Malaysian Website Legal Requirements — PDPA, SSM Registration and Compliance

Running a Business Website in Malaysia Has Legal Obligations

Malaysian business owners frequently treat website compliance as an afterthought. This is an increasingly costly mistake. The Personal Data Protection Act 2010 (PDPA), SSM registration display requirements, SST obligations, and the Consumer Protection Act 1999 collectively create a compliance framework that every Malaysian business website must address.

Non-compliance is not merely theoretical risk. The PDPA carries fines of up to RM500,000 and imprisonment of up to three years for data processors who fail to meet their obligations. Understanding what your website must do is foundational, not optional.

PDPA 2010 — The Seven Principles

Malaysia's PDPA 2010 governs any business that collects, processes, or stores personal data from Malaysian individuals. For websites, the seven principles translate into specific requirements:

• General Principle: Personal data may only be processed with the data subject's consent and for the purpose disclosed at collection.
• Notice and Choice Principle: A privacy notice must be presented before or at the time data is collected — not buried in a footer link.
• Disclosure Principle: Data cannot be disclosed to third parties without consent.
• Security Principle: Practical steps must be taken to protect data from loss, misuse, modification, and unauthorised access.
• Retention Principle: Data cannot be retained longer than necessary for its stated purpose.
• Data Integrity Principle: Data must be accurate and up to date.
• Access Principle: Data subjects have the right to access and correct their personal data.

For a typical business website with a contact form, this means your privacy notice must explicitly state what data you collect, why, how long you retain it, and how users can request access or deletion.

SSM Registration Display

The Companies Commission of Malaysia (SSM) requires businesses to display their registration number on all business correspondence — and regulators have confirmed this extends to websites. Your footer or About page should display your SSM registration number and registered business name as it appears in SSM records.

For e-commerce businesses, the Ministry of Domestic Trade and Consumer Affairs (KPDNHEP) additionally requires display of business address and contact details on the website — not merely a contact form.

SST on Digital Services

If your website sells digital services or goods to Malaysian customers, you may have SST collection obligations at 6%. Foreign businesses providing digital services to Malaysian consumers are required to register with the Royal Malaysian Customs Department (RMCD) if annual sales exceed RM500,000. For local businesses, any digital service sales should be reviewed against current RMCD guidance for SST applicability.

Consumer Protection Act 1999

The Consumer Protection Act requires that product and service descriptions on your website are accurate and not misleading. For e-commerce, price displays must include all applicable taxes, and refund/return policies must be clearly stated before purchase completion. The Malaysian Communications and Multimedia Commission (MCMC) can act on consumer complaints related to misleading online commercial content.

What a Compliant Website Needs

• A privacy notice accessible from every page (typically footer link)
• Consent mechanism on all forms collecting personal data
• SSM registration number displayed in footer or About page
• Accurate business address and contact details
• Clear refund and return policy if selling goods or services
• Secure data transmission (HTTPS — mandatory, not optional)