PDPA Compliance Guide for Chatbots in Malaysia (2026)
What every Malaysian SME running a WhatsApp, Instagram, or Messenger chatbot needs to know about the Personal Data Protection Act 2010. Written for business owners, not lawyers.
Last reviewed: 10 May 2026 · By Polaris Team
What is PDPA, and why does it apply to chatbots?
The Personal Data Protection Act 2010 (Act 709) is Malaysia's primary data privacy law. It came into force in November 2013 and was substantially amended in 2024 by the Personal Data Protection (Amendment) Act 2024, which added mandatory breach notification, direct security obligations on data processors, a data protection officer requirement, a right to data portability, and revised cross-border transfer rules. The Act is administered by the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP) under the Ministry of Digital, and enforced by the Personal Data Protection Commissioner.
PDPA applies whenever a business processes personal data in connection with a commercial transaction. A chatbot conversation that captures a phone number, name, address, order details or product preference is exactly that. The moment your bot receives a WhatsApp message you are the data user (Section 4 of the Act; the 2024 amendments renamed this role "data controller", so you will see both terms in guidance), and the duties fall on you, not on the platform.
The chatbot vendor is a data processor acting on your behalf. Whether you build in-house, license a SaaS like Polaris, or stitch together no-code tools, you remain accountable for how customer data is handled. Since the 2024 amendments a processor is also directly bound by the Security Principle, but that does not shift your own obligations.
The seven PDPA principles, applied to chatbot automation
Part II of the Act sets out seven principles. Every chatbot in Malaysia has to meet all of them, not just the well-known ones.
1. General Principle (Section 6)
You may only process personal data with the data subject's consent, for a lawful purpose directly related to your business, and only data that is necessary for and not excessive to that purpose. For a chatbot, that means: don't collect more than the conversation requires. A pizza-order bot does not need an IC number.
2. Notice and Choice Principle (Section 7)
You have to tell the person, in both English and Bahasa Malaysia (a requirement of the Personal Data Protection Regulations 2013), what data you're collecting, why, who will receive it, and how they can access or correct it, and you must do so as soon as practicable. For a chatbot, this usually means a Privacy Notice link in the first automated message plus a documented opt-out keyword.
3. Disclosure Principle (Section 8)
Personal data may not be disclosed for any purpose other than the one for which it was collected, or to a third party not previously identified, without the data subject's consent. If your chatbot data is used for marketing analytics, that purpose has to be in the notice.
4. Security Principle (Section 9)
You must take practical steps to protect personal data from loss, misuse, modification, unauthorised access, disclosure, alteration, or destruction. In practice: encryption at rest and in transit, role-based access, audit logs, secure backups, and tight control of the WhatsApp/Meta API tokens your bot authenticates with, since whoever holds those can read and send on every conversation. The 2024 amendments also made breach notification mandatory: the Commissioner must be notified of a personal data breach, and the affected individuals where the breach is likely to cause them significant harm.
5. Retention Principle (Section 10)
Personal data must not be kept longer than you need it for the purpose you collected it for. The Act doesn't set a fixed number, so you need to be able to justify how long you keep data. For chatbot transcripts, a common practice is 6 to 12 months for service quality, after which the content is deleted or stripped of identifying details. Keep a record of what was disposed of and when, so you can show the schedule is actually applied.
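The sweep described above, as an added example written for this page rather than Polaris's own code: each merchant has a retention period (the 180-day default used elsewhere on this page) and a rule for what happens at expiry, delete or anonymise. Derived embeddings go in both cases, because they are computed from the raw text and can be inverted back towards it. Merchant configuration, transcript fields, and the sample conversations are constructed for the example; the identifier patterns are deliberately broad and catch structured identifiers only, which is why delete is the default.

```python
"""Retention sweep for chatbot transcripts (added example, not Polaris code).

Storage is plain dicts and lists so the example runs offline; a real job
would apply the same logic per transcript inside a database transaction.
"""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION_DAYS = 180

# Structured identifiers customers commonly type into a chat.  Where the two
# patterns overlap the digits are still redacted, which is the safe direction
# to err.  Names and addresses are NOT caught by regexes; if they matter, delete.
MYKAD = re.compile(r"\b\d{6}-?\d{2}-?\d{4}\b")                   # 900101-14-5678
MY_PHONE = re.compile(r"(?:\+?60|0)1\d[\s-]?\d{3,4}[\s-]?\d{4}")  # 012-345 6789


def pseudonymise(text: str) -> str:
    """Redact MyKad numbers first (more specific), then phone numbers."""
    return MY_PHONE.sub("[PHONE]", MYKAD.sub("[IC]", text))


def sweep(merchants: dict, transcripts: list, embeddings: dict, now: datetime) -> list:
    """Apply each merchant's retention rule; mutates transcripts and embeddings.

    Returns a disposal record, one tuple per expired transcript, so the
    merchant can show when and how each one was handled.
    """
    record, kept = [], []
    for t in transcripts:
        cfg = merchants.get(t["merchant_id"], {})
        days = cfg.get("retention_days", DEFAULT_RETENTION_DAYS)
        if t["last_message_at"] + timedelta(days=days) > now:
            kept.append(t)            # still inside the retention window
            continue
        # Embeddings derived from the text go whenever the text goes or is redacted.
        for eid in t["embedding_ids"]:
            embeddings.pop(eid, None)
        t["embedding_ids"] = []
        if cfg.get("on_expiry", "delete") == "anonymise":
            t["wa_id"] = None         # the WhatsApp number is the key identifier
            t["messages"] = [pseudonymise(m) for m in t["messages"]]
            kept.append(t)
            record.append((now, t["merchant_id"], t["id"], "anonymised"))
        else:
            record.append((now, t["merchant_id"], t["id"], "deleted"))
    transcripts[:] = kept
    return record


def demo():
    """Constructed sample data: two merchants, four transcripts."""
    now = datetime(2026, 5, 10, tzinfo=timezone.utc)
    merchants = {
        "A": {},                                                  # defaults: 180 days, delete
        "B": {"retention_days": 365, "on_expiry": "anonymise"},
    }
    transcripts = [
        {"id": "t1", "merchant_id": "A", "wa_id": "60123456789", "embedding_ids": ["e1"],
         "last_message_at": now - timedelta(days=221), "messages": ["nak order 2 pizza"]},
        {"id": "t2", "merchant_id": "A", "wa_id": "60129876543", "embedding_ids": [],
         "last_message_at": now - timedelta(days=70), "messages": ["status?"]},
        {"id": "t3", "merchant_id": "B", "wa_id": "60111234567", "embedding_ids": ["e3"],
         "last_message_at": now - timedelta(days=404),
         "messages": ["Deliver to 12 Jalan Bangsar, call 012-345 6789",
                      "My IC is 900101-14-5678 for the warranty"]},
        {"id": "t4", "merchant_id": "B", "wa_id": "60112223333", "embedding_ids": ["e4"],
         "last_message_at": now - timedelta(days=160), "messages": ["thanks"]},
    ]
    embeddings = {"e1": [0.1, 0.2], "e3": [0.3, 0.4], "e4": [0.5, 0.6]}
    record = sweep(merchants, transcripts, embeddings, now)
    return record, transcripts, embeddings


if __name__ == "__main__":
    for row in demo()[0]:
        print(*row)
```

Run it and the disposal record lists t1 as deleted and t3 as anonymised; t3 survives with its number removed and its messages reading "call [PHONE]" and "My IC is [IC]", while the Jalan Bangsar address stays, which is the point about regex redaction.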
6. Data Integrity Principle (Section 11)
Data must be accurate, complete, not misleading, and kept up to date. Chatbots that fill in customer profiles from chat have to handle corrections. When a customer says "wrong number, mine is 012-…", that change must propagate to every copy: the contact record, open orders, and any export or downstream system.
7. Access Principle (Section 12)
The person has the right to see their personal data and correct it. In practice you need a process, even a simple email inbox, to handle access and correction requests within the time limit the Act sets (21 days for an access request under Section 31), and to verify that the requester actually controls the phone number or account before you release a transcript.
Business obligations: registration, notices, consent, rights
Registration as a data user
Section 14 of the Act, read together with the Personal Data Protection (Class of Data Users) Order 2013, requires certain types of business to register with the Commissioner before handling personal data. The classes that must register include communications, banking and finance, insurance, healthcare, tourism and hospitality, transportation, education, direct selling, services, real estate, and utilities. Check the latest official list at pdp.gov.my, since the Order is amended from time to time.
The Personal Data Protection Notice (PDPN)
Every Malaysian business that processes personal data must publish a Privacy Notice in both English and Bahasa Malaysia. For a chatbot, the practical pattern is: link to the bilingual notice in your first automated reply, and have the same notice on your website.
Consent
Consent must be in a form that can be recorded and kept, as the 2013 Regulations require. For chatbots, that means saving when and how consent was given: the message that started the conversation, the notice that was sent in reply, and the fact that the person kept chatting after seeing it. Marketing consent should be collected separately, because the person has a standalone right to stop direct marketing.
Data subject rights
Under sections 30 to 44, people can ask to see their data, correct it, withdraw consent, and stop you using it for direct marketing (Section 43). Your chatbot platform should make all four easy to do. The 2024 amendments also added a right to data portability, subject to technical feasibility and compatible data formats, so a contact can ask for their data in a form they can take elsewhere.
How Polaris meets each principle
Polaris is built for Malaysian rules. Here's how the product handles each PDPA principle in practice.
| PDPA Principle | How Polaris implements it |
|---|---|
| General | Bots are scoped to the merchant's commercial purpose. The training data, system prompt, and tool surface are all limited to what the business actually does. |
| Notice & Choice | First-touch automated notice with a link to a bilingual EN/BM Privacy Notice and an explicit STOP keyword instruction (also documented in the merchant's onboarding template). |
| Disclosure | Conversation data is not shared with third parties beyond the Meta platforms strictly required to deliver messages. No model training on customer chats by default. |
| Security | Encrypted storage, TLS in transit, role-based access for merchant accounts, audit logging on admin actions, and isolated tenant boundaries. |
| Retention | Default 180-day retention on chat transcripts; configurable per merchant. Deletion is irreversible and includes derived embeddings. |
| Data Integrity | Customer profile fields update from the latest authenticated message. Merchants can edit or delete contact records from the dashboard. |
| Access | Data export and deletion are first-class flows: a customer can email the merchant with a verified request and receive their transcript or have it purged. |
The STOP keyword behaviour, in detail
When a contact sends STOP (English), BERHENTI (Bahasa Malaysia), or 停 (Chinese), Polaris:
- Sends a single bilingual confirmation that the user has been opted out.
- Blocks the contact for 30 days. During that time all incoming messages are quietly ignored, with no auto-reply, no handover to a person, and no notification ping. Access or correction requests that arrive on another channel (for example the email inbox named in your notice) are unaffected and still run on the Act's clock.
- Logs the opt-out timestamp and method against the merchant's compliance record.
- Honours subsequent inbound messages from the same contact only if they affirmatively re-engage after 30 days.
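The gate below is an added example written for this page, not Polaris's own code. It ties together three passages: the first-touch notice from the Notice and Choice section, the consent record from the Consent section, and the STOP behaviour just listed. Keyword detection is exact-match after Unicode normalisation, trimming and upper-casing, so "stop", " Stop! " and full-width letters all count but "please stop the order" does not; a substring match would silently opt out a customer who was cancelling one delivery. The notice text, reply strings, contact fields and the sample conversation are all constructed placeholders.

```python
"""Inbound-message gate for a WhatsApp chatbot (added example, not Polaris code).

Bilingual notice on first touch, a consent record once the person keeps
chatting, and a STOP / BERHENTI / 停 opt-out that silences the bot for 30 days
and is logged with timestamp and method.  State lives in dicts so it runs
offline; a deployment would persist Contact rows and the compliance log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
import unicodedata

OPT_OUT_KEYWORDS = {"STOP": "en", "BERHENTI": "ms", "停": "zh"}
BLOCK_DAYS = 30
# Placeholder text; the real notice links to the merchant's bilingual PDPN.
NOTICE_TEXT = ("Privacy Notice / Notis Privasi: https://example.test/privacy  "
               "Reply STOP / BERHENTI / 停 to opt out.")
OPT_OUT_REPLY = "You have been opted out. / Anda telah dikeluarkan daripada senarai."


def opt_out_language(text: str) -> Optional[str]:
    """Return the keyword's language code only if the WHOLE message is an opt-out.

    NFKC handles full-width letters and odd spaces; trailing punctuation is
    dropped so 'Stop!' and '停。' count.  Anything longer than the keyword,
    e.g. 'please stop the order', is ordinary conversation.
    """
    norm = unicodedata.normalize("NFKC", text).strip().upper().rstrip(".!。！")
    return OPT_OUT_KEYWORDS.get(norm)


@dataclass
class Contact:
    wa_id: str
    notice_sent_at: Optional[datetime] = None
    consent_at: Optional[datetime] = None
    opted_out_at: Optional[datetime] = None


class FakeClock:
    """Deterministic clock so the 30-day window can be exercised in a test."""
    def __init__(self, start: datetime = datetime(2026, 5, 10, tzinfo=timezone.utc)):
        self.now = start
    def __call__(self) -> datetime:
        return self.now
    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)


class InboundGate:
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now
        self.contacts: dict = {}
        self.compliance_log: list = []   # (timestamp, wa_id, event, detail)

    def _log(self, ts: datetime, wa_id: str, event: str, detail: str) -> None:
        self.compliance_log.append((ts, wa_id, event, detail))

    def handle(self, wa_id: str, text: str) -> dict:
        """Decide what to do with one inbound message; returns action and reply."""
        now = self._now()
        c = self.contacts.setdefault(wa_id, Contact(wa_id))
        # 1. Inside the silent window: no reply, no human handover, no ping.
        if c.opted_out_at and now < c.opted_out_at + timedelta(days=BLOCK_DAYS):
            return {"action": "drop", "reply": None}
        # 2. Opt-out keyword: one confirmation, start the window, log it.
        lang = opt_out_language(text)
        if lang:
            c.opted_out_at, c.consent_at = now, None
            self._log(now, wa_id, "opt_out", f"keyword:{lang}")
            return {"action": "opt_out", "reply": OPT_OUT_REPLY}
        # 3. First contact, or first message after the window expired: that
        #    message is the affirmative re-engagement, so serve the notice afresh.
        if c.notice_sent_at is None or c.opted_out_at is not None:
            c.opted_out_at, c.notice_sent_at, c.consent_at = None, now, None
            self._log(now, wa_id, "notice_served", "first_touch")
            return {"action": "notice", "reply": NOTICE_TEXT}
        # 4. Continuing after the notice is the recorded consent to proceed.
        if c.consent_at is None:
            c.consent_at = now
            self._log(now, wa_id, "consent", "continued_after_notice")
        return {"action": "process", "reply": None}


def demo() -> list:
    """Constructed conversation: order, opt out, silence, re-engage on day 31."""
    clock = FakeClock()
    gate = InboundGate(now=clock)
    actions = []
    for days_later, text in [(0, "hi, nak order pizza"), (0, "2 large, deliver to Bangsar"),
                             (1, " Stop! "), (0, "hello?"), (10, "please stop the order"),
                             (20, "hi again")]:
        clock.advance(days_later)
        actions.append(gate.handle("60123456789", text)["action"])
    return actions


if __name__ == "__main__":
    print(demo())   # ['notice', 'process', 'opt_out', 'drop', 'drop', 'notice']
```

The window check runs before keyword detection on purpose: a second STOP inside the window must not trigger a second confirmation, and an ordinary message inside it is dropped even if it happens to contain the word. The compliance log is append-only and records the method ("keyword:ms") as well as the time, which is what you will be asked for if an opt-out is ever disputed.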
Sources & further reading
- Personal Data Protection Act 2010 (Act 709), official text: pdp.gov.my/jpdpv2/en/akta-709/ [VERIFY URL path]
- Personal Data Protection Department (JPDP): pdp.gov.my
- Malaysian Communications and Multimedia Commission (MCMC), for direct-marketing and SMS guidance: mcmc.gov.my
- Polaris Privacy Notice: /privacy
- Polaris Security overview: /security
Frequently asked questions
Does PDPA apply to a WhatsApp chatbot used by my Malaysian business?
Yes. The Personal Data Protection Act 2010 (Act 709) applies to any commercial transaction where you process personal data of a person in Malaysia. A WhatsApp number, name, or order detail captured by your chatbot is personal data, and you are the data user under the Act.
Do I need to register with the PDP Commissioner?
Only if your business falls under one of the registrable classes of data users listed under Section 14. Communications, banking, insurance, healthcare, tourism and hospitality, transportation, education, direct selling, services, real estate, and utilities are listed classes. If your business is outside those classes you still have to follow the Act. You just don't need to register.
What counts as valid consent for chatbot conversations?
Consent has to be given freely, be informed, and be recorded so you can prove it. The best approach is a clear notice on first contact ("By replying, you agree to our Privacy Notice: link") plus a documented opt-out keyword such as STOP. Consent for marketing must be collected separately and can be withdrawn at any time.
How long can I keep chat data?
PDPA's Retention Principle requires personal data not to be kept longer than necessary for the purpose it was collected for. There is no fixed number in the Act. Polaris defaults to a 180-day retention window for chat history and deletes content immediately when a user withdraws consent, the PDPA equivalent of a "right to be forgotten" request.
What happens if a customer sends "STOP"?
Under the data subject's rights to withdraw consent (Section 38) and to stop direct marketing (Section 43), the business must stop processing for that purpose. Polaris recognises STOP, BERHENTI, and 停 across English, Bahasa Malaysia, and Chinese, blocks the contact for 30 days, and silently drops further inbound messages so the user is not pinged again.
Where do I find the official PDPA text and guidance?
The Act is published by the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP) at pdp.gov.my. The Commissioner also publishes Codes of Practice for specific sectors, so check pdp.gov.my for the latest list.
Is Polaris PDPA-compliant out of the box?
Polaris is engineered around the seven PDPA principles: encrypted storage, role-based access, 180-day retention, multilingual STOP keyword honouring, consent capture on first contact, and data export/deletion on request. Your business is still the data user, but Polaris gives you the tooling to meet your obligations.
Get the PDPA Compliance Checklist
A one-page checklist mapping each PDPA obligation to a concrete action you can complete this week.