Cookiebot

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

The test also shows what data your website collects and which third parties it shares with, a requirement under the CCPA.

    News & Articles

    Compliance with Malaysia's PDPA by Cookiebot CMP.

    Published February 8, 2021.

    Malaysia’s Personal Data Protection Act (PDPA) regulates the processing of personal data for commercial use inside the country. It applies to any website, company or organization located inside Malaysia.

    Malaysia’s PDPA requires you to obtain end-user consent prior to processing any personal data, and to inform Malaysian users about the details of your website’s data processing.

    In this blogpost, we break down Malaysia’s PDPA, what is means for your website’s use of cookies – and how you can become compliant.

    Quick summary

    Malaysia’s PDPA, in brief

    Malaysia’s Personal Data Protection Act (PDPA) was passed in 2010, took effect in 2013 and was last updated in 2016.

    Malaysia’s PDPA revolves around end-user consent, requiring your website to first obtain express and explicit consent from its visitors before activating any cookies and trackers that process personal data, much like other major data privacy laws around the world such as the EU’s GDPRBrazil’s LGPD and South Africa’s POPIA.

    The Malaysian PDPA governs the commercial use of personal data, and does not apply to the public sector, federal or state governments.

    Most websites in the world use cookies and trackers that process personal data, such as IP addresses, unique IDs, search and browser history. Under Malaysia’s PDPA, you need to ask for and get the explicit consent from your website’s visitors before activating any of these cookies.

    Did you know that a website on average has 21 cookies in use?
    Scan your website for free to detect and control them all

    In short, Malaysia’s PDPA requires that you obtain end-user consent, requires you to inform Malaysian users about your website’s data processing, empowers Malaysian residents with the rights to access and correct their data, regulates all personal data processing through its 7 PDPA Principles. It is enforced by the Department of Personal Data Protection (PDP) and applies to any website, company or organization in Malaysia that processes personal data from Malaysian residents.

    Malaysia's PDPA protects the personal data of Malaysian residents. Try PDPA compliance with Cookiebot CMP.

    Malaysia’s PDPA requires that you obtain consent from your website’s visitors in order to use cookies and trackers.

    Malaysia’s PDPA quick breakdown –

    • Malaysia’s PDPA took effect in November 2013 and was amended in 2016.
    • Malaysia’s PDPA regulates the processing of personal data for commercial use in the country. It does not apply to the public sector or government, federal or state.
    • Malaysia’s PDPA applies to websites, companies or organizations in Malaysia who process personal data from Malaysian residents. It does not have extraterritorial scope.
    • Malaysia’s PDPA requires you to obtain explicit/express end-user consent prior to any personal data processing and to inform users about the data processing; its purpose and who it is shared with. Implied consent like continued scrolling is not valid under the PDPA.
    • Malaysia’s PDPA operates on its 7 Data Protection Principles (PDPA Principles), which spell out its consent requirements, notification and information requirements, as well as requirements for security and retention of the personal data collected.
    • Malaysia’s PDPA empowers Malaysian residents with the right of access to their personal data, the right to correct their personal data, the right to withdraw consent at any time, and the right to stop the processing of their data for direct marketing purposes or if deemed that the processing is likely to cause damage or harm.
    • Malaysia’s PDPA defines personal data in relation to commercial transactions as information that is able to identify an individual, either directly or indirectly. This includes cookies and trackers on your website that process data such as IP addresses, unique IDs, search and browser history.
    • Malaysia’s PDPA defines processing broadly to include collecting, using, sharing, selling, storing etc. of personal data. This means that cookies on your website collecting personal data and sharing it with third parties falls under the definition of processing under Malaysia’s PDPA.
    • Malaysia’s PDPA prohibits transfers of personal data outside of Malaysia, with the exception of countries that have been whitelisted by the Malaysian government, or if specific consent is obtained from the end-user to do so.
    • Malaysia’s PDPA is enforced by the Department of Personal Data Protection (PDP) and its appointed Commissioner.
    • Non-compliance with Malaysia’s PDPA can result in fines up to MYR 500,000 and/or up to three years imprisonment.
    Malaysia's PDPA requires that your website obtains consent from users. Try PDPA compliance with Cookiebot CMP today.

    Under Malaysia’s PDPA, Malaysian residents are empowered with enforceable rights over their personal data.

    Try Cookiebot consent management platform (CMP) for free

    Scan your website to see all cookies and trackers in use

    Malaysia PDPA compliance with Cookiebot CMP

    Cookiebot CMP is a world-leading solution for controlling all cookies and trackers on your website to ensure compliance with major data privacy laws around the world, including Malaysia’s PDPAEU’s GDPR, UK’s GDPRCalifornia’s CCPABrazil’s LGPDSouth Africa’s POPIA and many others.

    Since Malaysia’s PDPA requires you to ask for and obtain the express and explicit consent from Malaysian users before using cookies and trackers on your website, Cookiebot CMP is the optimal solution to make your domain fully compliant without any need for complex technical implementation on your end.

    Cookiebot CMP is a plug-and-play compliance solution that has automated the entire PDPA compliance process – from automatically detecting all your website’s cookies and controlling them, to collecting the PDPA compliant consents from end-users and securely storing them, as well as renewing them regularly.

    Logo banner powered by Cookiebot by Usercentrics

    Consent banner by Cookiebot CMP for PDPA compliance in Malaysia.

    By giving you detailed information on each cookie on your website, including the purposedurationtechnical specifications and providerCookiebot CMP enables your website to meet the notification and information requirements necessary for PDPA compliance in Malaysia.

    Cookiebot CMP comes with highly customizable consent banners to match your website’s layout and can be shaped to fit compliance requirements under most other major data privacy laws in the world.

    Try Cookiebot CMP for PDPA compliance in Malaysia

    Scan your website for free to see what cookies and trackers are in use

    Get started with Cookiebot CMP and Google Consent Mode

    Logo banner powered by Cookiebot by Usercentrics

    Malaysia’s PDPA, in detail

    Let’s break down Malaysia’s PDPA in detail and have a look at its 7 PDPA Principles, which spell out the specifics of its compliance requirements, as well as making a comparison between Malaysia’s PDPA and the EU’s GDPR.

    The Personal Data Protection Act (PDPA) forms Malaysia’s data privacy regime and is accompanied by both the Personal Data Protection Regulations (PDPR) 2013 that detail the practical aspects of PDPA compliance, and the Codes of Practice 2017 that set best-practice standards for PDPA compliance in each sector of Malaysia.

    Under Malaysia’s PDPA, you are required to register as a data user with the Department of Personal Data Protection (PDP) if you process personal data within sectors such as communications, banking, finance, insurance, tourism, education, and others.

    You are also required to, as part of the registration to Commissioner at the PDP, to appoint a representative responsible for PDPA compliance.

    See the full Malaysia PDPA law text (in English)

    See the full Personal Data Protection Regulations (in Malay)

    See the full Codes of Practice for the Communications sector (relevant for websites) (in English)

    Visit the Department of Personal Data Protection (PDP) for more on Malaysia’s PDPA

    Malaysia’s 7 PDPA Principles

    Under Malaysia’s data privacy law, compliance is governed by seven data protection principles that detail how your website is required to handle user’s personal data.

    The seven Malaysian PDPA Principles are –

    • General Principle
    • Notice and Choice Principle
    • Discourse Principle
    • Security Principle
    • Retention Principle
    • Data Integrity Principle
    • Access Principle
    Compliance with Malaysia's PDPA through Cookiebot CMP.

    End-users are protected under Malaysia’s PDPA from unconsented data harvest by third parties.

    Malaysia’s PDPA Principle 1 – General Principle

    Under the first Malaysian PDPA Principle called the “General Principle”, the requirement for your website to obtain the valid consent from users prior to any personal data collection is explained.

    This PDPA Principle states that consent must be an explicit, affirmative opt-in on part of a user for it to be valid under Malaysia’s PDPA.

    This means that implied consent does not constitute valid consent under Malaysia’s PDPA (e.g. having a cookie banner on your website saying that personal data is being collected with no real way for users to first consent to the collection or to opt out).

    In general, under Malaysia’s PDPA, personal data is only allowed to be processed if it’s –

    • directly related to a lawful purpose for your website’s activity
    • necessary for that lawful purpose
    • and limited to what is adequate to fulfill that purpose

    Exceptions to the consent requirement are also detailed and include situations such as when personal data is collected in order to fulfill a contract, among others.

    For data to be regarded as personal data under Malaysia’s PDPA, it must meet the following three thresholds –

    • be processed in connection with a commercial purpose/transaction
    • be processed partly or fully by automated means
    • be directly or indirectly identifiable of an individual in Malaysia

    Sensitive personal data includes –

    • Health and medical data
    • Political convictions
    • Religious beliefs

    There are no specific requirements in regard to consent when it comes to sensitive personal data – all consents must be explicit and express opt-in on part of the end-user.

    Cookiebot CMP offers compliance with Malaysia's PDPA.

    Under Malaysia’s PDPA, personal data includes the stuff that most cookies on websites process: IP addresses, search history, browser history, device details and unique IDs.

    Try Cookiebot CMP for PDPA compliance today

    Scan your website to see if you have cookies and trackers that process personal data

    Malaysia’s PDPA Principle 2 – Notice and choice

    The second PDPA Principle explains how you must give end-users a prior notice about- and detailed information on your website’s personal data processing activities.

    You must inform your Malaysian end-users about –

    • your website’s intention to collect personal data
    • what kinds of data is to be collected
    • why your website collects personal data (for what purposes)
    • who you share this personal data with
    • their rights to access and correct personal data
    • whether the data collection is mandatory or voluntary (e.g. as part of a contract)
    • any means by which the end-users can limit the processing of their personal data
    • your contact information

    This notice for your Malaysian end-users forms part of the basis for the consent requirement, since users must know what they are consenting to.

    The notice must be given before any processing takes place of personal data from end-users, and it must be given in both Malay and English.

    Try Cookiebot CMP for PDPA compliance today

    Scan your website to see if you process personal data in Malaysia

    Malaysia’s PDPA Principle 3 – Disclosure

    Disclosure of personal data to any third party is prohibited by Malaysia’s PDPA unless explicit consent has been obtained from the end-user.

    This means that whatever personal data your website collects through its cookies and trackers, e.g. via analytics services or social media plugins, can only be shared with anyone else if your website’s visitors have given you their express consent to do so.

    In general, sharing and disclosure of personal data is restricted to the purposes stated in your notice and information to the end-user and limited to the third parties that you’ve listed.

    Correct and accurate lists of third parties that your website shares personal data with can be requested by the Personal Data Protection Department of Malaysia (PDPD) and subject to inspection.

    Malaysia's PDPA require end-user consent. Compliance with Cookiebot CMP.

    While transfers of personal data abroad is not prohibited under Malaysia’s PDPA, end-users must consent to all third parties, who their personal is shared with.

    Try Cookiebot CMP for PDPA compliance today

    Scan your website to see what cookies and trackers are in use

    Malaysia’s PDPA Principle 4 – Security

    Under Malaysia’s PDPA, it is mandatory for you to put in place safeguards to protect whatever personal data you collect from end-users.

    To meet this PDPA compliance requirement, your website must have a security policy that details, among others –

    • who has access to personal data, including a registration system in place to monitor access
    • what measures are taken to ensure that personal data is always handled confidentially
    • what technical safeguards are in place, such as secure storage and recovery systems
    • how personal data is transferred securely

    The legal responsibility of protecting Malaysian end-users’ personal data includes, – but is not limited to – technical security measures (e.g. safe storage, encryption, safe transfer means), organizational security measures (e.g. appointed compliance personnel, access and authorizations) and safeguarding personal data from misuse and abuse (e.g. unconsented disclosure, data breaches and loss).

    Malaysia’s PDPA Principle 5 – Retention

    Once you’ve collected personal data from end-users, you’re only allowed to retain (or store) it for the amount of time necessary for the fulfilment of the purpose, which you stated in your notice and information.

    Under Malaysia’s PDPA, once personal data has been used for the purpose it was collected for, your website is legally required to delete it.

    There are no standard minimum retention periods detailed in Malaysia’s PDPA, but it is up to you to determine the minimum necessary duration for storing personal data collected on your website (with regard to the purpose for which it was initially collected, of course).

    However, there are certain additional requirements that you need to be aware of, such as –

    • to maintain records of your deletion of personal data, subject to inspection by the PDPD
    • to keep a 24-month schedule for the regular clean-up/deletion of personal data not in use
    Cookiebot CMP enables compliance with Malaysia's PDPA.

    You’re not allowed to collect more data or to keep it for longer than necessary, under Malaysia’s PDPA.

    Try Cookiebot CMP for PDPA compliance today

    Get started with Cookiebot CMP and Google Consent Mode

    Malaysia’s PDPA Principle 6 – Data Integrity

    “Data integrity” means the responsibility that – under Malaysia’s PDPA – rests on you and your website’s shoulders to always make sure that the personal data collected from end-users is completeaccurate and up to date.

    Try Cookiebot CMP for PDPA compliance today

    Learn more about website tracking and cookies

    Malaysia’s PDPA Principle 7 – Access

    It’s the right of Malaysian end-users to request access to see what personal data you’ve collected on them, e.g. through cookies and trackers on your website – and to request correction of that data, if they find it to be incomplete, inaccurate or misleading.

    Try Cookiebot CMP for PDPA compliance today

    Scan your website to see all cookies and trackers in use

    Malaysia’s PDPA vs GDPR

    Malaysia’s PDPA is very similar to the EU’s GDPR in key areas, chief among them being prior consent and rights to access and correct personal data.

    Prior consent is perhaps the most famous part of the EU’s GDPR and Malaysia’s equivalent regime puts it on the map as one of the consent-focused data privacy laws in the world, alongside Brazil’s LGPDCanada’s PIPEDASouth Africa’s POPIA and Singapore’s PDPA – and setting it apart from opt-out focused laws like California’s CCPA.

    But while Malaysia’s PDPA and the EU’s GDPR look quite similar, the two data privacy laws are different in key areas.

    Big differences between the PDPA and GDPR include –

    • Malaysia’s PDPA only applies to personal data for commercial use, while the EU’s GDPR governs all personal data, regardless of purpose of use.
    • Malaysia’s PDPA does not have a ‘right to be forgotten’ as the EU’s GDPR includes, i.e. Malaysian users cannot retrospectively request your website to delete personal data (except for data that exceeds the retention requirement in PDPA Principle 5).
    • Malaysia’s PDPA doesn’t give end-users the right to data portability as the EU’s GDPR does, empowering EU users to receive copies of their personal data in readable and easily accessible formats.
    • Malaysia’s PDPA does not have a ‘privacy by design’ clause like the EU’s GDPR, which requires data controllers to think privacy into the default settings of their processing activities.
    Compliance with the PDPA in Malaysia with Cookiebot CMP.

    Core similarities, yet big differences between the PDPA and GDPR in Malaysia and EU.

    Cookiebot CMP enables compliance with major data privacy laws
    Try Cookiebot CMP free for 30 days – or forever if you have a small website

    Summary of Malaysia’s PDPA

    Malaysia’s Personal Data Protection Act (PDPA) is one of the world’s consent-based data privacy laws, empowering Malaysian residents with enforceable rights to their personal data, and requiring websites and companies located inside Malaysia to play by fair rules so as not to abuse the data privacy of visitors and customers.

    Malaysia’s PDPA is scheduled to be updated sometime in the next couple of years.

    Try Cookiebot CMP for PDPA compliance

    Scan your website to see and control all cookies in use

    Learn more about GDPR compliance

    Get started with Cookiebot CMP and Google Consent Mode

    FAQ

    What is Malaysia’s PDPA?

    Malaysia’s Personal Data Protection Act (PDPA) is the data privacy law in effect in Malaysia, which governs the processing of personal data from Malaysian residents for commercial use. Malaysia’s PDPA took effect in 2010 and was last amended in the summer of 2016.

    Try Cookiebot CMP for PDPA compliance

    How can my website be in compliance with Malaysia’s PDPA?

    Compliance with Malaysia’s PDPA for your website means to obtain the express/explicit consent from Malaysian end-users before processing any of their personal data, and to notify them with detailed information on your website’s data processing activities, such as what kinds of data you collect, for what purposes and who you share it with.

    Scan your website to detect all cookies and trackers in use

    What is personal data under Malaysia’s PDPA?

    Malaysia’s PDPA defines personal data broadly as any information that can identify an individual either directly or indirectly. This includes data that most websites in the world process through cookies and trackers, such as IP addresses, search and browser history, device details, unique IDs and many other kinds of online data.

    Scan your website to see if you process personal data under Malaysia’s PDPA

    Who does Malaysia’s PDPA apply to?

    Websites, companies and organizations located inside Malaysia and who process personal data from Malaysian residents are liable for PDPA compliance. Malaysia’s PDPA does not currently have extraterritorial scope, meaning that it does not apply to anyone outside of Malaysia, and does not prohibit transfers of personal data outside of Malaysia either.

    Try Cookiebot CMP free for PDPA compliance

    Resources

    See the full Malaysian Personal Data Protection Act law text (in English)

    The Malaysian Personal Data Protection Regulations from 2013 (in Malay)

    The Malaysian PDPA Codes of Conduct for websites in Malaysia (in English)

    The Personal Data Protection Department of Malaysia (PDPD)

    Learn more about the EU’s GDPR and consent

    Get started with Cookiebot CMP and Google Consent Mode

    How can we help you?
    Scan your website for free or get started right away.
    You are one step away from being able to achieve compliance
    Get started right away for free with our plug and play Consent Management solution.
    Is your website privacy compliant?
    Scan your website for free and find out which cookies and tracking technologies are collecting user data.