Explainer

PDPA Enforcement Cases Malaysia: What Ecommerce Sellers Face

SellerLegal Team | 10 min read

This guide is for informational purposes only and does not constitute legal advice. Regulations change frequently. June 2026.

Summary

PDPA enforcement in Malaysia: what triggers an investigation, penalties up to RM 1,000,000, and how the investigation process works for ecommerce sellers.

A missing privacy notice is fixable in an afternoon. An investigation notice from Malaysia’s Personal Data Protection Commissioner takes months to resolve.

The PDPA is not theoretical for ecommerce sellers. The 2024 Amendment tripled maximum fines, introduced mandatory breach notification, and made company directors personally liable. Understanding what triggers enforcement, what penalties actually apply, and how the investigation process works is now a basic business requirement for every Malaysian online seller.

Information verified June 2026. Regulations and enforcement guidance change; verify current requirements at pdp.gov.my.


What Does PDPA Enforcement Cover for Malaysian Ecommerce Sellers?

Malaysia’s Personal Data Protection Act 2010 (PDPA) makes every ecommerce seller who processes customer personal data legally accountable for how that data is handled. Enforcement covers seven data protection principles, breach notification obligations, and data access rights. The Personal Data Protection Commissioner is empowered to investigate, fine, and prosecute violators, with penalties reaching RM 1,000,000 per offence under the 2024 Amendment (in force 1 June 2025).

The Personal Data Protection Commissioner (PDPC) sits under the Ministry of Communications. The Commissioner is empowered by the PDPA to:

  • Investigate complaints from members of the public
  • Conduct audits of businesses without prior notice
  • Issue compliance notices, enforcement orders, and monetary penalties
  • Refer matters to the courts for criminal prosecution

This covers your online store whether you sell on Shopee, Lazada, your own Shopify site, or all three. Processing personal data — names, phone numbers, delivery addresses, order histories, email addresses — in connection with a commercial transaction brings you under the law.

The 2024 Amendment (Act A1748, in force from 1 June 2025) made enforcement significantly more consequential. Maximum fines more than tripled from RM 300,000 to RM 1,000,000. Mandatory breach notification arrived with a strict 72-hour window. And the responsibilities of company directors became personal, meaning the individual at the top of your business faces criminal liability alongside the company itself.

For a complete breakdown of what each of the seven data principles requires, see the PDPA Ecommerce Compliance Guide for Malaysian Sellers.

What Triggers a PDPA Enforcement Action Against a Malaysian Online Business?

PDPA enforcement actions start through four main routes: customer complaints submitted to the Personal Data Protection Department (PDPD), PDPC-initiated audits, referrals from other regulators such as Bank Negara or the Consumer Claims Tribunal, and mandatory breach notifications. Customer complaints remain the most common starting point for formal investigations.


Customer complaints are the most direct trigger. Any customer whose personal data was mishandled, disclosed without consent, or used beyond the stated purpose can file a complaint with the PDPD via pdp.gov.my. The PDPD is required to investigate each complaint it receives.

Situations that commonly generate customer complaints leading to enforcement:

  • Customer data sold or shared with a third-party marketer without explicit consent
  • Delivery address or contact details disclosed to an unauthorized third party
  • Order history or purchase behaviour used for marketing the customer never agreed to
  • Written requests to access or correct personal data left unanswered beyond the required period
  • Promotional messages sent to customers who opted out

PDPC-initiated audits happen without prior notice. The Commissioner’s office can audit any business that processes personal data. Audit triggers include sector-wide compliance sweeps, media-reported incidents, and risk indicators gathered through the complaints process.

Data breach notifications now open a formal inquiry automatically. Under the 2024 Amendment, notifying the PDPC within the mandatory 72-hour window is legally required. That notification itself triggers an assessment of whether your breach response, containment measures, and pre-breach security posture were adequate.

Regulatory referrals happen when another regulator identifies a data handling issue during its own enforcement work. The Consumer Claims Tribunal, Bank Negara Malaysia, and the Securities Commission of Malaysia can all refer relevant matters to the PDPD.

What Are the Actual PDPA Penalties for Ecommerce Sellers in Malaysia?

Under the 2024 Amendment (in force 1 June 2025), PDPA fines for ecommerce sellers reach RM 1,000,000 per offence for violations of the seven data protection principles — a 233% increase from the previous RM 300,000 maximum. Failure to notify the PDPC of a data breach within 72 hours carries a separate fine of up to RM 250,000. Directors and officers face personal criminal liability including up to 3 years’ imprisonment.


The penalty structure across key offence categories, per the Personal Data Protection Act 2010 as amended by Act A1748 (2024):

Offence | Maximum Fine | Maximum Imprisonment
Violation of any Data Protection Principle (Sections 5-11) | RM 1,000,000 | 3 years
Failure to notify PDPC of data breach within 72 hours | RM 250,000 | 2 years
Processing sensitive personal data without explicit consent | RM 1,000,000 | 3 years
Transferring personal data outside Malaysia without safeguards | RM 1,000,000 | 3 years
Failure to comply with a PDPC compliance notice | RM 100,000 | 1 year
Failure to register as data controller (if registration required) | RM 500,000 | 3 years

Source: Personal Data Protection Act 2010 (Act 709), as amended by Act A1748 (Personal Data Protection (Amendment) Act 2024).

Director and officer liability is the provision most ecommerce businesses structured as Sdn Bhds overlook. If a company commits a PDPA offence and it is proved to have occurred with the consent, connivance, or neglect of a director, manager, or secretary, that individual is also guilty of the offence and liable to the same penalties. The fine does not stop at the company level.

Practical exposure for small ecommerce sellers: Most enforcement actions against small operators result in compliance notices and remediation orders rather than maximum-scale fines. However, even a fine in the RM 10,000 to RM 50,000 range (well below the statutory maximum) represents meaningful financial exposure for a seller generating RM 20,000 to RM 100,000 per month in revenue. The financial risk is real even when maximum penalties are reserved for egregious violations.

Is your store creating PDPA enforcement exposure? The free Ecommerce Seller Compliance Checklist covers the data privacy gaps most Malaysian online sellers miss — including the two most common triggers for customer complaints.

What Do PDPA Enforcement Cases in Malaysia Actually Look Like?

PDPA enforcement in Malaysia has historically been complaint-led, with the PDPD resolving most matters through compliance notices and remediation orders before escalating to criminal prosecution. Post-2024 Amendment, enforcement posture has shifted toward more formal action, particularly for breach notification failures and situations where directors are found personally complicit in violations.


Formal court prosecutions under the PDPA through most of the law’s operational history (2013-2024) were limited. The PDPD focused primarily on compliance notices, formal warnings, and directed remediation rather than immediate criminal proceedings. This is consistent with how most data protection regulators in the region operated during the initial years of their data privacy frameworks.

The patterns in investigated cases, based on published PDPD guidance and enforcement notices, show consistent violation categories:

Data disclosure without consent is the most investigated category. This typically involves sellers sharing customer email lists or delivery details with third-party marketers, fulfilment partners, or referral programs without a clear consent mechanism in place at the point of collection.

Privacy notice failures are the second most common finding. Sellers who operate without a published privacy policy, or whose policy does not address the content requirements of the Notice and Choice Principle, are consistently cited. The Notice and Choice Principle requires that customers know what data is being collected, for what purpose, and whether it will be shared with third parties — before that data is collected.

Data access request violations arise when customers submit written requests to access or correct their personal data and receive no response within the legally required period. A documented pattern of ignored access requests carries particular weight in enforcement proceedings.

The enforcement signal post-June 2025: Sellers should treat the updated law as a materially more active enforcement environment than existed before the 2024 Amendment came into force. The tripling of maximum fines, personal director liability, and mandatory breach notification requirements are structural changes to enforcement risk, not incremental adjustments.

How Does a PDPA Investigation Unfold Against an Ecommerce Business?

A PDPA investigation typically begins with a written information request from the PDPD, progresses through document gathering and a formal inquiry, and concludes with a compliance notice, monetary penalty, or prosecution referral. Based on PDPD published procedural guidance, cases commonly take between 3 and 12 months from initial notice to resolution, depending on complexity and cooperation.

Understanding the investigation process helps you respond correctly if a notice arrives — and helps you avoid the missteps that escalate a minor complaint into a major enforcement action.

Stage 1: Complaint receipt or audit initiation

The PDPD receives a complaint or initiates an audit. For complaint-based cases, the PDPD typically attempts informal resolution first: contacting your business to request a response to the complaint. How you respond at this stage meaningfully affects how the case proceeds.

Stage 2: Formal information request

If the initial response is incomplete or a violation appears probable, you receive a formal written information request. This commonly asks for:

  • Your data processing policies and internal procedures
  • Evidence of consent mechanisms used at collection points
  • Data handling agreements with third-party processors
  • Breach response procedures and any incident logs
  • Evidence of staff data protection awareness

Stage 3: Formal investigation

The PDPD escalates to a formal investigation when the evidence warrants it. An investigator may request additional documents, interview relevant personnel, or assess your systems and controls directly.

Stage 4: Outcome

Investigations conclude in one of four ways:

  • No further action: Complaint unsubstantiated or resolved to the PDPD’s satisfaction.
  • Compliance notice: A directive to correct a specific practice within a defined timeframe. Failure to comply with the notice is itself a separate offence under Section 139 of the Act.
  • Civil penalty: A monetary fine issued under the Act.
  • Prosecution referral: Matter referred to the Attorney General’s Chambers for criminal proceedings.

Your most critical obligation at every stage: respond promptly and completely to information requests. Non-response or delayed response is interpreted as non-cooperation and is documented by investigators. It can transform a straightforward compliance issue into an aggravated enforcement action.

For the specific obligations that most commonly generate complaints and investigations, the PDPA Ecommerce Compliance Guide explains each of the seven data principles with practical implementation steps for Malaysian online sellers.

Frequently Asked Questions

Can I Be Fined Under PDPA Even If I Did Not Suffer a Data Breach?

Yes. PDPA enforcement covers all seven data protection principles, not only data breaches. A missing privacy notice, collecting customer data without a consent mechanism, retaining data beyond the stated purpose, or ignoring a written access request can each constitute an offence under the Act. Fines apply regardless of whether personal data was actually lost or misused.

What Is the Maximum PDPA Fine for an Ecommerce Seller in Malaysia?

Under the 2024 Amendment (in force 1 June 2025), the maximum fine is RM 1,000,000 per offence for violations of the seven data protection principles. Failure to notify the PDPC of a data breach within the mandatory 72-hour window carries a separate fine of up to RM 250,000. Directors and managers of companies also face personal criminal liability of up to 3 years’ imprisonment under the personal liability provisions introduced in the 2024 Amendment.

Does PDPA Apply to Small Shopee or Lazada Sellers?

Yes. The PDPA 2010 applies to any person who processes personal data in connection with a commercial transaction, regardless of business size or sales channel. A sole proprietor managing ten orders per day still processes customer names, phone numbers, and delivery addresses — all personal data under the Act. There is no minimum revenue threshold, no minimum order volume, and no marketplace-specific exemption.

What Triggers a PDPA Investigation Against My Online Store?

Investigations are most commonly triggered by customer complaints filed with the PDPD via pdp.gov.my, mandatory data breach notifications submitted to the PDPC, or PDPC-initiated audits. Referrals from other regulators including Bank Negara Malaysia and the Consumer Claims Tribunal are also a documented pathway. A single well-documented complaint from one customer is legally sufficient to open a formal inquiry.

How Long Does a PDPA Investigation Take in Malaysia?

Investigation timelines vary based on complexity and the level of cooperation from the business under review. Cases that resolve through an informal compliance notice can conclude within 3 to 6 months. Formal investigations involving multiple violations or prosecution referrals typically take 6 to 12 months or longer, per PDPD published guidance on its investigation procedures.

