Wiz Studio Labs · The Wiz Journal · Strategy

Does your Malaysian business website need a privacy policy under the PDPA 2025 rules?

Malaysia's PDPA amendment took full force on 1 June 2025, and it changed what your website must show. Here is the plain-language answer for SME owners: when you need a privacy notice, when you must publish a DPO email, and what the RM 1 million penalty actually applies to.

Dan Duar · 12 June 2026 · 9 min read

[Image: a calm bone-coloured editorial flat-lay of a closed laptop, a document embossed with a shield, and a single signal-orange gem object as the only colour accent]

If you run a Malaysian business with a website, the data-protection rules you were quietly ignoring changed in 2025. The Personal Data Protection (Amendment) Act 2024 came into force in stages and reached its most demanding phase on 1 June 2025. Most SME owners never got the memo.

This is not a legal lecture. It is the practical version: what your website actually has to show now, what is optional, and where the real risk sits. I build websites for Malaysian SMEs for a living, so this is written from the point of view of the page, not the courtroom.

Above: the compliance layer of a Malaysian SME website is mostly text, a bilingual privacy notice and a reachable data contact, not a costly add-on. Last updated: 12 June 2026.

The short answer

Yes, almost every Malaysian business website should carry a privacy notice, because the moment your site collects a name, an email, or a phone number through a contact form, you are processing personal data and the PDPA applies. A separate, stricter rule then decides whether you must also appoint a Data Protection Officer and publish their email on your site.

Key takeaways

  • A privacy notice has been required since the original PDPA 2010, under the Notice and Choice Principle (Section 7), and it must be written in both Bahasa Malaysia and English.
  • From 1 June 2025, you must appoint a Data Protection Officer if you process the data of more than 20,000 individuals, sensitive or financial data of more than 10,000, or run regular and systematic monitoring (DLA Piper).
  • If a DPO is required, you must publish their business contact details, including a dedicated email, on your website and in your privacy notice (Donovan & Ho; DLA Piper).
  • The maximum fine for breaching the data protection principles rose from RM300,000 to RM1,000,000, and jail from two to three years (Mayer Brown).
  • A data breach now must be reported to the Commissioner within 72 hours and to affected individuals within 7 days where it risks significant harm (Ecovis; DLA Piper).

"The maximum fine for breaches of the data protection principles has been increased from RM300,000 (~USD70,000) to RM1,000,000 (~USD236,000), and the maximum imprisonment term from two to three years." Source: Mayer Brown, Key Amendments to Malaysia's PDPA (July 2025)

What is the PDPA, and does it apply to a small business?

The PDPA is Malaysia's Personal Data Protection Act 2010, and it applies to any business that processes personal data in commercial transactions, small businesses included. There is no headcount or revenue floor that exempts an SME. If you collect customer details to sell or deliver something, you are a data controller under the Act and its obligations apply to you.

This matters because Malaysia is now almost fully online. DataReportal's Digital 2026 report counted 35.4 million internet users in the country in October 2025, an internet penetration rate of 98.0 percent. Your customers reach you through a web form, a WhatsApp link, or a booking field, and every one of those is a point where you collect personal data the law now watches more closely.

Does my website legally need a privacy policy?

In practice, yes. The PDPA's Notice and Choice Principle, Section 7, requires a data user to give the individual a written notice describing what data is collected, why, who it is shared with, and how to contact you, at the point you first collect it. A privacy notice on your website is the standard way to satisfy this, and it has been a requirement since the original 2010 Act, not a 2025 invention.

One detail that trips up most SME sites: the notice must be issued in both the national language and English. A privacy page in English only does not meet Section 7. If you are still deciding how many languages your whole site needs, our guide on a multilingual website in Malaysia walks through that separately.

"Under the Notice and Choice Principle, a data user must notify the data subject in writing, in both Malay and English, when the data subject's personal data is being processed, along with a description of that data, the purpose, the source, the contact information of the data user, and the means to limit processing." Source: Lexology, Malaysia PDPA 2010: 7 Key Principles (summary of Section 7)

So the privacy policy is not the new part. The new part is the Data Protection Officer rule that sits on top of it.

What changed on 1 June 2025?

The Amendment Act introduced three obligations that bite directly on businesses: a mandatory Data Protection Officer for organisations above set thresholds, a hard data-breach notification timeline, and far heavier penalties. The Act rolled out in phases through 2025; the DPO and breach-notification duties took effect on 1 June 2025, the last and most demanding of those phases, per ASEAN Briefing and the law-firm guidance that followed.

The amendment also renamed "data user" to "data controller" and, for the first time, placed direct security obligations on data processors (per Mayer Brown). In plain terms, if you outsource your mailing list or your CRM, that vendor now carries its own legal duty, not just you.

Do I need to appoint a Data Protection Officer?

You must appoint a DPO if your business crosses any one of three thresholds. Below all of them, a DPO is good practice but not mandatory. The thresholds, as set out in the Commissioner's guidelines and summarised by DLA Piper, are:

Trigger | Threshold | Typical example
Volume of personal data | More than 20,000 data subjects | A retailer or clinic with a large customer database
Sensitive or financial data | More than 10,000 data subjects | A clinic, insurer, or lender holding health or financial records
Monitoring | Regular and systematic monitoring | Loyalty tracking, behavioural ad retargeting, location tracking

If you cross a line, two things follow. First, you must notify the Commissioner of the appointment within 21 days (DLA Piper). Second, you must make the DPO reachable.

"An organisation must publish the business contact information of its DPO through its website and other official media, its personal data protection notices, or its security policies and guidelines." Source: DLA Piper, Malaysia: Guidelines on Data Breach Notification and DPO Appointment (March 2025), paraphrasing the Commissioner's guidelines

What must my website actually display now?

At minimum, a compliant Malaysian business website carries a privacy notice in Bahasa Malaysia and English, and a clear way to contact the person responsible for data. If you are a DPO-required business, that contact is a dedicated DPO email published on the site. The guidance is specific that the DPO email should be a dedicated, monitored account, not a personal or general inbox (Donovan & Ho).

Here is the honest sorting for an SME:

  • Every site with a contact or enquiry form: a privacy notice (BM and English), stating what you collect and why, with a contact point for data questions. Link it from the form itself, not only from the footer, because Section 7 requires the notice at the point you first collect the data.
  • Sites under all three DPO thresholds: the notice is enough, no DPO email required, but naming a contact is good hygiene.
  • Sites over a threshold (large databases, sensitive or financial data, tracking): add a published DPO email and register the DPO with the Commissioner within 21 days.

This is cheap to get right and expensive to get wrong, which is the whole point of the next section.

What is the real penalty risk?

The maximum fine for breaching the data protection principles is now RM1,000,000, up from RM300,000, with up to three years' jail (Mayer Brown). On top of that, a data breach carries its own clock: notify the Commissioner within 72 hours and affected individuals within seven days where significant harm is likely (Ecovis; DLA Piper).

For a small business, the realistic exposure is not a million-ringgit fine on day one. It is a complaint or a breach that turns a missing privacy notice and an unreachable data contact into evidence that you were never compliant. A proper bilingual privacy notice and a named contact are the difference between a fixable lapse and an indefensible one.

How much does a compliant business website cost in Malaysia?

A compliant site does not need to cost thousands of ringgit, because the essentials are cheap: a bilingual privacy notice, a clear data-contact path, and clean pages a regulator and a search engine can both read. The cost sits in building the site well, not in the compliance layer, which is mostly text. If you want the full pricing picture, we broke down real Malaysian vendor prices in how much a website should cost in 2026.

How does a Wiz site handle this?

Every Wiz Studio Labs site ships with a privacy notice page in Bahasa Malaysia and English, a clearly labelled data-contact field you can point at your DPO email, and clean, crawlable HTML so the page is readable by both regulators and search engines. If your obligations change, the notice is the kind of thing you update in minutes.

We are a website studio, not a law firm, so treat this article as a practical map and confirm your specific thresholds with a qualified adviser. What we can promise is that the website side is handled: the notice exists, it is bilingual, and the contact path is real. Wiz builds and hosts a complete Malaysian SME website for RM 399 a year, one edit included, and you pay only if you keep it. See the templates or start a brief.

A privacy notice is one of those things that costs almost nothing to add and looks negligent to omit. The law has required it since 2010; since 2025, omitting it costs a great deal more.

Frequently asked questions

Does my small business website legally need a privacy policy in Malaysia?
In practice, yes. The moment your site collects a name, email, or phone number through a form, you process personal data and the PDPA applies, with no SME exemption. The Notice and Choice Principle (Section 7) requires a written privacy notice in both Bahasa Malaysia and English, given when you first collect the data. A privacy page is the standard way to meet it.
Do I need to appoint a Data Protection Officer (DPO) for my Malaysian business?
Only if you cross a threshold. Per the Commissioner's guidelines summarised by DLA Piper, a DPO is mandatory if you process personal data of more than 20,000 individuals, sensitive or financial data of more than 10,000, or carry out regular and systematic monitoring. Below all three, a DPO is good practice but not required. If required, notify the Commissioner within 21 days.
Must I publish a DPO email on my website?
Yes, if your business is required to appoint a DPO. Per DLA Piper and Donovan & Ho, you must publish the DPO's business contact information through your website, your privacy notice, or your security policies. The guidance specifies a dedicated, actively monitored DPO email account, separate from personal or general inboxes. Businesses below the DPO thresholds do not need this.
What is the penalty for breaking the PDPA in Malaysia now?
Heavier than before. Per Mayer Brown, the maximum fine for breaching the data protection principles rose from RM300,000 to RM1,000,000, and the maximum jail term from two to three years, under the Amendment Act in force from 2025. Separately, a data breach must be reported to the Commissioner within 72 hours and to affected individuals within 7 days where significant harm is likely.
Does my privacy policy have to be in Bahasa Malaysia as well as English?
Yes. Section 7 of the PDPA, the Notice and Choice Principle, requires the written privacy notice to be issued in both Bahasa Malaysia and English at the point you first collect personal data. A privacy page in English only does not meet the requirement. This has applied since the original 2010 Act, not just the 2025 amendment.
How much does a compliant business website cost in Malaysia?
A compliant site does not need to cost thousands of ringgit. The essentials are a bilingual privacy notice, a clear data-contact path, and clean, crawlable pages. Wiz Studio Labs builds and hosts a complete Malaysian SME website, with a bilingual privacy notice and a data-contact field, for RM 399 per year, one edit included, and you pay only if you keep it.

About the author

Dan Duar

Founder, Wiz Studio Labs · Director, DNE Forwarding

Writes The Wiz Journal on websites, SEO, and digital growth for Malaysian SME owners. Previously a senior data analyst at Grab and a tech consultant at EY. BNI Integrity Shah Alam member.
