Web Development · Mar 27, 2026 · 8 min

PDPA and Clinic Websites: What Clinic Owners Must Know Before Going Online

Clinics collect health data classified as sensitive under Thailand's PDPA. What must clinic websites do? A 10-point checklist, penalties, and how to build a PDPA-ready website from day one.

[Image: PDPA compliance checklist for clinic websites]

Thailand's Personal Data Protection Act B.E. 2562 (2019) (reference: Office of the Personal Data Protection Committee) has been in full effect since 2022 and directly affects every business that collects personal data. For clinics and healthcare providers the impact is significantly greater than for typical businesses, because most of the data a clinic collects is classified as Sensitive Personal Data under Section 26 of the PDPA. Whether it is treatment history, blood test results, or before-and-after procedure photos, this data requires Explicit Consent from the data subject before collection. If your clinic has a website, or plans to launch one, this article covers everything you need to know about PDPA compliance for clinic websites: the types of data clinics collect, the legal requirements, a 10-point compliance checklist, and the penalties for non-compliance.

What Data Do Clinics Collect Through Websites?

Many clinic owners do not realize how much personal data their website actually collects. Here is a breakdown:

  • General Personal Data — Full name, phone number, email, LINE ID entered through appointment booking or contact forms
  • Health Data — Treatment history, symptoms described in online consultation forms, test results shared through the system. These are classified as Sensitive Data under PDPA and require Explicit Consent
  • Before-After Photos — Photos of patients' faces or bodies used on the website are considered Biometric Data + Health Data and require written consent
  • Financial Data — Credit/debit card details for online payments, bank account numbers
  • Cookie Data — Browsing behavior, pages viewed, time spent on each page, IP addresses. These are automatically collected by Google Analytics or Facebook Pixel

⚠️ Health Data is classified as Sensitive Personal Data under Section 26 of the PDPA, which carries heavier penalties than general data. Collecting health data without Explicit Consent can result in fines up to 5 million baht (~$140,000 USD).

What Does PDPA Require for Clinic Websites?

The PDPA establishes several obligations for websites that collect personal data. For clinics with websites, the key requirements are:

  1. Cookie Consent Banner — Your website must display a consent banner before placing non-essential cookies (analytics, marketing). Users must be able to accept or reject each category individually
  2. Privacy Policy Page — You must have a privacy policy that clearly explains what data you collect, how long you retain it, what you use it for, and who you share it with. It should be written in clear, understandable Thai
  3. Data Subject Rights — Patients have the right to access, correct, delete, or request copies of their data. Your website must provide channels to exercise these rights, such as a request form or contact email
  4. Data Retention Policy — Clearly define how long you keep each type of data. For example, appointment data for 2 years, treatment records for 10 years per healthcare facility regulations. Data must be deleted when the retention period expires
  5. Data Protection Officer (DPO) — Clinics that process large volumes of health data may need to appoint a DPO to oversee PDPA compliance

💡 Smaller clinics may not need a formal DPO, but you must have a designated person responsible for data protection who understands PDPA and can respond to patient inquiries.

10-Point PDPA Checklist for Clinic Websites

Use this checklist to verify whether your clinic website is PDPA-ready: (Read more: What Makes a Great Clinic Website? 15-Point Checklist)

  1. SSL Certificate (HTTPS) — Your website must use HTTPS to encrypt data between the user's browser and your server. If you are still on HTTP, patient data submitted through forms can be easily intercepted
  2. Cookie Consent Banner — Install a banner that supports granular accept/reject for each cookie category — not just a single "Accept All" button. Recommended tools include CookieYes or Cookiebot
  3. Privacy Policy Page in Thai — Write a clear privacy policy in Thai covering what data you collect, the purpose, retention period, and DPO or responsible person contact information
  4. Consent Checkbox on Forms — Every form collecting data (appointments, consultations, membership) must include a consent checkbox. The checkbox must not be pre-ticked
  5. Before-After Photo Consent — If you display before-after images on your website, you must have signed consent documents from patients specifically authorizing use of their images for marketing on your website
  6. Payment Data Encryption — If you accept online payments, use PCI DSS-compliant payment gateways. Never store credit card data in your own database — use services like Stripe or Omise instead
  7. Admin Access Control — Restrict who can access patient data in the backend. Not everyone in the clinic should have access to everything. Implement Role-Based Access Control (RBAC)
  8. Data Backup Policy — Back up data regularly, encrypt backups, store them separately from the main server, and have a tested recovery plan
  9. Breach Notification Plan — Prepare a response plan for data breaches. PDPA requires notifying the PDPC within 72 hours of discovery. If patient rights are at risk, affected individuals must also be notified
  10. Regular Annual Audit — Review PDPA policies and practices at least once a year. Verify that cookie consent works correctly, the privacy policy is up to date, and all plugins remain secure

📋 If your clinic website passes all 10 items on this checklist, you have a solid compliance foundation. But remember, PDPA compliance is not a one-time task — it requires ongoing maintenance and updates.
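The two consent controls above (a granular cookie banner that gates non-essential tags, and a form consent checkbox that is never pre-ticked and is verified server-side) are shown together below as an added example. This is illustrative code, not CherCode's or any tool's implementation; the cookie categories, the policy version string, the field names and the in-memory record are all assumptions, and a real site would persist the record so consent can be evidenced later.

```javascript
// Added example (not CherCode's code): consent gating for a clinic website.
// Assumes an in-memory record; a real site persists it (cookie plus server log)
// so the clinic can show evidence of consent if a complaint is filed.
const COOKIE_CATEGORIES = ["necessary", "analytics", "marketing"];
const POLICY_VERSION = "2026-03"; // hypothetical privacy-policy version
const SENSITIVE_FIELDS = ["symptoms", "treatmentHistory", "beforeAfterPhoto"];

// Banner result -> consent record. Only "necessary" is on by default; every
// other category stays off unless the user explicitly turned it on.
function recordCookieConsent(choices = {}, now = new Date()) {
  const granted = {};
  for (const cat of COOKIE_CATEGORIES) {
    granted[cat] = cat === "necessary" || choices[cat] === true;
  }
  return { granted, policyVersion: POLICY_VERSION, timestamp: now.toISOString() };
}

// Gate for third-party tags: a Google Analytics or Facebook Pixel script is
// injected only after its category was granted. No record yet means that
// nothing non-essential loads.
function mayLoadTag(consent, category) {
  if (!consent) return category === "necessary";
  return consent.granted[category] === true;
}

// Server-side validation of an appointment form. The client renders the
// checkbox unticked; here we require an explicit true and, when the form
// carries health data, a separate explicit consent for that sensitive category.
function validateAppointmentForm(body, now = new Date()) {
  const consents = body.consents || {};
  const errors = [];
  const hasHealthData = SENSITIVE_FIELDS.some((f) => body[f] !== undefined && body[f] !== "");
  if (consents.general !== true) errors.push("general consent checkbox not ticked");
  if (hasHealthData && consents.health !== true) errors.push("explicit consent for health data missing");
  if (errors.length > 0) return { ok: false, errors };
  // Evidence stored with the appointment: what was agreed, under which policy, when.
  const purposes = Object.keys(consents).filter((k) => consents[k] === true);
  return { ok: true, evidence: { purposes, policyVersion: POLICY_VERSION, timestamp: now.toISOString() } };
}

// Constructed sample inputs showing both outcomes.
const banner = recordCookieConsent({ analytics: true });
const rejected = validateAppointmentForm({ name: "A", symptoms: "rash", consents: { general: true } });
const accepted = validateAppointmentForm({ name: "A", symptoms: "rash", consents: { general: true, health: true } });
```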

Risks of Non-Compliance with PDPA

Some clinic owners assume PDPA is a new law with no real enforcement. In reality, the PDPC has already begun taking action against violators. The penalties include civil, criminal, and administrative sanctions:

  • Administrative Fines — Up to 5 million baht (~$140,000 USD) per violation, particularly for collecting Sensitive Data without Explicit Consent
  • Civil Liability — Data subjects can sue for damages. Courts may award actual damages plus punitive damages up to 2x the actual amount
  • Criminal Penalties — Imprisonment up to 1 year and/or fines up to 1 million baht for unauthorized disclosure of Sensitive Data
  • Reputation Damage — News of a patient data breach can devastate a clinic's reputation far beyond any fine. Current patients may leave, and potential patients will stay away
  • PDPC Complaints — A single patient can file a complaint with the PDPC at no cost, and the PDPC is obligated to investigate every case. Without evidence of consent or a privacy policy, your clinic is immediately at a disadvantage

⚠️ Even a single patient's health data leaking can lead to complaints and fines in the millions. Investing in a PDPA-ready website from the start is far more cost-effective than dealing with the consequences later.

How CherCode Builds PDPA-Ready Clinic Websites

CherCode understands that most clinic owners are not legal or IT experts. That is why we designed our clinic website service to be PDPA-ready from day one — no additional consultants needed:

  • Free SSL Certificate for Life — Every website we build uses HTTPS by default at no extra cost
  • Pre-built Cookie Consent Banner — We install cookie consent with granular category selection and consent logging
  • Thai Privacy Policy Template — We provide a privacy policy template customized for clinic businesses, covering health data and before-after photos
  • Secure Forms with Consent Checkbox — All forms include legally compliant consent checkboxes. Data is transmitted over HTTPS and encrypted before storage
  • Admin Panel with RBAC — Our backend management system lets you control which staff members can access which patient data
  • Built with Next.js, Not WordPress — Next.js websites have far fewer vulnerabilities than WordPress. No outdated plugins creating security holes

💡 See our full clinic website service at Clinic Website Service or get a free consultation with CherCode. We can analyze your current website's PDPA readiness.

Frequently Asked Questions (FAQ)

Common questions clinic owners ask about PDPA and websites:

  • Q: Does a small clinic need to comply with PDPA? — Yes. PDPA applies to organizations of all sizes that collect personal data. There are no exemptions for small businesses
  • Q: Can I just install a PDPA plugin on WordPress? — Partially. Most plugins only handle cookie consent. Secure forms, access control, and data retention must be managed separately. You also need to keep plugins updated consistently, as outdated plugins are the number one security vulnerability on WordPress
  • Q: Do I need to remove before-after photos posted before PDPA? — If you do not have consent documents from patients, you should either remove the photos or obtain retroactive consent. If a patient files a complaint, your clinic will have no evidence of authorization
  • Q: How is PDPA different from HIPAA? — HIPAA is a US law focused specifically on health information. PDPA is a Thai law covering all types of personal data, with specific provisions for Sensitive Data including health information. While PDPA fines may not reach HIPAA levels, 5 million baht is still a significant amount for any Thai business

Frequently Asked Questions

Do small clinics need to comply with PDPA too?

Yes, they do. PDPA applies to organizations of every size that collect personal data; there is no exemption for small businesses, whether the clinic sees 10 or 10,000 patients a month.

Can I just use WordPress and install a PDPA plugin?

To some extent. Most plugins only cover cookie consent; secure forms, access control, and data retention must be handled separately, and plugins must be updated regularly because outdated plugins are the number one vulnerability in WordPress.

Do before-after photos posted before PDPA need to be removed?

If you have no consent documents from the patients, you should remove them or obtain consent retroactively, because if a patient complains the clinic will have no evidence of authorization. We recommend contacting the original patients to obtain written consent.

How do PDPA and HIPAA differ?

HIPAA is a US law that focuses specifically on health data. PDPA is a Thai law that covers all types of personal data but has specific sections for Sensitive Data, including health data. PDPA's maximum fine is 5 million baht, which is lower than HIPAA's, but for a Thai business it is still very high.


Cher — CherCode

Full-Stack Developer & Founder

Software developer with 5+ years of experience in Web Development, AI Integration, and Automation. Specializing in Next.js, React, n8n, and LLM Integration. Founder of CherCode, building systems for Thai businesses.
