That data you collect at checkout carries legal obligations.
Malaysia’s Personal Data Protection Act 2010 (PDPA) applies to every ecommerce seller who processes personal data in connection with a commercial transaction. That means you. Whether you run your own Shopify store, sell on Shopee and Lazada, or operate both, the law requires you to handle customer data by specific rules, disclose what you do with it, and respond to breaches within a defined window.
The 2024 Amendment (in force from 1 June 2025) significantly strengthened the law. Maximum fines increased to RM 1,000,000, mandatory breach notification arrived, and the terminology shifted from “data user” to “data controller.” This guide covers what changed, what it means for your store, and exactly what you need to do to comply.
What Does PDPA Cover for Ecommerce Sellers?
The PDPA 2010 (Personal Data Protection Act) is Malaysia’s primary data privacy law, administered by the Department of Personal Data Protection (JPDP) at pdp.gov.my. It governs how personal data is collected, processed, stored, and disclosed by any person carrying out a commercial transaction in Malaysia.
Personal data means any information that directly or indirectly identifies a living individual. For an ecommerce seller this includes: customer full names, delivery addresses, phone numbers, email addresses, payment card details, purchase history, and IP addresses linked to account activity.
The law distinguishes two roles:
- Data controller (formerly “data user”) — the entity that determines the purpose and means of processing personal data. If you run an online store, you are the data controller.
- Data processor — a third party that processes data on behalf of the controller. Your courier partner, payment gateway, and email marketing platform are data processors.
The PDPA applies only to commercial transactions, so purely personal data handling is excluded. But any data you collect in the course of selling, marketing, or fulfilling orders counts as commercial, which covers the full range of ecommerce activity.
For a broader view of compliance obligations for Malaysian online sellers, see our ecommerce compliance checklist.
Who Must Comply with PDPA?
Any Malaysian ecommerce seller who collects personal data in connection with a commercial transaction must comply. There is no revenue threshold, no employee count minimum, and no exemption for marketplace sellers.
That said, compliance looks different depending on your setup:
Direct Online Store Sellers
If you operate your own website or Shopify store, you are the primary data controller. You determine what data you collect at checkout, how you store it, which third-party apps access it, and how you communicate with customers after purchase. You are responsible for your privacy policy, consent mechanisms, and breach notification.
Key data touchpoints to audit: checkout form fields, email marketing opt-ins, abandoned cart tracking, analytics pixels (Google Analytics, Meta Pixel), and any retargeting tools.
Marketplace Sellers on Shopee and Lazada
If you sell exclusively through Shopee or Lazada, those platforms act as data controllers for most customer data. The marketplace sets the checkout flow, stores the customer payment details, and handles the primary data relationship.
However, you become a data controller the moment you:
- Export customer order data to your own CRM or spreadsheet
- Use customer phone numbers or emails for your own marketing
- Build a buyer contact list from marketplace order exports
- Operate a chat or messaging thread that stores customer information
Most active Shopee and Lazada sellers do at least some of these. Once you do, PDPA applies to your handling of that data, separately from what the platform does.
The Seven PDPA Principles That Apply to Your Store
The PDPA is built around seven data protection principles. Every data controller must comply with all seven. Here is what each one means in practice for an ecommerce seller:
1. General Principle
You must have a lawful basis before collecting personal data. For most ecommerce transactions, consent is the primary basis. Customers must actively consent to data collection — pre-ticked boxes do not count as valid consent under Malaysian law.
What this means: Your checkout flow must include a clear, unticked consent checkbox. Language like “I agree to the collection and use of my personal data for order processing and delivery” is the minimum. If you plan to use data for marketing, get a separate consent for that purpose.
2. Notice and Choice Principle
You must inform customers — before or at the point of collection — of the purposes for which their data will be used, their right to opt out of processing for non-essential purposes, and their rights to access and correct their data.
Notice must be provided in both English and Bahasa Malaysia under the law. A privacy policy accessible from your checkout page and footer satisfies the written notice requirement.
3. Disclosure Principle
Personal data cannot be disclosed to third parties without the customer’s consent unless required by law. If you share order data with your courier, fulfilment partner, or payment gateway, those relationships must be governed by a data processing agreement that limits what those processors can do with the data.
Standard platform integrations (Shopee connecting to your courier via API) are covered by the platform’s terms. Custom integrations or third-party marketing tools are your responsibility.
4. Security Principle
You must take practical steps to protect personal data from loss, misuse, modification, unauthorised disclosure, or access. The 2024 Amendment extended the Security Principle obligations directly to data processors for the first time — your logistics and payment partners are now directly accountable for breaches on their end.
Minimum security steps for an ecommerce store: HTTPS (TLS) on every page, strong admin account passwords with 2FA, staff access to customer data limited to those who need it, and a clear process for secure deletion when data is no longer needed.
5. Retention Principle
Personal data must not be kept longer than necessary for the purpose it was collected. The law does not set a fixed period, but a common benchmark for Malaysian ecommerce sellers is 7 years, aligning with the Income Tax Act 1967’s record-keeping requirements for business transactions.
After the retention period, data must be securely deleted or irreversibly anonymised. “Archiving” data indefinitely in a backup folder does not satisfy this principle.
6. Data Integrity Principle
You must ensure personal data is accurate, complete, not misleading, and kept up-to-date. For ecommerce, this means having a process for customers to update their delivery addresses and contact details, and not continuing to market to email addresses that have bounced or accounts that have been deactivated.
7. Access Principle
Customers have the right to request access to their personal data and to request corrections to any information that is inaccurate, incomplete, or misleading. You must respond to access requests within a reasonable period (typically 21 days is considered reasonable practice in Malaysia) and either provide the data or give a written reason for refusing.
What Changed Under the 2024 Amendment?
The Personal Data Protection (Amendment) Act 2024 came into full force on 1 June 2025. It introduced four major changes that directly affect ecommerce sellers:
Mandatory Data Breach Notification
This is the biggest practical change for small sellers. If a personal data breach occurs — meaning unauthorised access to, loss of, or disclosure of customer data — you must:
- Notify the Personal Data Protection Commissioner within 72 hours of becoming aware of the breach
- Notify affected customers within 7 days after the initial notification to the Commissioner, if the breach is likely to cause significant harm
Notification to the Commissioner is made via the JPDP portal at pdp.gov.my. You must describe the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
Penalty for failing to notify: A fine of up to RM 250,000 or imprisonment of up to 2 years, or both.
Increased Penalties
The maximum fine for contravening the data protection principles increased from RM 300,000 to RM 1,000,000 per offence. Responsible officers (directors, partners) can face personal fines and imprisonment of up to 3 years.
This is not a theoretical risk. JPDP has been increasing enforcement activity since 2024, particularly targeting data breaches that were not disclosed to affected customers.
Mandatory DPO for Certain Organisations
From June 2025, organisations engaged in regular and systemic monitoring of personal data, or processing sensitive personal data of 10,000 or more individuals, must appoint a Data Protection Officer (DPO). Most small and mid-size marketplace sellers fall below this threshold. However, if you run behavioural retargeting, operate an email list above 10,000 subscribers, or use personalisation algorithms, review whether the DPO requirement applies to you.
Data Portability Rights
Customers now have the right to request their personal data in a machine-readable format and to request that it be transferred directly to another data controller. This is primarily relevant for larger platforms but is worth noting if you operate a membership or subscription model.
Practical Compliance Steps for Ecommerce Sellers
Here is what a compliant Malaysian ecommerce store looks like, in concrete terms:
Step 1: Audit Your Data Collection Points
List every place your store collects personal data: checkout form, account registration, newsletter sign-up, contact form, live chat, analytics tools, payment processor, and any third-party apps. For each, confirm: is it necessary? Is there a valid consent basis? Is it disclosed in your privacy policy?
Step 2: Create a Compliant Privacy Policy
Your privacy policy must cover:
| Required Element | What to Include |
|---|---|
| Data collected | Name, address, email, phone, payment details, browsing data |
| Purpose of processing | Order fulfilment, delivery, marketing (if applicable), fraud prevention |
| Third-party sharing | Courier partners, payment gateways, marketing platforms |
| Retention period | e.g., 7 years for transaction records |
| Data subject rights | Access, correction, withdrawal of consent |
| Contact details | Email or address for privacy queries |
| Language | Must be available in English and Bahasa Malaysia |
Publish the policy on a dedicated Privacy Policy page and link to it from your footer, checkout page, and any data collection forms.
Step 3: Fix Your Consent Mechanism
Replace any pre-ticked marketing opt-in boxes with opt-in checkboxes that start unticked. Separate the consent for “order processing” (needed to complete the transaction) from “marketing communications” (requires separate explicit consent). Keep a record of when and how each customer consented.
Step 4: Set Up a Breach Response Plan
Document a simple plan: who is responsible for assessing a suspected breach, how to determine whether the breach triggers notification requirements, and the process for filing the notification with JPDP within 72 hours. If you use Shopify or a hosted platform, check your platform’s breach notification obligations — the platform may handle notification for certain infrastructure-level breaches, but breaches involving your own customer data exports remain your responsibility.
Step 5: Establish a Data Retention Schedule
Set a policy for how long you keep different data categories and how it is deleted. A practical starting point for Malaysian ecommerce sellers:
- Order and transaction records: 7 years (Income Tax Act requirement)
- Email marketing data: Until consent is withdrawn or the contact goes inactive for 3+ years
- Account data for inactive accounts: Delete after 3 years of inactivity with prior notice to the customer
- CCTV footage (if any): 30 days unless required for a specific incident
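The schedule above, expressed as rules a nightly cleanup job could apply to each stored record. This is an added example, not code from the guide or from any platform; the record kinds, field names, the "notify before delete" flag for inactive accounts and the legal-hold flag for CCTV footage are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods from the schedule above (a starting point, not legal advice).
RETENTION = {
    "order": ("years", 7),      # transaction records, Income Tax Act benchmark
    "marketing": ("years", 3),  # unless consent is withdrawn earlier
    "account": ("years", 3),    # inactive accounts, with prior notice
    "cctv": ("days", 30),       # unless held for a specific incident
}

@dataclass
class Record:
    kind: str                       # one of RETENTION's keys (assumed field)
    last_activity: date             # last order, click, login or capture date
    consent_withdrawn: bool = False # marketing only
    notice_sent: bool = False       # account only: customer already warned
    legal_hold: bool = False        # cctv only: kept for a specific incident

def years_ago(d, n):
    """Same calendar day n years earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)

def is_expired(rec, today):
    """True once the record's retention period has fully elapsed."""
    unit, n = RETENTION[rec.kind]
    cutoff = years_ago(today, n) if unit == "years" else today - timedelta(days=n)
    return rec.last_activity <= cutoff

def retention_action(rec, today):
    """Return 'keep', 'notify' or 'delete' for one record on a given day."""
    if rec.kind == "marketing" and rec.consent_withdrawn:
        return "delete"          # withdrawal overrides the time limit
    if rec.kind == "cctv" and rec.legal_hold:
        return "keep"            # incident footage is exempt from the 30 days
    if not is_expired(rec, today):
        return "keep"
    if rec.kind == "account":    # warn the customer first, delete on the next run
        return "delete" if rec.notice_sent else "notify"
    return "delete"

def run_schedule(records, today):
    """Group records by action so the job can notify, delete or skip them."""
    plan = {"keep": [], "notify": [], "delete": []}
    for rec in records:
        plan[retention_action(rec, today)].append(rec)
    return plan
```

Deletion here means secure deletion or irreversible anonymisation of the underlying data, including copies in backups, as the Retention Principle requires.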
Frequently Asked Questions
Does PDPA apply to small Shopee or Lazada sellers in Malaysia?
Yes. The PDPA 2010 applies to any person who processes personal data in connection with a commercial transaction, regardless of business size or sales channel. If you collect customer names, delivery addresses, or phone numbers, you are a data controller under the law and must comply with all seven data protection principles.
What are the penalties for PDPA violations in Malaysia?
Following the 2024 Amendment (fully in force June 2025), maximum fines are up to RM 1,000,000 per offence — more than triple the previous RM 300,000 ceiling. Responsible officers can face imprisonment of up to 3 years. Failure to notify a data breach within 72 hours carries a separate fine of up to RM 250,000.
Do I need a Data Protection Officer (DPO) for my ecommerce store?
Not automatically. The June 2025 DPO requirements apply to data controllers engaged in regular and systemic monitoring of personal data (such as behavioural advertising or algorithmic recommendations) or those processing sensitive personal data of 10,000 or more individuals. Most small marketplace sellers fall below this threshold, but a DPO is recommended best practice.
How long can I keep customer data under PDPA Malaysia?
The Retention Principle requires that personal data is not held longer than necessary for the purpose it was collected. For ecommerce, a common benchmark is 7 years to align with tax record-keeping obligations under the Income Tax Act 1967. After that period, data should be securely deleted or anonymised.
What must I include in a privacy policy for my Malaysian online store?
Your privacy policy must cover: what personal data you collect, the purpose of processing, whether data is shared with third parties, how customers can access or correct their data, how long you retain it, and how to contact you with queries. It must be available in both English and Malay under the Notice and Choice Principle.
This guide covers general information about PDPA compliance for ecommerce sellers in Malaysia. It is not legal advice. Regulations change, and individual circumstances vary. Verify current requirements at pdp.gov.my or consult a qualified legal advisor for your specific situation. Last verified: April 2026.
