Thailand’s Personal Data Protection Committee (PDPC) has released separate guidelines for data controllers to follow in obtaining data subjects’ consent and notifying data subjects of required information (i.e., regarding collection, use, or disclosure of their personal data). By following the guidelines, data controllers can mitigate the risk of violating the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The Guidelines on Obtaining Consent from the Data Subject according to the PDPA and the Guidelines on Notification of Purposes and Details upon the Collection of Personal Data from the Data Subject according to the PDPA were issued on September 7, 2022. Consent Guidelines The PDPC’s guidelines on obtaining consent list the requirements for consent to be considered valid. These requirements include stipulations on timing of requests, elements that need to be included in requests, and the nature of requests. For instance, consent must be obtained before or at the time of obtaining personal data, and data subjects must be informed of both the purposes and details of the personal data handling, among other specific requirements. In turn, there must be a clear affirmative act of the data subject in giving consent. Obtaining consent from minors is subject to more stringent requirements, and data controllers should implement appropriate identification and age-verification measures when collecting personal data about minors. The guidelines give two sets of requirements, depending on the age of the minor—between 10 and 20, and under 10. In general, with the older age group, parental consent is not required in all circumstances, while for the younger age group, parental consent is compulsory for giving consent on behalf of the minor. For a person deemed to be “incompetent” or “quasi-incompetent,” consent must always be given by the legal guardian. Notification Guidelines The guidelines on notifying data subjects when collecting personal data