the strictest in Southeast Asia.

Does silence count as consent in Vietnam?

No. The PDPL explicitly states that silence or non-response does not constitute consent. Consent must be in text or verifiable electronic format.
