Thailand Advertiser Identity Verification Rules 2026: New Compliance Framework for Social Media Platforms

Thailand advertiser identity verification has moved from policy debate to enforceable law. On 5 May 2026, the Electronic Transactions Commission (ETC) published Notification No. 2 on Measures for the Prevention of Technology Crime for Online Social Media in the Royal Gazette, with mandatory compliance arriving on 1 November 2026. The rules force every online social media service provider operating in Thailand to verify the identity of every paying advertiser before publishing an ad, retain detailed advertiser records, and align those processes with the Personal Data Protection Act (PDPA). For international platforms, agencies, and brands marketing to Thai consumers, the 180-day clock has already started.

Why Thailand Introduced Advertiser Identity Verification

Thailand has spent the past three years tightening controls on online fraud, call-centre scams, and impersonation advertising. Despite criminal-law amendments and joint enforcement task forces, regulators concluded that ad-funded fraud continued because platforms knew very little about who was actually paying for the ads reaching Thai users. The new ETC notification closes that gap by reframing advertiser onboarding as a financial-grade compliance process.

The notification operationalises the Royal Decree on Measures for the Prevention and Suppression of Technological Crimes B.E. 2566 (2023), which empowered the ETC to issue binding measures against intermediaries that facilitate technology-enabled crime. The 2026 notification is the second in this series and represents the most consequential know-your-advertiser (KYA) regime in Southeast Asia to date.

Key Takeaway: Thailand’s advertiser identity verification rule is not a guideline; it is an enforceable measure under the 2023 anti-technology-crime decree. Platforms that ignore it expose themselves to administrative orders, fines, and potential secondary liability for hosting fraudulent ads after 1 November 2026.

What the ETC Notification Requires

The core obligation is simple in concept but operationally demanding: a social media platform may not publish a paid advertisement directed at users in Thailand unless it has first verified the identity of the advertiser, recorded that verification, and stored the underlying data for a defined retention period. Verification remains valid for up to one year from the most recent successful check.

The Two Permitted Verification Methods

Platforms must choose between two pathways, both of which must produce evidence sufficient to satisfy an ETC audit:

  • Document-based verification. The platform reviews a government-issued identity document — a Thai national ID, foreign passport, or juristic person registration certificate — and cross-checks the human or entity behind the account against that document. For natural persons this typically means a facial-comparison step against the photo ID. The platform must also be able to verify the document itself against a reliable source.
  • Digital identity verification. The platform integrates with an identity verification system whose level of assurance is no lower than the standard prescribed by the ETC. In practice this means alignment with Thailand’s National Digital ID (NDID) framework or an equivalent service offering authoritative attribute checks.

Both methods must be auditable. Platforms cannot rely on self-attested information, social profile verification badges, or payment-card matching alone, even where those signals are strong.

Mandatory Data Collection and Retention

Before publishing an advertisement, the platform must collect and retain at minimum the advertiser’s name, identification number, and contact details. These records must be retained from the start of the advertising relationship and for at least 90 days after the relationship ends. Where a third party (such as a media-buying agency, payment intermediary, or holding company) is paying for the ad, the platform must verify and retain records for that paying party as well.

Key Takeaway: The notification is structured as a compliance pipeline, not a one-off check. Platforms must build identity capture, document review, periodic re-verification, retention, and deletion workflows that can survive a regulatory audit at any point in the advertising lifecycle.

Who Counts as an “Online Social Media Service Provider”

The notification applies to “online social media service providers,” a term that captures a broad set of platforms operating in Thailand, including:

  • Mainstream social networks and short-video platforms used by Thai consumers.
  • Messaging and community apps that allow users to publish public or semi-public content.
  • Marketplaces and content platforms with embedded social functionality where advertisers can run sponsored placements.
  • Specialist platforms (live-streaming, gaming, classifieds) where user-generated content is funded or amplified by paid promotions.

The scope assessment is functional rather than form-based. Even where a platform does not market itself as “social media,” the inclusion of advertiser-funded amplification and user content will typically bring it within scope. International platforms without a registered Thai entity are not exempt — the ETC has explicitly signalled that the regime applies extraterritorially to services targeting Thai users.

PDPA Implications: Identity Data Is Sensitive Data

The verification regime cannot be implemented in a PDPA vacuum. National ID numbers, passport copies, juristic person registration certificates, and facial images are all “personal data” under Thai law, with several elements likely to be treated as sensitive or quasi-sensitive. Platforms must therefore design their KYA flow to satisfy three parallel sets of obligations.

Lawful Basis and Purpose Limitation

Collection for ETC-mandated verification can be justified under the “legal obligation” lawful basis in section 24(6) of the PDPA. However, secondary uses — for example, repurposing facial images for fraud-risk machine learning models or sharing identity data with advertising partners — fall outside the legal obligation and require a separate lawful basis, in most cases explicit consent.

Data Security and Retention

The 90-day post-relationship retention floor is a minimum, not a maximum. Storing verification records longer than necessary increases breach exposure and creates a deletion liability under the PDPA’s storage limitation principle. Platforms should set documented retention ceilings and audit deletion at least quarterly.

Cross-Border Data Transfer

Most global platforms process verification data outside Thailand. The PDPA’s cross-border transfer rules require either an adequacy finding, binding corporate rules, contractual safeguards meeting standards set by the Personal Data Protection Committee (PDPC), or one of the limited derogations. Storing copies of Thai national IDs and passports in jurisdictions without adequate protection is a high-visibility compliance risk that regulators are already focused on. For a deeper breakdown of cross-border transfer mechanics, see our PDPA compliance services overview.

Key Takeaway: PDPA risk often exceeds ETC risk in real-world enforcement. A platform may satisfy advertiser identity verification on paper yet face seven-figure PDPA fines if the supporting data flows have not been re-engineered. Treat the two regimes as a single compliance project.

Operational Impact on International Advertisers and Brands

Although the rule is addressed to platforms, the practical burden flows to anyone paying for ads in Thailand. Brands, agencies, and in-house marketing teams should expect material changes to onboarding and campaign launch:

  • Account verification at the legal entity level. Multinational brands will be asked to provide juristic person registration certificates of the contracting entity, not just the local marketing team or a regional procurement vehicle.
  • Authorised representative documentation. Each person granted ad-account access may need to evidence authority through corporate resolutions, powers of attorney, or company-secretary letters.
  • Agency disclosure. Where media is bought via an agency, both the agency and the underlying brand may need to be verified, particularly for high-budget or sensitive verticals.
  • Higher campaign go-live latency. Verification can take 24–72 hours for natural persons and longer for juristic persons. Last-minute campaign launches that were possible in 2025 will not be possible after November 2026.
  • Re-verification cycles. Because verification expires after one year, brands must build re-verification into their annual marketing operations calendar.

For regulated verticals — financial services, supplements, online gambling-adjacent products, and consumer credit — additional sectoral approvals already apply, and the ETC regime will be layered on top rather than replacing them.

Compliance Roadmap Before 1 November 2026

With 180 days between gazetting and effective date, a realistic compliance programme should follow a phased timeline.

Phase 1: Scoping and Gap Analysis (May–June 2026)

Confirm whether the platform falls within the definition of “online social media service provider.” Map every advertiser onboarding flow, including dormant or self-serve channels. Document the current state of identity capture, retention, and deletion. Identify which data flows leave Thailand and under which transfer mechanism.

Phase 2: Technical and Policy Build (June–September 2026)

Select between document-based and digital identity verification, or implement both for redundancy. Build verification UI flows that satisfy both the ETC notification and PDPA transparency obligations (privacy notice, lawful basis statement, retention disclosure). Update standard advertiser terms of service to reflect verification rights and refusal scenarios. Negotiate or update data processing agreements with verification vendors.

Phase 3: Operational Readiness (September–October 2026)

Train support teams on verification rejection scenarios and PDPA data subject rights. Stand up internal escalation paths for suspected fraud, identity spoofing, and law-enforcement requests. Run a tabletop exercise simulating an ETC inspection and a PDPA breach notification on the same day.

Phase 4: Go-Live and Continuous Monitoring (1 November 2026 onward)

Move every advertiser through verification before ad publication. Lock down the publishing pipeline so unverified accounts cannot bypass the gate, even in beta or A/B test environments. Audit a sample of verifications monthly. Re-verify annually and document the rationale for any exceptions.

Enforcement Risk and Liability Exposure

The ETC has progressively built up enforcement teeth since the 2023 royal decree. Sanctions for failing to comply with technology-crime measures range from administrative orders and corrective action plans to financial penalties and, in the most serious cases, referral to criminal authorities where platforms are deemed to have facilitated fraud. Secondary civil exposure is also realistic: a fraud victim whose loss is traceable to a platform that knowingly hosted an unverified scam advertiser may have grounds for civil action.

For directors of platforms operating in Thailand, personal liability is not automatic but can crystallise where the company fails to put in place reasonable compliance measures despite a clear regulatory deadline. Board-level documentation of the compliance roadmap is a prudent risk mitigation step. International authoritative guidance on technology-crime prevention is available through the Electronic Transactions Development Agency (ETDA), and broader PDPA materials are published by the Personal Data Protection Committee Office.

Key Takeaway: The cheapest path to compliance is to start now. Verification vendor procurement, PDPA cross-border transfer documentation, and internal training cannot realistically be compressed into the final 30 days before 1 November 2026 without significant operational risk.

Strategic Considerations for Foreign Investors

The advertiser identity verification regime is part of a broader Thai regulatory pivot toward platform accountability. In the same window, regulators have introduced digital platform fee transparency rules, draft data subject access request criteria, and tightened oversight of AI-driven content. Foreign investors evaluating new entry into the Thai digital economy should treat compliance infrastructure — not just product–market fit — as a board-level diligence item. For an adjacent regulatory development that often affects the same campaigns, see our analysis of Thailand’s AI advertising regulations for 2026, and follow ongoing coverage on the Lex Bangkok legal news hub.

Done well, the verification regime is also a competitive moat. Platforms that build robust KYA infrastructure can confidently court regulated-vertical advertisers (financial services, healthcare, education) and command premium ad rates. The compliance cost, viewed correctly, is a market-positioning investment.

Frequently Asked Questions

When do the Thailand advertiser identity verification rules take effect?
The ETC Notification No. 2 on Measures for the Prevention of Technology Crime for Online Social Media was published in the Royal Gazette on 5 May 2026 and takes effect 180 days later, on 1 November 2026. Platforms have until that date to put working verification, retention, and re-verification processes in place. Verification, once completed, remains valid for up to one year.
Do the rules apply to foreign-operated social media platforms?
Yes. The notification applies extraterritorially to any online social media service provider whose services reach paying advertisers and users in Thailand. Platforms without a Thai legal entity are still expected to comply, and many will need to revisit how they document compliance for cross-border ETC and PDPA inspections.
What identity documents must advertisers provide?
For natural persons, a government-issued ID such as a Thai national ID card or foreign passport, together with a facial-match step against the photograph on the document. For juristic persons, a company registration certificate or equivalent corporate document. Self-attested information and social-media account verification badges are not sufficient.
How long must verification data be retained?
Platforms must retain advertiser identity data from the start of the advertising service relationship and for a minimum of 90 days after that relationship ends. Many platforms will need longer retention to satisfy tax, anti-money-laundering, and dispute-resolution obligations, but they must document a defensible retention ceiling under the PDPA’s storage-limitation principle.
How does the regime interact with Thailand’s PDPA?
The PDPA applies in full to identity verification data. Platforms must identify a lawful basis (typically legal obligation under section 24(6)), respect purpose limitation, secure the data, and comply with cross-border transfer rules where verification data is processed outside Thailand. PDPA enforcement is increasingly active, and the financial exposure for cross-border or breach failings can exceed the ETC-side penalties.
What happens if a platform publishes an advertisement without verifying the advertiser?
The platform risks administrative orders, financial penalties under the 2023 anti-technology-crime decree, reputational damage, and potential secondary civil liability if the ad facilitates fraud. In serious or repeated cases, executives can be referred to criminal authorities. Boards should document compliance progress to mitigate personal-liability risk.
Do advertising agencies and media buyers also need to be verified?
Where a third party such as an agency, payment intermediary, or holding entity pays for the advertisment, the platform must verify and retain records for that paying party as well as the underlying brand. Multinational brands should expect both their local entity and any media-buying intermediary to be in scope.

Need Help With Thailand Advertiser Identity Verification?

Lex Bangkok advises international platforms, agencies, and brands on every step of Thailand’s evolving digital regulatory regime — from ETC compliance design and PDPA cross-border transfer documentation to vendor contracts, board reporting, and incident response. Speak with our team before the 1 November 2026 deadline.

Schedule a Consultation