On July 23, 2025, Cambodia introduced a draft law focused on protecting personal data. The announcement took place at a public consultation event at the Sokha Phnom Penh Hotel. Once officially approved, the law will take two years to come into full effect.
Main Purpose of the Law
The law, created by the Ministry of Post and Telecommunications, aims to protect people’s personal data while encouraging business growth in Cambodia’s digital economy. It lays down rules and ethical standards for how personal information should be handled, ensuring transparency and responsibility.
Based on Global Privacy Models
Cambodia’s new law takes inspiration from Europe’s GDPR but adds rules specific to the country. Personal data must only be collected and used for clear, legal, and fair reasons. The law sets six legal grounds for using data, such as consent, fulfilling a contract, legal obligations, or protecting public interest.
Handling sensitive personal data is restricted and only allowed under special conditions—like with the person’s clear approval or when it’s in the public’s interest.
Foreign companies dealing with Cambodian users will also need to follow the law. They must appoint local representatives and inform the ministry. Sending data across borders will need approval or legal reasons such as written consent or public interest.
Rights for Individuals
Cambodian residents will gain many rights under this law. They can request copies of their personal data, ask for corrections, and even ask for data deletion in some cases. People also have the right to move their data between companies when processing is automated and based on consent or contracts.
In cases where decisions are made by machines (like automatic loan approvals or targeted ads), people can request human involvement if those decisions significantly affect them.
Who Will Enforce the Law?
The Ministry of Post and Telecommunications will oversee the law’s enforcement. It can review how companies handle personal data, carry out audits, and resolve complaints.
Companies must assess privacy risks before carrying out certain types of data processing. These risk reports must be submitted to the ministry and include security measures being used to protect the data.
Some organizations will need to appoint data protection officers. These officers must be qualified and officially registered with the ministry within 30 days of appointment.
Safety and Technology Rules
The law requires businesses to use proper security systems from the start, ensuring that only necessary personal data is processed. Businesses must protect the data against hacking, leaks, or misuse, and regularly check the strength of their security systems.
If a data breach happens, companies must report it to the ministry within 72 hours. If the breach poses serious risk to individuals, they must also inform the affected people—unless encryption or other protections reduce the risk.
Fines and Punishments
If someone breaks the law, they could face heavy penalties. Individuals may be fined up to 60 million riels (around $14,500) and face jail time from six days to two years. Companies can be fined up to 600 million riels (around $145,000) or 10% of their yearly income.
The law also sets up a special inspection unit with the power to investigate cases and handle complaints. Disputes can be resolved through a fast-track, ministry-supervised process.
Impact on Marketing and Advertising
Digital marketing companies working in Cambodia will now have to get user consent, protect personal data, and follow cross-border data rules. This law also applies to foreign companies that offer online services or track Cambodian users.
Marketing platforms must now be more transparent, especially in areas like targeted ads and automated decision-making. People can demand explanations and human review of automated marketing decisions.
A Regional Move Toward Privacy
With this law, Cambodia joins other Southeast Asian countries that are moving toward stronger personal data protection. Though companies have two years to prepare, they should start reviewing their practices now. Businesses operating across the region must also stay updated on how Cambodia enforces this new law in the future.
