Websites & SEO
PDPA, PIPL and APPI: privacy-compliant websites for APAC
mekyn Editorial
A practical privacy compliance checklist for websites serving Singapore, Hong Kong, China, Japan, Korea, India and the wider APAC region.
A website that serves customers in Singapore, Hong Kong, Tokyo, Seoul, Shanghai, Mumbai and Bangkok simultaneously is operating under at least seven different privacy regimes. None of them is identical to the GDPR, and the differences between them matter. Getting this wrong is not a theoretical risk — enforcement has become routine across the region, and the fines are no longer symbolic.
This guide is a practical starting point for teams that want to ship a privacy-compliant APAC website without turning the legal review into a six-month project.
The regulatory map in 2026
The headline frameworks that matter for most APAC websites:
- Singapore PDPA (Personal Data Protection Act 2012, fully in force since 2014, substantively amended by the 2020 Amendment Act with most changes effective from 2021)
- Hong Kong PDPO (Personal Data (Privacy) Ordinance, in force since 1996, amended in 2021 to criminalise doxxing)
- Japan APPI (Act on the Protection of Personal Information, last substantively amended 2022)
- South Korea PIPA (Personal Information Protection Act, last substantively amended 2023, plus sector-specific add-ons)
- Mainland China PIPL (Personal Information Protection Law, in force November 2021)
- Taiwan PDPA (Personal Data Protection Act, amended 2023)
- India DPDP Act 2023 (Digital Personal Data Protection Act, in force phased through 2025)
- Thailand PDPA (Personal Data Protection Act, in force June 2022)
- Philippines DPA (Data Privacy Act of 2012, with the National Privacy Commission’s ongoing guidance)
- Vietnam PDPD (Personal Data Protection Decree 13/2023, in force July 2023)
- Malaysia PDPA 2010 (Personal Data Protection Act, amended in 2024 with the amendments phased in during 2025)
- Indonesia PDP Law (Law No. 27 of 2022 on Personal Data Protection, in force October 2024)
- ASEAN MCCs (ASEAN Model Contractual Clauses for cross-border data flows, published in 2021; a voluntary contract template endorsed by ASEAN, not a statute)
There is no single “APAC GDPR equivalent”. Each country has its own definitions, consent rules, data-subject rights, breach-notification timelines, and cross-border transfer mechanisms.
The shared foundations
Despite the differences, most APAC frameworks require the same baseline on a website:
- A clear privacy notice. What data is collected, for what purpose, with whom it is shared, how long it is retained, and how the user can exercise rights.
- Consent for non-essential processing. Analytics cookies, marketing pixels and chat widgets that record conversations need a lawful basis. Korea and China require an active opt-in for them; Singapore and Hong Kong allow deemed or implied consent for much of this, and Japan's APPI regulates cookies only once they are linked to an identified person. An opt-in banner is nevertheless the safest single default across the region. Strictly necessary cookies need no consent anywhere.
- Data minimisation. Collect only what is needed for the stated purpose.
- A data-subject access mechanism. An email address or form where users can request access, correction or deletion.
- Security safeguards. Encryption in transit, reasonable access controls, breach response plan.
- Data breach notification. Timelines vary: Singapore requires notification to the PDPC as soon as practicable and no later than three calendar days after the organisation assesses that a breach is notifiable (significant harm, or 500 or more individuals affected), plus notification to affected individuals where significant harm is likely; Korea requires notification to affected individuals without delay and to the PIPC within 72 hours; China's PIPL requires immediate notification to the supervising authority and, unless the harm can be effectively avoided, to the individuals; India requires notification to the Data Protection Board and to affected individuals.
A website that implements these well is in good shape for most APAC markets.
The genuine differences
The details that catch teams out:
- Consent is stricter in some jurisdictions. Korea’s PIPA and China’s PIPL both require explicit, informed consent for most processing — including analytics. Bundled consent in a single “I agree” checkbox is increasingly treated as non-compliant.
- Cross-border transfers need explicit mechanisms. Singapore's transfer limitation obligation is usually met with contractual clauses (the ASEAN MCCs are a recognised template), binding corporate rules, or a specified certification such as APEC CBPR held by the recipient. China requires a CAC security assessment, a standard contract filing or a certification for transfers out of mainland China, with volume-based exemptions added in 2024. India takes the opposite approach: transfers are permitted except to countries the central government restricts by notification. Korea requires a lawful basis for each transfer, most often the data subject's separate consent, and since 2023 also recognises adequacy-style decisions, certification and contractual safeguards.
- Data localisation rules. China, Indonesia and Vietnam have localisation requirements for certain categories of data or operators. Vietnam's rule comes from the Cybersecurity Law and Decree 53/2022 rather than from the PDPD itself: in-scope service providers must keep certain user data stored in Vietnam. China's PIPL requires critical information infrastructure operators, and controllers above a volume threshold, to store personal information domestically.
- Children’s data. Korea, China, Thailand and the Philippines have heightened protections for minors. Age-gating is not optional in those jurisdictions for products aimed at general audiences.
- DPIA thresholds. Korea's PIPA makes a privacy impact assessment mandatory only for public institutions operating personal-information files above set thresholds, and recommends it for private controllers; India requires Significant Data Fiduciaries to run periodic DPIAs and audits.
- Marketing opt-outs. Singapore's PDPA runs a Do Not Call Registry that must be checked before telemarketing calls or messages go to Singapore numbers; Japan requires prior opt-in for marketing e-mail under its anti-spam law; Korea requires separate opt-in consent for marketing messages, with further consent for messages sent at night. The browser Do Not Track header carries no legal weight in any of these regimes.
A privacy notice written for GDPR compliance is a decent starting point but is not sufficient for APAC. The cross-border section in particular needs to be jurisdiction-specific.
Practical implementation on the website
The technical work is more straightforward than it looks:
- Cookie banner with per-category opt-in. Necessary, analytics, marketing — three categories, each independently togglable. Default state: all off except necessary.
- Consent log. Record what the user consented to, when, and which version of the policy they saw. This is what auditors in Korea and Singapore will ask for first.
- Privacy notice page with the elements listed above, written in plain language, in the language of the market. A privacy notice only in English on a Korean-language website is a red flag.
- Data subject request form. An email or form where users can request their data, ask for corrections, or request deletion. Internal SLA: 30 days for most jurisdictions, faster where required.
- Sub-processor list. Disclose every third-party service that processes personal data: hosting, analytics, email, payments, customer support tools. Most APAC frameworks require this disclosure.
- Data retention rules. Document how long each category of data is kept. Analytics cookies: 13 months is a common pattern; form submissions: 12 to 24 months; account data: until the user deletes their account.
- Breach response playbook. Who is notified, in what order, within what timeline. Practice the playbook once a year.
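The per-category banner and the consent log above are the two pieces teams most often get subtly wrong: the default leaks to "on", the log does not record which policy version the user saw, or a stale record keeps loading marketing tags after the notice changes. The following is an added example, not code from the article or any named vendor: a small consent store that only treats an explicit opt-in as consent, records the policy version and timestamp, treats old or tampered records as "ask again", and gates which third-party scripts may load. The policy version, the 13-month expiry, the tag registry URLs and the storage shape are assumptions; storage is injected so the same functions run under Node (in-memory) and in a browser (pass window.localStorage).

```javascript
// Added example, not from the original article. POLICY_VERSION, CONSENT_MAX_AGE_DAYS,
// the tag URLs and the storage key are assumptions for illustration.

const POLICY_VERSION = "2026-01-15";      // assumed: bump whenever the notice text changes
const CONSENT_MAX_AGE_DAYS = 395;          // assumed: roughly 13 months, then ask again
const CATEGORIES = ["necessary", "analytics", "marketing"];
const STORAGE_KEY = "consent.v1";

// Default state: everything off except strictly necessary.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Build a consent record from the banner's choices. Only an explicit `true`
// counts as opt-in; a missing key, false, "on" or any other value stays off,
// and "necessary" can never be switched off. Unknown categories are ignored.
function buildConsentRecord(choices, now = new Date()) {
  const granted = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") granted[cat] = choices[cat] === true;
  }
  return { policyVersion: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

// Persist the record; `storage` exposes getItem/setItem like localStorage.
function saveConsent(storage, record) {
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
}

// Load the record. Null means "show the banner": nothing stored, malformed JSON,
// a record for an older policy version, or one older than CONSENT_MAX_AGE_DAYS.
function loadConsent(storage, now = new Date()) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch { return null; }
  if (!record || record.policyVersion !== POLICY_VERSION) return null;
  const age = now - Date.parse(record.timestamp);
  if (!(age >= 0 && age <= CONSENT_MAX_AGE_DAYS * 86400000)) return null;
  // Re-derive the granted map so an edited record cannot set necessary:false
  // or smuggle in categories that do not exist.
  const choices = record.granted && typeof record.granted === "object" ? record.granted : {};
  return { ...record, granted: buildConsentRecord(choices, new Date(record.timestamp)).granted };
}

// Tag registry: which script belongs to which category (assumed URLs).
const TAG_REGISTRY = [
  { category: "necessary", src: "/static/app.js" },
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];

// Scripts that may be injected for the current record. With no valid record
// (banner not yet answered, or answer expired) only necessary scripts load.
function allowedScripts(record, registry = TAG_REGISTRY) {
  const granted = record ? record.granted : defaultConsent();
  return registry.filter((t) => granted[t.category] === true).map((t) => t.src);
}

// In-memory storage so the file runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Usage: the user ticks analytics; "on" for marketing is not an opt-in.
const store = memoryStorage();
saveConsent(store, buildConsentRecord({ analytics: true, marketing: "on" }));
console.log(allowedScripts(loadConsent(store)));
```

The record written by saveConsent is what the audit trail should contain: send the same object to a server-side log keyed by session or user so the "what, when and which version" question can be answered after the browser storage is gone. Re-deriving the granted map on load, rather than trusting whatever is in storage, is what stops a manipulated or legacy record from widening consent.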
Cross-border architecture decisions
For teams that operate across borders, the architecture questions come early:
- Where is the data stored? Singapore and Hong Kong are common regional hubs. Tokyo and Seoul are common for North Asia. Sydney for Oceania. Choose once, then disclose it accurately.
- Are there backup copies in other jurisdictions? Disclose them, and cover them in the transfer mechanism. A backup held in a third country is a cross-border transfer in its own right; leaving it out of the notice and the transfer paperwork is an undisclosed transfer, not a technicality.
- Is there a single sign-on that crosses borders? Each jurisdiction’s data flows need to be documented separately.
The honest approach is to design the privacy disclosure around the actual architecture, not to invent an architecture that sounds compliant.
The honest baseline
For most APAC SMEs, getting to a defensible baseline requires:
- A well-written, jurisdiction-aware privacy notice in the local language
- A cookie consent banner that respects opt-in
- A documented sub-processor list and data flow
- A breach response plan with named owners
- A data-subject request workflow with a real human responding
These are not expensive. They are the difference between a website that survives an audit and one that makes the news for the wrong reasons.