Vietnam’s National Assembly passed a sweeping Personal Data Protection Law (we help ensure compliance with PDPA laws in numerous countries) that introduces heavy penalties for the unauthorized collection, sale, or export of personal data. The new rules are designed to curb rampant data abuse and align Vietnam more closely with international privacy standards.
Severe Penalties for Unauthorized Data Trade – Illicit Sale of Personal Data Could Trigger Fines Up to 10x Revenue
- Companies that trade in personal data illegally can be fined up to 10 times their illicit revenue.
- If the illicit gains cannot be determined, the maximum fine is set at 3 billion VND (approximately $120,000) for organizations and 1.5 billion VND (about $60,000) for individuals.
- Unauthorized cross-border data transfers may incur fines of up to 5% of the company’s previous year’s revenue or up to 3 billion VND if no revenue is reported.
Complete Ban on Personal Data Trading
The new law explicitly bans the buying and selling of personal data in any form. It also prohibits unauthorized disclosure, loss, or processing of data for illegal purposes, including those that threaten national security or public order. This is in line with the other PDPA laws in Asia that we cover and assist with.
Strict Rules for Tech and Financial Sectors
- Social media platforms and online services cannot require government-issued ID for verification without cause or record communications without consent. They must implement transparent privacy policies and ensure users can access, modify, or delete their data.
- Banks and financial institutions are forbidden from scoring customer credit without explicit permission. They are also required to disclose breaches and implement prompt remediation plans.
When Does the Vietnam Privacy Law Take Effect?
The Personal Data Protection Law will be enforced starting January 1, 2026. So hurry up and book a demo to have our privacy superhero team get your business compliant for Vietnam and any other territories you operate in.
Implications for Specific Industries
- Adtech and MarTech Companies: Use of tracking pixels, cookies, and behavioral analytics tools must comply with the consent framework. Violators risk significant fines. Companies should consider implementing a solution like our Cookie Consent Manager to ensure lawful tracking and opt-outs.
- Retail and E-commerce: Collection of customer data during checkout or account creation must be explicitly consented to and properly stored. Opt-in mechanisms will be essential.
- Telecom and ISPs: Monitoring of communications or metadata without user knowledge is banned. Transparency will be legally required.
- Financial Services: Institutions must revise data scoring models and get consent before accessing third-party data. Incident disclosure protocols must be strengthened.
Comparison with International Privacy Laws
Vietnam’s law shows strong similarities with the European Union’s General Data Protection Regulation (GDPR), especially around the principles of consent, transparency, and penalties proportional to revenue.
- GDPR (EU): Fines can reach up to 4% of global annual turnover. Vietnam’s penalties are even more severe in certain cases, such as the 10x illegal profit clause.
- California Consumer Privacy Act (CCPA): Provides a private right of action for data breaches, but Vietnam’s law bans data trading outright and covers a broader scope of misuse.
- Singapore PDPA: Like Vietnam, Singapore mandates explicit consent and strong enforcement, but Vietnam’s new penalties are among the harshest in the region.
Final Thoughts
This new law marks a turning point in how Vietnam views personal data—not as a tradable asset, but as a protected right. Businesses must reassess their data practices and proactively implement compliance systems before the law takes effect in 2026. Failure to adapt could result in substantial financial and reputational damage.
To ensure your business is fully prepared, explore our specialized compliance tools like the GDPR Compliance Suite or our advanced Cookie Consent Manager.