E-commerce regulation in Thailand: legal framework, requirements, and recent updates

What is e-commerce?

E-commerce, or electronic commerce, is the process of conducting commercial transactions over the internet. This broad category includes the sale of goods, services, and digital products through online platforms, mobile applications, and social media channels. It encompasses different types of business models such as Business-to-Consumer (B2C), where companies sell directly to individual customers; Business-to-Business (B2B), where transactions occur between companies; and Consumer-to-Consumer (C2C), typically facilitated through marketplaces where individuals sell to one another.

E-commerce is designed for a wide range of participants, including large corporations, small businesses, and individual entrepreneurs. It is particularly beneficial for businesses looking to reach a broader audience beyond their physical locations, as it allows for global transactions 24/7. Consumers benefit from the convenience of purchasing products from anywhere with access to the internet, as well as access to a broader array of products and competitive pricing.

In Thailand, engaging in e-commerce requires businesses to comply with various legal regulations, such as the Electronic Transactions Act B.E. 2544 (2001), which provides the legal foundation for electronic contracts and signatures. Moreover, businesses must follow consumer protection laws, like the Consumer Protection Act B.E. 2522 (1979), ensuring fair trading practices and transparency in online transactions.

The legal framework for e-commerce in Thailand

• Electronic Transactions Act B.E. 2544 (2001)

The Electronic Transactions Act B.E. 2544 (2001) (ETA) is the foundational law governing e-commerce in Thailand. It provides the legal recognition of electronic contracts, signatures, and records, ensuring that electronic transactions have the same legal standing as those conducted on paper. Under Section 7 of the ETA, electronic contracts are deemed legally binding if the parties have consented to the use of electronic means for communication.

The Act also mandates businesses to ensure the integrity, authenticity, and reliability of electronic data. Section 23 of the ETA provides that businesses must adopt measures to safeguard electronic records against unauthorized alterations or damage. This requirement applies to both business-to-business (B2B) and business-to-consumer (B2C) transactions conducted online.

• Direct Sales and Direct Marketing Act B.E. 2545 (2002)

The Direct Sales and Direct Marketing Act B.E. 2545 (2002) (DSDMA) applies to businesses engaging in e-commerce that involves direct marketing activities. The law requires businesses to register with the Office of the Consumer Protection Board (OCPB) if their online operations include direct sales or marketing. Section 8 of the Act mandates that any business engaged in direct sales or direct marketing through electronic means must obtain a direct marketing license in addition to the standard e-commerce registration.

This law serves as a consumer protection mechanism, ensuring that businesses engaging in direct marketing activities adhere to fair marketing practices and provide consumers with clear, accurate, and transparent information about their products or services.

• Personal Data Protection Act B.E. 2562 (2019)

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) is Thailand’s primary legislation on data privacy, closely modeled after the European Union’s General Data Protection Regulation (GDPR). The PDPA imposes obligations on e-commerce businesses concerning the collection, processing, storage, and use of personal data. Under the PDPA, businesses must obtain explicit consent from consumers before collecting their personal information for marketing or transactional purposes.

The Electronic Transactions Development Agency (ETDA) plays a crucial role in enforcing the PDPA. Under Section 39 of the PDPA, businesses failing to comply with data protection requirements may face severe penalties, including fines and criminal charges.

Recent updates in e-commerce regulation

• Notification Re: Business Regulations (Effective June 5, 2024)

As part of Thailand’s efforts to modernize its e-commerce regulatory framework, the new notification, officially called “Notification Re: Business Regulations That Commercial Operators Must Register and Businesses That Are Not Subject to the Commercial Registration Act B.E. 2567”, was introduced, coming into effect on June 5, 2024. This new regulation brings significant changes, particularly exempting certain business entities from the mandatory e-commerce registration requirement.

• Exemptions: Registered legal entities, including private limited companies, limited partnerships, and public limited companies, are no longer required to obtain a separate e-commerce license if they have already been registered under the Commercial Registration Act B.E. 2499 (1956). Their commercial registration certificates will suffice for legal compliance. This update aims to reduce bureaucratic hurdles and streamline the registration process for established entities.
• New requirements for natural persons: In contrast, natural persons and certain business groups, including ordinary partnerships and cooperatives, must still comply with the e-commerce registration requirement if they engage in commercial activities online. This update ensures that small-scale operators and individual entrepreneurs remain accountable under the e-commerce legal framework.

• Cybersecurity Act B.E. 2562 (2019)

The Cybersecurity Act B.E. 2562 (2019) introduces additional obligations for e-commerce businesses, particularly regarding the implementation of cybersecurity measures. The law mandates that businesses protect their online platforms against cyber threats and unauthorized access. Under Section 43 of the Cybersecurity Act, businesses must establish a cybersecurity management system to prevent data breaches and cyber-attacks.

The National Cybersecurity Committee (NCSC) oversees compliance, with authority to impose penalties on businesses that fail to implement adequate cybersecurity measures. E-commerce businesses must adhere to these standards to ensure the protection of both consumer data and the integrity of their transactions.

• Updates to direct marketing regulations

The Direct Sale and Direct Marketing Act B.E. 2545 (2002) was also amended in 2024 to tighten the requirements for businesses using direct marketing techniques. The updated regulations provide that businesses engaging in direct marketing via digital platforms, such as social media, must obtain a direct marketing license from the Office of the Consumer Protection Board (OCPB). Furthermore, businesses must ensure that their marketing practices comply with the guidelines set out in the Unfair Contract Terms Act B.E. 2540 (1997).

Licensing and compliance: how to obtain an e-commerce license

• Application Process

Businesses intending to engage in e-commerce activities must apply for a license from the Department of Business Development (DBD). The application process involves submitting the following documents:

• A copy of the company’s commercial registration certificate;
• Details of the company’s shareholders and directors;
• A comprehensive description of the business’s e-commerce activities, including a breakdown of products or services offered online;
• A fully functional website, with clear terms and conditions, pricing information, and a secure payment gateway.

The DBD requires that applications be submitted within 30 days of commencing e-commerce operations. Businesses that fail to comply with this timeline may face penalties, including fines or suspension of their operations.

• Direct Marketing License

If the business engages in direct marketing activities, it must also obtain a direct marketing license from the Office of the Consumer Protection Board (OCPB). This additional license ensures that the business adheres to the consumer protection guidelines set out in the Direct Sale and Direct Marketing Act. The process for obtaining this license is similar to the standard e-commerce registration process, with businesses required to submit information about their marketing practices, including how they plan to engage with consumers online.

Penalties for non-compliance

Businesses that fail to comply with Thailand’s e-commerce regulations face a range of penalties. Under the Electronic Transactions Act, businesses may be fined or have their operations suspended for failing to obtain the necessary licenses or failing to safeguard electronic records. Similarly, under the Cybersecurity Act, businesses that do not implement adequate cybersecurity measures may face fines or criminal prosecution.

Moreover, under the Personal Data Protection Act, businesses that violate data protection laws face fines of up to THB 5 million per violation, as well as potential civil liability for damages caused by data breaches.

Conclusion

Thailand’s e-commerce regulatory framework is robust and continues to evolve in response to the growing digital economy. With the recent updates to the Electronic Transactions Act, Cybersecurity Act, and Direct Marketing Regulations, businesses must stay vigilant to ensure they remain compliant. Navigating these laws effectively requires businesses to not only understand the requirements but also implement comprehensive strategies for data protection, consumer rights, and cybersecurity.

Compliance with Thailand’s e-commerce regulations not only ensures legal operation but also enhances consumer trust and business credibility in a competitive digital marketplace.