Currently, most enterprises are striving to develop and find ways to enhance their competitiveness in both commerce and services. This goal is to compete with other products and services in the market and maximize the organization’s profit potential. One of the key methods to boost efficiency is through ‘Marketing,’ and to achieve effective marketing, businesses need to collect a large amount of personal data from target groups or customers through various channels. This data is then analyzed to assess business performance and understand customer needs, enabling the development of precise marketing strategies and targeted sales campaigns. Ultimately, business cannot avoid the use of personal data in their operations.
The Personal Data Protection Act B.E. 2562 (2019), commonly known as the "PDPA," aims to establish standards for the protection of personal data. It outlines the responsibilities of organizations that utilize personal data, such as informing data subjects about how their data is used and obtaining consent for data usage. Importantly, the PDPA does not prohibit businesses from using personal data for marketing purposes. However, it requires that organizations must carefully consider how their marketing activities comply with PDPA regulations. This is especially critical when handling sensitive data or engaging in activities that may excessively infringe on an individual’s privacy, or using data in ways that the data subject would not reasonably expected.
Customer profiling involves the use of large amounts of personal data--such as behavior, preferences, economic status, location, IP address, cookies, and more--to analyze or predict individual characteristics for targeted advertising purposes. Businesses typically collect this personal data from customers’ behavior on online platforms. However, data subjects may not always be aware of their information is being collected, and this data processing is not essential for fulfilling contractual obligations. Therefore, whether profiling is based on directly collected customer behavior or predictive analytics, businesses are required to obtain explicit conset from data subject before using their personal data for these purposes.
Direct marketing differs from general advertising or other forms of marketing in public media. Direct marketing involves contacting individual customers directly through communication channels stored in the business's database, allowing for quicker and more targeted customer engagement. However, this form of marketing is not always welcomed or expected by all customers, as the business's database may be complied from activities or operations unrelated to the primary serviced provided. Therefore, when conducting direct marketing activities that utilize individual customer profiles, businesses are required to obtain explicit consent from customers. They must clearly explain how marketing information will be delivered—whether through phone calls, emails, or other channels—and provide an easy-to-access option for withdrawing consent if the customer no longer wishes to receive such communications.
Additionally, if the marketing involves general advertising of products or services to customers who have registered as members, subscribed to newsletters, or previously used the services, businesses may rely on a legitimate interest basis for processing this data instead of seeking explicit consent..
In promotional activities involving lucky draws or random prize selections, businessess may collect personal data such as name, address, and phone number only as necessary to facilitate prize distribution. Depending on the specifics of the event, businesses can rely on either contractual basis or legitimate interest basis as ground for data processing. However, businesses still have the obligation to inform participants about data disclosure and their right to object to the processing. For example, if winner’s names must be published publicly to ensure transparency, this should be clearly communicated to participants.
Regarding prize announcements, businesses should take care not to infringe on the privacy of the individuals. One approach is to publish the surname and general location of the winners, following the guidelines of the Advertising Standards Authority (ASA) in the UK. Alternatively, business may adapt this to local norms by announcing winners using first names and initials of surnames to align with Thailand’s context.
It is evident that the PDPA is not an obstacle to marketing activities. Rather, it regulates the use of personal data to balance business interests with individuals’ privacy rights. Complying with the PDPA is not only a legal requirement but also an opportunity to build trust and enhance security for both businesses and the customers. Prioritizing personal data protection is an investment in the long-term stability and safety of your organization.
If you have any questions regarding marketing activities, Athentic Consulting Co., Ltd. has personal data protection law experts who are ready to assist you closely in achieving PDPA compliance.
