ETD Digital · Digital Strategy · 13 min read
PDPA Malaysia 2024: What Your Business Website Must Do Now
The Personal Data Protection (Amendment) Act 2024 introduced new obligations for Malaysian businesses. Here is what changed, whether your website complies, and what to fix first.
The Personal Data Protection (Amendment) Act 2024 came into force in late 2024, updating Malaysia’s original PDPA 2010 with new obligations, higher penalties, and a stronger enforcement mandate for the Personal Data Protection Commissioner (PDPC). For Malaysian SMEs, the most immediate impact is on websites — specifically, how you collect personal data, what you tell users, and how you handle consent.
The amendment received Royal Assent and was gazetted on 17 October 2024. It rolled out in three phases: 1 January 2025, 1 April 2025, and 1 June 2025. If your website has a contact form, an analytics pixel, or a newsletter signup, you are already in scope — and the compliance window has passed.
This guide covers what changed, what a compliant Malaysian website must include, and the practical steps to fix the most common gaps without rebuilding your entire site.
What Changed in the 2024 Amendment
The 2024 amendment is the most significant update to Malaysian data protection law since the PDPA was first enacted in 2010. Several changes directly affect how Malaysian businesses operate their websites.
Significantly higher penalties. Maximum fines increased from RM 300,000 to RM 1 million per offence, with imprisonment terms extended to three years. Directors and senior officers can be held personally liable unless they can demonstrate they had no knowledge of the breach and took all reasonable precautions to prevent it.
Mandatory data breach notification. Organisations must notify the PDP Commissioner within 72 hours of discovering a personal data breach. If the breach causes “significant harm” — defined as affecting 1,000 or more individuals, causing financial loss, or enabling identity fraud — affected data subjects must also be notified as soon as practicable. Previously, there was no mandatory notification obligation at all.
Data Protection Officer (DPO) requirements. Organisations that process personal data of more than 20,000 individuals, or sensitive/financial data of more than 10,000 individuals, must appoint a formally qualified DPO. The DPO must be Malaysia-resident and fluent in both Malay and English. For most small business websites, mandatory DPO appointment does not apply — but nominating a responsible person internally is strongly recommended.
Expanded sensitive personal data. Biometric data, genetic data, and certain location data are now explicitly classified as sensitive personal data requiring heightened protection. If your website collects any of these (for example, through facial recognition login), additional safeguards apply.
Direct processor accountability. Third-party service providers — including website hosting companies, CRM platforms, and email marketing tools — now face direct liability under the PDPA’s Security Principle, not just your organisation. You remain responsible for ensuring the vendors you use are also compliant.
Enhanced data subject rights. Users now have a right to data portability — the ability to request their personal data in a machine-readable format for transfer to another service provider. Combined with the existing rights to access and correction, your website needs a clear process for handling such requests.
For current penalty figures and the latest guidelines, verify at pdp.gov.my, the Commissioner's official site.
Does Your Website Need to Comply?
The short answer is yes — almost certainly. The PDPA applies to any commercial organisation that processes personal data in the course of a transaction in Malaysia. Your website needs to comply if it does any of the following:
- Has a contact form that collects name, email address, or phone number
- Uses Google Analytics, Facebook Pixel, or any other tracking or analytics tool
- Has a newsletter signup or email marketing opt-in
- Sells products or services online and collects customer billing or shipping data
- Has a WhatsApp chat widget (these often collect device information)
- Has a login system, user accounts, or membership portal
- Runs retargeting ads based on website visitor behaviour
If your website interacts with any Malaysian user and collects any information about them — even passively through analytics — the PDPA applies. The 2024 amendments did not narrow the scope; they expanded it and raised the consequences for non-compliance.
If you are uncertain, assume you are in scope. The cost of a compliance audit is far lower than the cost of an enforcement action.
The Mandatory Website Requirements Under PDPA
A PDPA-compliant Malaysian website must have several specific elements in place. These are not optional best practices — they are legal requirements.
1. Privacy Notice
A privacy notice is mandatory, not optional. It must be accessible from every page of your website — the standard approach is a link in the footer. Your privacy notice must include:
- What personal data you collect — list the specific types (name, email, phone, device identifiers, browsing behaviour, etc.)
- Why you collect it — the purpose for each category of data
- Who you share it with — list all third parties, including Google Analytics, Facebook, email marketing platforms, payment processors, and any other service that receives user data
- How long you keep it — your data retention period for each category
- User rights — users’ rights to access their data, request corrections, withdraw consent, request portability, and lodge complaints with the PDPC
- How to exercise those rights — a contact email or process for submitting requests
- Contact details — of the person or team responsible for data protection in your organisation
The notice should be written in plain language. The PDPA requires notices to be provided in both Bahasa Malaysia and English. The PDPC has sample templates available at pdp.gov.my.
2. Informed Consent Mechanism
For data collection that goes beyond what is strictly necessary to deliver your service, you must obtain informed consent. This means:
- Consent must be given actively — pre-ticked boxes do not constitute valid consent
- Users must be informed of what they are consenting to before they consent
- Consent must be as easy to withdraw as it was to give
A checkbox at the bottom of your contact form that says “I agree to the privacy policy” — linked to an actual, readable policy — is the minimum. Implied consent (“by using this website you agree to our terms”) does not satisfy the PDPA’s consent requirement for non-essential data processing.
3. Data Subject Rights Notice and Process
Users must be told they can request access to their personal data, request corrections, or withdraw consent at any time. Your website must have a working process for handling these requests. In practice:
- Include a dedicated email address (e.g., [email protected]) for data requests
- Respond to access or correction requests within the statutory 21 days of receiving them, and log the date each request arrives so the deadline can be evidenced
- Document how you handle and track incoming requests
4. Retention and Deletion Policy
You must have a documented policy for how long you keep personal data and how you delete it when that period expires. This does not need to be published on the website in full, but your privacy notice must reference your retention periods, and internally you must have a process to enforce them.
Cookies and Analytics: What You Must Disclose
This is the area where most Malaysian business websites fall short — and where the gap between current practice and PDPA compliance is widest.
Google Analytics places cookies on every visitor’s device and collects data including IP addresses, device type, browser, pages visited, and time spent on site. Under the PDPA, this constitutes personal data processing. You must disclose it in your privacy notice.
Facebook Pixel does the same, and additionally links website behaviour to Facebook user profiles for ad targeting purposes. If you run Facebook or Instagram ads and use the Pixel, this is particularly sensitive data processing that must be disclosed explicitly.
LinkedIn Insight Tag, TikTok Pixel, and similar tools operate identically — if you use them, each must be listed in your privacy notice with a description of what data they collect and why.
Retargeting. If you show ads to people who previously visited your website, you are processing behavioural data to deliver those ads. This processing chain — from initial site visit to retargeted ad — must be disclosed.
Cookie consent banner. Best practice, and increasingly the expectation of regulators, is to inform users of non-essential cookies before they are set and to give users the ability to accept or reject them. At minimum, your privacy notice must clearly explain the cookies you use. For sites that want to meet a higher standard, a consent management tool that blocks tracking scripts until the user accepts is the right approach.
Your privacy policy must name every third-party service that processes user data from your website, what data each service collects, and what it is used for. A generic “we use third-party analytics” statement is not sufficient.
Five Changes to Make to Your Website This Week
Most PDPA compliance gaps on Malaysian business websites can be addressed without a full redesign. Here are the five highest-priority changes, in order of importance:
1. Check your privacy policy. Does one exist? Is it linked from the footer of every page? Does it cover all the mandatory elements described above — data types, purposes, third-party sharing, retention periods, user rights, and contact details? If the answer to any of those is no, rewriting or updating your privacy policy is the first task. ETD Digital can provide a Malaysian PDPA-compliant privacy policy template on request.
2. Add a cookie consent banner. If your site uses Google Analytics, Facebook Pixel, or any other tracking cookies, you need to inform users before those scripts are activated. On WordPress, plugins like Complianz or CookieYes handle this automatically. On custom-built websites, implementation requires a developer — the banner must actually delay loading tracking scripts until consent is given, not just appear as a decorative notice.
3. Review your contact forms. Each form that collects personal data should include a one-line explanation of why you are collecting it. For example: “We collect this information to respond to your enquiry. We do not share your details with third parties without your consent. Read our Privacy Policy.” This single addition brings your forms into basic compliance with the Notice and Choice Principle.
4. Add a data subject rights process. Create a dedicated email address — [email protected] or [email protected] — where users can submit data access, correction, or deletion requests. Add this address to your privacy policy. If your website has user accounts, consider whether you need a self-service “delete my account” feature.
5. Document your data retention policy. Decide how long you keep different categories of data: contact form submissions, customer purchase records, newsletter subscriber lists, analytics data. Write it down. Delete data that has exceeded its retention period. This internal document does not need to be public-facing, but it must exist — and if the PDPC ever investigates, you will need to produce it.
When You Need a Developer’s Help
Some PDPA compliance requirements are content changes you can make yourself. Others require technical implementation — and doing them incorrectly is worse than not doing them at all, because it creates the appearance of compliance without the reality.
Cookie consent that actually works. A banner that appears but does not block tracking scripts is not compliant. Implementing a proper consent management platform requires a developer to modify how scripts are loaded, conditionally triggering them only after user consent is recorded.
Form redesigns. Adding proper consent checkboxes, purpose statements, and conditional logic to forms — particularly multi-step or dynamic forms — typically requires developer involvement, especially on custom-built websites.
“Delete my data” flows. If your website has user accounts or a customer portal, users now have the right to request deletion of their data. Building a functional workflow for this — one that actually removes data from your database, CRM, email platform, and any backups — requires careful technical planning.
Checkout and e-commerce consent. If you sell online, your checkout process may need updates to ensure data collection at point of sale meets PDPA consent requirements, including for payment processing and order fulfilment.
TLS and security. All pages of your website, not just the checkout, should be served over HTTPS, with plain HTTP requests redirected to HTTPS and no forms, scripts or images loaded over HTTP on an otherwise secure page (browsers block or warn on such mixed content, and a form posted over HTTP exposes the personal data it carries in transit). If any page is still on HTTP, this is both a security risk and a compliance gap. A developer can ensure TLS (still commonly called SSL) is correctly configured site-wide, including automatic certificate renewal so the site does not fall back to browser warnings when a certificate expires.
Audit trails. If your business sector requires proof of consent or documented data handling, you may need a technical system for recording and retrieving consent events and data processing logs.
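The script-gating the cookie-consent paragraphs above call for (a banner that keeps tracking tags inert until consent is recorded, with withdrawal as easy as acceptance) and the consent record an audit trail needs, as an added example. This is not code from ETD Digital or from any consent plugin named on this page. It assumes a markup convention chosen for the example (tracking tags embedded with `type="text/plain"` and a `data-consent` attribute), a notice version string you bump whenever the privacy notice changes, and a backend endpoint of your own for the audit events, which is not shown.

```javascript
// Consent-gated loading of tracking tags for a cookie banner (added example).
// Assumed markup, chosen for this example: tracking tags ship inert as
//   <script type="text/plain" data-consent="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
// Browsers do not execute a <script> whose type is not a JavaScript MIME type,
// so nothing is fetched or run until this module swaps the tag for a live one.

const CATEGORIES = ["analytics", "marketing"]; // non-essential categories only
const NOTICE_VERSION = "2025-06";              // assumption: bump when the privacy notice changes
const STORAGE_KEY = "pdpa_consent";

// Minimal localStorage stand-in so the logic also runs outside a browser (tests, SSR).
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// `store` is anything with getItem/setItem (pass window.localStorage in the browser);
// `clock` is injectable so consent timestamps are testable.
function createConsentManager(store, clock = () => new Date()) {
  const events = []; // consent events; an audit trail would POST these to your backend (assumption)

  function read() {
    const raw = store.getItem(STORAGE_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; } // corrupt record counts as no consent
    // Consent given against an older notice is stale: re-ask rather than assume.
    if (!rec || !rec.granted || rec.version !== NOTICE_VERSION) return null;
    return rec;
  }

  function write(choices, action) {
    const granted = {};
    // Only an explicit `true` counts; nothing is pre-ticked or inferred from truthy values.
    for (const c of CATEGORIES) granted[c] = choices[c] === true;
    const rec = { version: NOTICE_VERSION, at: clock().toISOString(), granted };
    store.setItem(STORAGE_KEY, JSON.stringify(rec));
    events.push({ action, ...rec });
    return rec;
  }

  function has(category) {
    const rec = read();
    return rec !== null && rec.granted[category] === true;
  }

  return {
    needsBanner: () => read() === null,     // no valid record: show the banner, load nothing
    accept: (choices) => write(choices, "consent"),
    withdraw: () => write({}, "withdraw"),  // one call, as easy as accepting
    has,
    auditLog: () => events.slice(),
    // Which inert tags may go live. `tags` are { category, ... } descriptors.
    allowed: (tags) => tags.filter((t) => CATEGORIES.includes(t.category) && has(t.category)),
  };
}

// Browser glue: replace inert tags of consented categories with executable ones.
// `doc` is injectable (document in the browser); returns the categories activated.
function activateConsentedTags(manager, doc) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = inert.map((el) => ({ category: el.getAttribute("data-consent"), el }));
  const activated = [];
  for (const { category, el } of manager.allowed(tags)) {
    // A fresh element is required: changing `type` on an already-parsed script does not run it.
    const live = doc.createElement("script");
    if (el.src) live.src = el.src;
    live.text = el.text;
    el.replaceWith(live);
    activated.push(category);
  }
  return activated;
}

// Page wiring; skipped outside a browser.
if (typeof document !== "undefined") {
  const consent = createConsentManager(window.localStorage);
  if (!consent.needsBanner()) activateConsentedTags(consent, document); // returning visitor
  // Banner "Accept" handler: consent.accept({ analytics: true, marketing: false });
  //                          activateConsentedTags(consent, document);
  // "Withdraw" link in the privacy notice: consent.withdraw(); then reload the page.
}
```

Two caveats a developer should build around: withdrawing consent does not unload a script that is already running in the current page, so reload after `withdraw()`; and cookies a vendor has already set (often on its own domain) cannot be deleted from your JavaScript, so withdrawal should also trigger whatever opt-out the vendor provides and, where the cookie is on your domain, expire it explicitly.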
ETD Digital can audit your existing website for PDPA compliance gaps and implement the technical changes required — without rebuilding your site from scratch.
Frequently Asked Questions
What are the penalties for non-compliance with PDPA Malaysia 2024?
The 2024 amendment significantly increased penalties. Organisations found guilty of breaching the PDPA now face fines of up to RM 1 million and/or up to three years imprisonment per offence — up from the previous maximum of RM 300,000 and two years. Directors, managers, and senior officers can be held personally liable in addition to the organisation. For current and authoritative penalty figures, refer to pdp.gov.my or consult a Malaysian legal practitioner.
Does PDPA apply to Malaysian businesses that collect data from foreign customers?
The PDPA applies to personal data processing carried out in Malaysia. If your website is hosted and operated in Malaysia and collects data from foreign visitors — whether from Singapore, Australia, the UK, or elsewhere — the PDPA applies to that processing. For businesses that specifically target EU customers, GDPR may also apply as a separate and additional compliance obligation. GDPR is extraterritorial in scope and applies regardless of where your business is based if you are targeting EU residents.
Is a privacy policy the same as a cookie policy?
No. A privacy policy covers all personal data processing by your organisation — how you collect, use, store, share, and delete personal data. A cookie policy (or cookie notice) specifically addresses the cookies your website sets: what types are used, their purpose, how long they last, and how users can manage or opt out of them. You can combine both in a single document or maintain them separately. Most Malaysian SMEs combine them for simplicity under a single “Privacy & Cookie Policy” page. Either approach is acceptable, provided the content covers both areas fully.
Do we need to hire a Data Protection Officer (DPO)?
The 2024 amendment introduced mandatory DPO requirements for certain categories of organisations — specifically those processing personal data of more than 20,000 individuals, or sensitive or financial personal data of more than 10,000 individuals, or conducting systematic large-scale monitoring of individuals. For most Malaysian SMEs operating standard business websites, mandatory DPO appointment does not apply. However, nominating a responsible person internally to own privacy matters, respond to data subject requests, and oversee compliance is strongly recommended regardless of size. For definitive guidance on whether your organisation is required to appoint a DPO, verify at pdp.gov.my.
Our website was built in 2019 — do we need to rebuild it to be compliant?
Not necessarily. The majority of PDPA compliance work on a business website involves content changes — rewriting or adding a privacy policy, updating form wording, adding consent notices — and adding tools like a cookie consent manager. A full website rebuild is rarely required for compliance purposes alone. What is more common is a targeted compliance audit that identifies the specific gaps on your existing site, followed by focused fixes. If your site is also outdated in terms of design, performance, or mobile responsiveness, a redesign project might address both compliance and broader website quality at the same time — but it is not a compliance requirement on its own.
If you are unsure whether your website meets PDPA 2024 requirements, contact us for a compliance audit. We will review your website, identify the gaps, and implement the fixes. WhatsApp Edwin: +60174377640