Outbound Call Regulations in Thailand

Do Not Originate (DNO): Thailand is also combatting spoofed calls through a de-facto DNO approach. Caller ID spoofing – where scammers impersonate phone numbers of government offices or banks – has been a major problem. The National Broadcasting and Telecommunications Commission (NBTC) has ordered telecom providers to block calls from certain numbers that should never originate calls (for example, police station or courthouse lines) which were exploited by call-center fraud gangs.

PDPA Compliance Obligations: Outbound call centers must handle personal data of call recipients in compliance with PDPA principles. This includes providing notice about who is calling and how the person's number was obtained, and ensuring data is used only for the stated purposes. The PDPA imposes duties to protect personal data from leaks or misuse – a relevant point for call centers, as leaked call lists have been targeted by scammers. (Notably, in 2024 the PDPC fined a company 7 million THB after a data breach allowed call-center gangs to obtain customer data.

Extraterritorial Reach: Thailand's PDPA has extraterritorial scope similar to GDPR. The law applies to any data controller or processor "outside of Thailand" if they offer goods/services to individuals in Thailand or monitor behavior of individuals in Thailand.

Direct Marketing License: Thailand regulates call center marketing activities through the Direct Sales and Direct Marketing Act B.E. 2545 (2002). Any business engaging in "direct marketing" (including outbound sales calls) must register with the Office of the Consumer Protection Board (OCPB) before commencing operations.

Call Consent and Recording: Outbound call practices must respect individual consent. If call centers use automated dialing or pre-recorded messages to contact individuals, Thai law effectively treats this as high-impact marketing requiring prior consent. (By contrast, B2B calls to a company's main business number have more leeway – prior consent is not required for marketing calls directed to a general business line.

Caller ID Requirements: Caller identification rules in Thailand require truthfulness about the originating number. Outbound calls must display a valid caller ID – call centers are generally not allowed to hide their number or misrepresent it. The NBTC (telecom regulator) has taken a hard line against caller ID spoofing due to rampant fraud. Telecom operators have been instructed to block calls that use fake caller IDs, especially those impersonating official or otherwise trusted numbers.

Telecom Rules on International Calls: There are special measures for calls that originate outside Thailand. To help the public recognize potential scam calls from abroad, the NBTC requires all mobile operators to prefix incoming international calls with a "+" sign and specific codes.

Call Content and Frequency: Thailand's Consumer Protection Act (CPA) and related regulations set standards for marketing communications. Telemarketing calls must not contain false or misleading statements about products/services.

Other Relevant Authorities

Depending on the industry involved in outbound calls, sector-specific regulators may apply additional rules. For instance, the Bank of Thailand (BoT) and finance regulators oversee debt collection calls and bank product marketing (with guidelines to ensure fair treatment of customers), and the Office of Insurance Commission (OIC) supervises insurance telemarketing. These bodies require, for example, that banks/insurers only call individuals who have provided contact info for that purpose and to keep records of consent. Additionally, Thai law enforcement agencies like the Technology Crime Suppression Division of the Royal Thai Police play a role in cracking down on illegal call center operations (especially scam call centers), often working with NBTC and the PDPC. For a legitimate business call center, the main compliance oversight will come from NBTC (telecom rules), PDPC (data protection), and OCPB (marketing conduct), as detailed above.

National "Do Not Call" List: Thailand's new PDPC-operated DNC system will effectively serve as a national opt-out database. When launched, this system (likely in app form) will compile a database of numbers or categories that consumers have blocked.

OCPB Direct Marketing Registry: All organizations engaging in direct telephone solicitation must register with the OCPB's direct marketing database prior to operation.

PDPA Compliance Resources: While not a formal "registration," organizations making outbound calls should utilize the PDPC's compliance resources and tools. The PDPC provides guidelines on consent, privacy notices, and data security which are highly relevant to call centers (e.g. how to draft a proper verbal privacy notice during a call, how to obtain consent for different purposes). The PDPC website hosts some templates and FAQs. Additionally, if a company is required to appoint a Data Protection Officer (DPO) (which is mandatory for certain large data processors under PDPA), it must notify the PDPC of the DPO's details.

Numbering and Telecom Registrations: If an outbound call center uses its own telephony systems (e.g. running a call center platform), it may need to obtain numbers from a telecom operator or even get a telecom license if providing voice services. Typically, call centers lease telephone numbers (toll-free or landline or mobile) from licensed carriers. Those carriers have to register the numbers with the NBTC. Organizations should ensure they use properly allocated numbers – using unregistered SIM cards or unauthorized VoIP lines can lead to disconnection. Thailand's strict SIM card registration laws mean that any mobile numbers used for calling must be registered to the company or an individual with ID; call operations cannot just activate hundreds of anonymous SIMs (this is a tactic of scam operations that authorities now crack down on). For large-scale operations, businesses might acquire a block of numbers or a short-code; this would involve coordinating with a Thai telecom provider and possibly informing NBTC. In summary, use official telecom channels for outbound calling – the relevant "registration" in this context is making sure your phone numbers and telecom setup are properly licensed/registered in Thailand's telecom databases via your provider.

Applicability of Thai Regulations: Foreign companies running call centers from abroad (or outsourcing calls to offshore BPOs) targeting Thai consumers are directly affected by these regulations. First, as noted, the PDPA applies to foreign entities handling Thai personal data.

Direct Marketing Act for Foreign Operators: Any foreign company establishing a call center operation in Thailand (even a branch or rep office) to target Thai consumers must register with the OCPB as a direct marketing business.

Calling into Thailand (Telecom Considerations): When a foreign call center dials Thai phone numbers, the calls will pass through international gateways. As described, Thai carriers will mark the calls with "+" prefixes and potentially block certain suspicious patterns. Foreign companies should be aware that call pickup rates may be lower due to these warnings. To improve trust and compliance, a foreign company might obtain a Thai telephone number (DID or toll-free) to display as the caller ID, so that the call appears local. This usually requires contracting with a Thai telecom operator or a global telecom service that has Thai numbers. The foreign company would then be subject to NBTC rules via that operator. In effect, using a Thai number ties the foreign caller to Thai regulations – for instance, if consumers report that number for spam, the NBTC can direct the carrier to warn or disconnect the line. Also, foreign companies should not spoof any numbers when calling Thailand; doing so could violate Thai telecom fraud laws. It's best to be transparent about who and from where you are calling.

PDPA Representation and Cooperation: Foreign companies without a physical Thai office should designate a local representative for PDPA compliance (analogous to GDPR Article 27 requirements). This representative can handle any official communications with the PDPC, such as responding to complaints or facilitating inspections. While the PDPA's exact rep requirements were not fully detailed in early regulations, having a point of contact in Thailand is recommended. Additionally, foreign companies must be prepared to provide Thai-language privacy notices or consent dialogs when calling Thai individuals, since regulators will expect communications to be in the local language for clarity. All staff (even abroad) should be trained on Thai do-not-call rules and PDPA basics – for example, if a Thai consumer says "please don't call again," that request must be logged and respected globally.

Enforcement and Jurisdiction: If a foreign entity violates these rules (for instance, by cold-calling a large list of Thai numbers without consent), it could face actions on multiple fronts. The PDPC can issue fines or publicly announce the violation, damaging the company's reputation. The NBTC can work with international telecom partners to block the offending call traffic. The OCPB could coordinate with consumer protection agencies in the foreign company's country (if agreements exist) or at minimum, blacklist the company from any future business in Thailand. In serious cases (e.g. fraud or scam calls), Thai authorities may pursue criminal charges and international cooperation to shut down the operation. While legitimate companies wouldn't fall into the scam category, it underscores that Thailand is increasingly serious about regulating outbound calls. Foreign companies should thus align their practices with Thai law just as they would with local law: obtain consent, respect the Thai DNC list, use registered channels, and be responsive to Thai regulators. By doing so, even an overseas call center can lawfully engage Thai customers without running afoul of the regulations.