This article is the first of a series of pieces on PDPA compliance for marketing processes in Malaysia. Continue the series by reading Part 2: Individual Rights Under the PDPA and Part 3: Managing Customer Databases for PDPA Compliance.
Marketing is often one of the top business priorities, driving sales, growth, and customer engagement. At the same time, it is also one of the most common and high-risk areas of personal data processing under Malaysia’s Personal Data Protection Act 2010 (PDPA).
This article explains how businesses in Malaysia can carry out marketing activities in compliance with the PDPA, and what they can and cannot do when using personal data for marketing.
Why marketing is a high-risk area
Under Section 2(1) of the PDPA, the Act applies to the processing of personal data carried out in the context of a commercial transaction.
Marketing activities such as promotional emails, sales calls, CRM campaigns, and targeted digital advertising are clearly commercial in nature and fall within the scope of the PDPA. These activities typically involve large volumes of personal data, frequent communications, and the use of automated systems or third-party platforms, which increases compliance risk.
Personal data used in marketing may include names, contact details, email addresses, and customer preferences. Once personal data is involved, PDPA obligations apply regardless of whether the data is described as “marketing data”.
How businesses can meet PDPA requirements
Under Section 7 of the PDPA, a data controller must provide a written notice to data subjects before or at the point of collecting their personal data. This written notice is commonly referred to as a “privacy policy” or “personal data protection notice.”
This notice is intended to explain how a business collects, uses, and discloses personal data. Where personal data is used for marketing purposes, the notice should clearly address the marketing-related aspects of data processing and should, at a minimum, include the following information:
- the types of personal data involved;
- the purposes of marketing (e.g. newsletters and promotions);
- whether personal data will be disclosed to third parties;
- the data subject’s right to withdraw consent and opt out of marketing.
A common compliance failure occurs when businesses collect personal data for one purpose (for example, account registration only) and later use the same data for marketing without proper notice. Under the PDPA, purpose creep is not allowed without proper disclosure and consent.
Examples of providing notice
Once businesses understand their notice obligations, the next practical question is how such notice should be provided in different contexts.
- Online collection (e.g. website or digital forms)
- Physical collection (e.g. booths, events, or retail stores)
- Telephone or call-based collection
Using customers in content
Marketing content often includes customer testimonials, photographs, or videos, such as customer feedback, social media posts, prize-giving photos, or event highlights. If an individual can be identified from the content, it constitutes personal data under the PDPA.
Even where customers voluntarily provide feedback or participate in promotions, businesses must ensure that personal data is used for marketing purposes only with proper consent and transparency.
Common examples include:
- publishing a customer’s written testimonial together with their name or photo
- sharing videos of customers giving feedback about products or services
- posting images of customers receiving prizes, rewards, or attending events
Businesses should ensure that:
- clear consent has been obtained for the use of the individual’s image or testimonial for marketing purposes
- the consent clearly covers where and how the content will be used (e.g. website, social media, advertisements)
- participation in a contest or event is not automatically treated as consent for marketing
- individuals are informed of their right to withdraw consent at any time.
Where consent is withdrawn, the business should take reasonable steps to stop further use of the testimonial or image for marketing purposes, including removing it where practicable.
Where marketing content involves children, consent must be obtained from a parent or legal guardian before the child’s personal data is used for marketing purposes.
Common PDPA breaches in marketing
In practice, many PDPA compliance issues arise not from intentional misuse of personal data, but from common misunderstandings in marketing operations. Typical mistakes include:
- using purchased, scraped, or third-party contact lists without valid consent;
- assuming existing customers have automatically consented to receive marketing communications; and
- failing to update privacy notices to reflect marketing activities.
While these practices may appear operationally convenient, they can expose businesses to significant legal, regulatory, and reputational risks under the PDPA.
Let ELP be your PDPA legal advisors
It’s vital for businesses in Malaysia to recognise that marketing activities constitute regulated personal data processing under the PDPA, and that effective compliance protects not only against regulatory penalties, but also customer trust and brand reputation.
If your organisation requires assistance reviewing marketing consent practices, updating privacy notices, or assessing PDPA compliance risks, feel free to reach out for a consultation.