How to Make Your Website PDPA Compliant in Malaysia (2026 Guide)

pdpa

A practical, website-focused compliance guide for Malaysian businesses and ecommerce stores. Updated for the Personal Data Protection (Amendment) Act 2024.

If your website collects a name, an email, a phone number, a delivery address or a payment detail, it is processing personal data. That puts you under Malaysia’s Personal Data Protection Act 2010 (PDPA). The 2024 amendments, phased in through 2025, raised the stakes: fines up to RM1,000,000, a mandatory data breach notification duty, and a requirement for many businesses to appoint a Data Protection Officer.

This guide is built for the website itself. You will get the seven PDPA principles in a table, a summary of what changed in the 2024 amendments, a page-by-page compliance checklist, how to write a privacy policy section by section, consent wording you can adapt, a breach response plan, and the mistakes Malaysian SMEs make most often.

This is general information, not legal advice. Data protection law changes, and how it applies depends on your specific business. Confirm your obligations with a qualified Malaysian lawyer or a licensed compliance advisor, and check the current text of the Act and guidelines published by the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDN) at pdp.gov.my before you act.

What is the PDPA and who does it apply to?

The PDPA 2010 regulates the processing of personal data in commercial transactions in Malaysia. “Personal data” is any information that can identify a living individual, directly or indirectly: names, IC numbers, emails, phone numbers, addresses, photos, and online identifiers. A subset called “sensitive personal data” covers health, religious beliefs, political opinions, and similar categories, and it gets stronger protection.

The Act applies to any organisation that processes personal data in connection with commercial activity in Malaysia, including businesses established outside Malaysia that use equipment in Malaysia to process data. In plain terms: if you run a Malaysian business website, an online store, a booking form, or a newsletter, you are almost certainly in scope. There is no small-business exemption based on headcount.

One important vocabulary change from the 2024 amendment: the Act now uses “data controller” instead of “data user,” and it places direct legal obligations on “data processors” (the third parties who process data on your behalf, such as a cloud host or an email platform). If you outsource anything that touches customer data, both you and your vendor now carry duties.

The 7 personal data protection principles

Every compliant website has to satisfy the seven principles in the PDPA. These are the backbone of the Act (Sections 5 to 12). Map each one to something concrete on your site.

Principle

What it means for your website

1. General

Do not process personal data without the individual’s consent, and only for a lawful purpose directly related to your activity.

2. Notice & Choice

Tell people, in writing, what you collect, why, who you share it with, and their rights. This is your privacy notice. It must be available in Bahasa Malaysia and English.

3. Disclosure

Do not disclose personal data for any purpose other than the one it was collected for, or to third parties you did not tell the person about, without consent.

4. Security

Take practical steps to protect data from loss, misuse, or unauthorised access: SSL/TLS, access controls, encryption, and vetted vendors.

5. Retention

Do not keep personal data longer than needed for its purpose. Delete or anonymise it when the purpose ends.

6. Data Integrity

Keep data accurate, complete, and up to date. Give users a way to correct their details.

7. Access

Let individuals access and correct the personal data you hold about them on request.

What changed: the 2024 amendments (old vs new)

The Personal Data Protection (Amendment) Act 2024 received royal assent on 9 October 2024 and was brought into force in phases across 2025, with the major operational duties (DPO and breach notification) taking effect from 1 June 2025. This is the biggest overhaul since 2010. The table below summarises the changes that affect websites and online businesses most.

Area

Before

After the 2024 amendment

Maximum penalty (breach of principles)

Fine up to RM300,000, up to 2 years’ jail

Fine up to RM1,000,000, up to 3 years’ jail

Data breach notification

No legal duty to report

Mandatory. Notify the Commissioner as soon as practicable, no later than 72 hours. Notify affected individuals within 7 days of that notice if there is significant harm.

Data Protection Officer

Not required

Mandatory above set thresholds. Register the DPO with the Commissioner within 21 days of appointment.

Data portability

No such right

Individuals can ask you to transmit their data directly to another controller, where technically feasible.

Cross-border transfer

“Whitelist” of approved countries only

Risk-based test: transfer allowed to jurisdictions with substantially similar law or adequate protection, or under stated exceptions.

Terminology

“Data user”

“Data controller”; direct duties now also fall on “data processors”.

Sensitive data / biometrics

Narrower definition

Biometric data expressly treated as sensitive personal data.

Figures, deadlines, and thresholds above reflect the 2024 amendment and the February 2025 JPDN guidelines. Confirm the current position at pdp.gov.my before relying on them.

Do you need a Data Protection Officer?

Under the JPDN Guideline on DPO appointment, you must appoint at least one DPO if you meet any one of these thresholds:

  • You process the personal data of 20,000 or more individuals; or
  • You process the sensitive personal data (including financial data) of 10,000 or more individuals; or
  • Your processing involves regular and systematic monitoring of individuals on a large scale.

The DPO can be an employee or an external appointee, must be contactable, and has to be registered with the Commissioner within 21 days of appointment. Even below these thresholds, naming someone accountable for data protection is good practice.

Website compliance checklist

This is the practical layer. Work through each item on your live site, or hand it to whoever builds and maintains it.

  • Privacy policy / notice published and linked in the footer of every page, available in Bahasa Malaysia and English.
  • Cookie consent banner that appears on first visit and lets users accept or reject non-essential cookies before those cookies load.
  • Unticked consent checkbox on every form that collects personal data (contact, signup, checkout, newsletter). No pre-ticked boxes.
  • Purpose statement next to each form: say why you collect the data and where the full policy is.
  • SSL/TLS certificate active so the whole site runs on HTTPS. See our guide on what web hosting includes.
  • Data minimisation: forms ask only for fields you genuinely need. Drop “nice to have” fields.
  • Third-party tools disclosed: Google Analytics, Meta Pixel, chat widgets, remarketing tags all named in the policy, and gated behind cookie consent.
  • Data subject request route: a clear email or form for people to access, correct, withdraw consent, or request deletion, without needing an account.
  • Retention rule decided for each data type, with a routine to delete or anonymise old records.
  • Payment security: use a reputable gateway rather than storing card data yourself. See the best payment gateways in Malaysia.
  • Vendor / processor agreements in place with hosts and SaaS tools that handle your data.
  • Breach response plan written down so you can hit the 72-hour deadline.

Building or rebuilding your site? Bake these in from day one. Our website launch checklist for Malaysia and the ecommerce launch checklist cover the technical and legal pre-flight together.

How to write a PDPA-compliant privacy policy

The privacy notice is where the Notice & Choice principle lives. Under Section 7 of the PDPA, the notice must be given in both Bahasa Malaysia and English. Build it in these sections:

  1. Who you are. Legal business name, registration number, and a contact address or email (and your DPO’s contact if you have one).
  2. What you collect. List the categories: identity data, contact data, transaction data, technical/usage data, marketing preferences.
  3. Why you collect it. State each purpose plainly: fulfilling orders, responding to enquiries, sending marketing you consented to, fraud prevention.
  4. Legal basis and consent. Explain that processing relies on consent and how it was obtained.
  5. Who you share it with. Name the categories of third parties: payment gateways, couriers, analytics providers, cloud hosts.
  6. Cross-border transfers. If data leaves Malaysia (most cloud tools do), say so and describe the safeguard.
  7. Retention. How long you keep each type of data, or the criteria you use to decide.
  8. Security. A short, honest description of the measures you take.
  9. Individual rights. Access, correction, withdrawal of consent, and the new data portability right, plus how to exercise them.
  10. Cookies. What cookies and trackers you use and how to control them (link to a cookie policy or preferences panel).
  11. Updates. A “last updated” date and how you notify people of changes.

Do not copy a foreign template wholesale. A GDPR policy pulled from a UK site will misstate your obligations and miss the Bahasa Malaysia requirement. Adapt the structure, write it for your actual data flows.

Consent best practices

Consent under the PDPA has to be informed and recordable. On a website that means:

  • Separate and specific. A checkbox for marketing emails is not the same as agreeing to your terms. Keep consent for optional processing (like marketing) separate from the transaction itself.
  • Opt-in, not opt-out. Checkboxes must be unticked by default. Silence is not consent.
  • Plain language. “I agree to receive promotional emails from [Business] and to the processing of my data as described in the Privacy Policy.”
  • Record it. Store what was consented to, when, and the policy version. This is your evidence if challenged.
  • Easy withdrawal. Every marketing email needs an unsubscribe link; the site needs a way to withdraw consent.
  • Cookies before consent. Non-essential cookies (analytics, ad pixels) should not fire until the visitor accepts them.

Cookie consent and third-party tools

Google Analytics, Meta (Facebook) Pixel, TikTok Pixel, live chat, and remarketing tags all set cookies and send data to third parties, often across borders. Each one needs to be disclosed in your privacy and cookie policy, and loaded only after the visitor consents. A consent management tool that blocks scripts until acceptance is the clean way to handle this on WordPress and most platforms. Treat “Accept all” and “Reject all” as equally easy choices, not a dark pattern that hides the reject option.

Data breach response steps

Since June 2025, ignoring a breach is itself an offence. Have this plan ready before you need it:

  1. Contain. Stop the leak: reset credentials, isolate affected systems, revoke access.
  2. Assess. What data, how many people, what harm is likely? Note whether it involves sensitive data or is large scale (the guidelines flag breaches affecting more than 1,000 individuals).
  3. Notify the Commissioner. As soon as practicable, and no later than 72 hours after becoming aware.
  4. Notify affected individuals. If the breach is likely to cause significant harm, tell them without undue delay and no later than 7 days after you notified the Commissioner.
  5. Record and remediate. Document the incident and fix the root cause so it does not recur.

Timelines and the 1,000-individual “significant scale” figure come from the February 2025 JPDN data breach notification guideline; confirm the current guideline before relying on exact numbers.

Penalties for non-compliance

The headline change is the ceiling on fines for breaching the data protection principles, now up to RM1,000,000, with imprisonment of up to three years. Separate offences carry their own penalties, and failing to appoint or register a DPO, or failing to notify a breach, can be enforced independently. Beyond the fine, the reputational damage and lost customer trust from a public breach usually cost more than the penalty itself.

Common mistakes Malaysian SMEs make

  • No privacy policy at all, or one that exists only in English.
  • Pre-ticked consent boxes, or bundling marketing consent into the checkout button.
  • Firing Google Analytics and Meta Pixel on page load, before any cookie consent.
  • Collecting more data than needed (asking for IC numbers or dates of birth with no reason).
  • No SSL, so forms submit customer data over plain HTTP.
  • Keeping every enquiry and order forever, with no retention or deletion routine.
  • Assuming the PDPA does not apply because “we are a small business”.
  • No breach plan, so the 72-hour clock runs out during the panic.
  • Never reviewing the policy after adding new tools or a new CRM.

Pre-launch PDPA checklist

  • Bilingual privacy notice live and linked in the footer.
  • Cookie banner blocks non-essential scripts until consent.
  • All forms have an unticked consent box and a purpose line.
  • HTTPS enforced across the whole site.
  • Every third-party tag named in the policy.
  • Data subject request contact published.
  • Retention periods set and a deletion routine scheduled.
  • Processor agreements with host and key SaaS vendors.
  • DPO appointed and registered if you cross the thresholds.
  • Written breach response plan with the 72-hour and 7-day steps.

Compliance is not a one-off. New plugins, a new email tool, or a new ad pixel all change what data you process, so review your policy and consent flows on a schedule. Ongoing website maintenance keeps the SSL, plugins, and consent tools current, and it is where most of these controls actually get kept up to date. For the broader picture of what a solid site needs, see what makes a good business website and our rundown of key website features.

Not sure your website is PDPA-ready?

Our team builds compliance into every site we design and every store we launch, from bilingual privacy notices to consent-gated tracking. If you want a second opinion first, we are offering a free one-time website health-check worth RM300 that flags PDPA gaps alongside speed, SEO, and security issues.

Explore our web design and development services or ecommerce development.

Request a Quote

Reminder: This article is general information for Malaysian business owners, not legal advice, and it does not create a client relationship. The PDPA and its guidelines are evolving. Verify your specific obligations with a qualified lawyer or licensed compliance professional, and check pdp.gov.my for the current law before you rely on anything here.

Share it :

Is Your Brand Invisible to AI? Find Out Now.

Grab your free AI Visibility Audit to see if AI engines are recommending your services. 100% free, zero obligations.