You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
July 17, 2025

Thailand Introduces New Obligations for Online Marketplaces

Subscribe to Updates

On July 9, 2025, Thailand issued a notification that introduces comprehensive operational requirements for digital platform service providers operating as goods marketplaces, effective December 31, 2025 (i.e., 180 days after its publication in the Government Gazette).

The regulation’s official name is Notification of the Electronic Transactions Committee Re: Other Actions for Digital Platform Service Operators in the Category of Marketplace for Goods with Specific Characteristics under Section 18(2) of the Royal Decree on the Operation of Digital Platform Service Businesses that are Subject to Prior Notification B.E. 2565 (2022), B.E. 2568 (2025).

Scope of Application

The notification applies exclusively to goods marketplace operators formally designated by the Electronic Transactions Development Agency (ETDA), which on the same day designated 19 platforms that had previously notified the ETDA of their operations. The goods requiring enhanced oversight by these operators are limited to those regulated by the Thai Food and Drug Administration (FDA) and the Thai Industrial Standards Institute (TISI).

Development from Earlier Draft

An earlier draft of the notification had included a requirement for offshore platforms to establish a local entity, but this requirement was removed from the final notification.

Key Obligations

Despite the removal of the local entity requirement, the notification imposes a range of additional obligations on designated goods marketplace operators:

  • Transparency. Operators must implement robust transparency measures, including clear, accessible, and understandable disclosures to users in Thai. These disclosures must cover all relevant terms and conditions, comprehensive product information, and complaint management procedures. Operators must also submit an annual compliance report to the ETDA within 60 days after the end of their accounting period, including statistics on regulated goods.
  • Business user registration and identity verification. Before permitting the sale or advertisement of regulated goods, operators must collect and verify business user information, including contact details, identification documents, registration numbers, bank account details, and self-certification of legal compliance. This information must be cross-checked against government databases or other trusted sources, and verified registration details must be displayed alongside relevant product listings.
  • Product listing and compliance. Operators must establish and enforce policies requiring business users to display evidence of compliance (e.g., licenses, certificates) before listing regulated products. Product listing policies must forbid the listing of prohibited items (e.g., certain drugs, narcotics, IP-infringing goods). Operators must verify the authenticity of compliance documents with relevant government databases prior to listing and offer tools for consumers to independently verify this information. Listings must include detailed product information, such as product name, image (with Thai label), standard or FDA marks, registration or license numbers, and contact channels for the seller or manufacturer.
  • Notice-and-takedown mechanism. Operators must implement a system for users to report illegal or noncompliant products, with categories for product standards, prohibited items, and IP infringement. Reports must be processed within three days, with notifications sent to both the reporting user and the business user. Business users then have three days to dispute the report or provide supporting evidence.
  • Actions against noncompliant business users. Operators must include in their terms of service that failure by business users to provide accurate or complete documentation may result in service suspension for up to thirty days, with written notice and an opportunity to respond. For repeated or serious violations, operators must terminate services and impose the maximum penalties allowed under their terms and conditions.

In addition to the listed obligations, designated platforms are also subject to additional requirements under section 20 of the Royal Decree on Digital Platform Services, including conducting risk assessments and implementing risk mitigation measures, as well as other obligations outlined in the notification.

Operators must also cooperate with the TISI, FDA, and other relevant agencies by providing business user information upon request, particularly in cases involving legal violations.

Next Steps

To prepare for compliance with the new obligations, marketplace operators should:

  • Review the designated list issued by the ETDA to determine whether the platform is subject to the additional obligations under this notification.
  • Review and update internal policies, user terms and conditions, and business user verification systems to ensure alignment with the new regulatory obligations.
  • Establish clear communication channels to handle compliance inquiries, takedown requests, and consumer redress mechanisms.
  • Develop or enhance technical systems to support inspection, reporting, and risk management requirements.
Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

July 9, 2025
On June 16, 2025, the National Assembly of Vietnam adopted Law No. 75/2025/QH15 amending and supplementing a number of articles of the 2012 Advertising Law, with an effective date of January 1, 2026. The amended Advertising Law was enacted to further refine the legal framework for advertising activities in the modern era. Online Advertising Under the amended Advertising Law, “online advertising” is defined to encompass not only advertising on electronic newspapers and electronic information pages (as provided under the 2012 Advertising Law) but also advertising on other electronic venues, including social media, online applications, and digital platforms with internet connection. The amended Advertising Law also imposes new requirements for online advertising, including: Identification signs: Advertisements must have clear identifiable signs in numbers, letters, symbols, images, or sounds to distinguish them from non-advertising content. Control features: For advertisements not in fixed areas, there must be easily recognizable features and icons that allow recipients to turn off the advertisement, notify the service provider of violating advertising content, and refuse to view inappropriate advertising content. Linked content: Content in the links embedded in advertisements must comply with the law. Advertising service providers and publishers must have measures to check and monitor the linked content. Advertising on social media: Organizations and enterprises providing social media services must offer users features to distinguish advertising content from other content. Signage for sponsored content: When advertising, users of social media services must use signs to differentiate advertising or sponsored content from other content they provide. In response to the above requirements for online advertising, the amended Advertising Law sets out obligations of advertisers, advertising service providers, advertising publishers, and advertising conveyers in relation to online advertising. Among these, it is notably the responsibility of individuals and organizations engaging in online advertising to prevent and remove violating
Read More
July 1, 2025
Now halfway through 2025, Thailand continues to advance in the realm of data privacy, with the ambitious goal of achieving zero data breaches. The Personal Data Protection Committee (PDPC), an independent government body established by the Personal Data Protection Act (PDPA), is taking a more proactive approach, having published several rulings and orders to enhance data protection measures and clarify compliance expectations for businesses. Here is a look back at Thailand’s data privacy developments in the first half of the year. Strengthening Law Enforcement and New Guidance for Compliance Enforcement of existing data protection laws and regulations has taken a step forward this year. Some of the specific initiatives include: Increased enforcement by the PDPC. A key trend to watch from the first half of 2025 is the PDPC’s active enforcement of the PDPA as it intensifies oversight through compliance orders and public warnings against noncompliant organizations while ramping up efforts to prevent and halt the illegal trading of personal data by actively monitoring emerging societal issues. Call center scams and cyber fraud control. Thailand published an amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes to strengthen measures against technological crimes, particularly targeting call center scams and cyber fraud. Orders from the Expert Committee. Several orders issued by the Expert Committee under the PDPA were announced in the first half of this year. These include directives for data controllers to take corrective actions to comply with the PDPA, as well as initiatives to raise awareness of data privacy within organizations, reflecting the regulator’s focus on promoting organizational awareness and compliance. A guideline report summarizing the Expert Committee’s decisions and orders was also published to serve as a reference for compliance. Public issue monitoring. The PDPC has been taking a more proactive approach
Read More
June 27, 2025
Three American giants are actively protecting their intellectual property rights against generative AI, as two legal battles commence on both sides of the Atlantic. In the UK, Seattle-based media company Getty Images accuses UK-based Stability AI of multiple IP infringements. In the US, The Walt Disney Company and Universal Studios are teaming up against Midjourney, an AI startup, with their main ground being copyright infringement. Both cases are centered around questions legal minds have been posing since the introduction of generative AI: Is the output of generative AI an infringement? And who is ultimately responsible for the output, the platform or the user? Getty Images v. Stability AI Getty initially filed a claim in the High Court in 2023, which resulted in Stability applying for reverse summary judgment on the grounds that Getty had no real prospect of success, arguing that their operations took place outside the UK. However, the High Court judge hearing the case decided that the claims brought by Getty did have a real prospect of succeeding in court. Despite this, Stability saw a small victory when the court ruled that the representative action brought by Getty would not succeed due to the difficulties in identifying who qualified for the class. The proposed class was comprised of 50,000 rightsholders who alleged their rights were also infringed. Stability was successful in arguing that identifying these individuals would be challenging due to the unclear definition of the class. This current trial is centered around four main grounds: Copyright infringement. Getty accuses Stability of using content that Getty owns or has an exclusive license for when training their model, Stable Diffusion, resulting in the generated output containing substantial parts of that content. Getty is also alleging secondary copyright infringement, arguing that Stability is importing an article into the UK
Read More
June 26, 2025
Vietnam’s new Personal Data Protection Law (PDPL) was passed by the National Assembly on June 26, 2025, and will enter into force on January 1, 2026. The PDPL introduces several new concepts, exemptions, and obligations in comparison with the current Decree No. 13/2023/ND-CP on personal data protection (PDPD), while other contents remain essentially the same. The relationship between the PDPD and the PDPL has not been clearly addressed; however, it is expected that the government will issue a new decree providing necessary guidance on certain requirements under the PDPL, and the PDPD will remain in effect until it is replaced by this new decree. Some key points of the new PDPL include the following: Personal data will be further defined by lists of basic personal data and sensitive personal data to be issued by the government. The consent-centric approach of the PDPD remains in place, along with additional exemptions for certain data processing activities. The requirements for the data processing impact assessment (DPIA) and transfer impact assessment (TIA) remain unchanged. However, there are new exemptions for the TIA, including for the processing and storing in the cloud of employee data, and when the data subject is the person sending its own data outside of Vietnam. Consent obtained under the PDPD remains valid under the PDPL. DPIAs and TIAs submitted under the PDPD are valid under the PDPL but may need to be updated to be in line with the requirements of the PDPL. Administrative fines depend on the type of violation. The fine for sale and purchase of personal data will be 10 times the revenue from the sale or VND 3 billion (about USD 115,000), whichever is higher. The fine for cross-border transfer violations is 5% of the violator’s revenue of the preceding year or VND 3 billion,
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice