
Malaysia's PDPA for Cold Email and Outreach: The 2026 Guide

Malaysia rewrote its data protection law in 2024, and the changes finished rolling out in mid 2025. Teams that learned outreach compliance in Singapore often assume Malaysia works the same way. It does not: Malaysia's Personal Data Protection Act 2010 has no business contact information exception, which changes the legal footing of cold email to named individuals. This guide covers what the Act and the 2024 Amendment Act actually require, where B2B outreach stands, the direct marketing opt-out, the new cross-border transfer regime, and a practical checklist for teams prospecting into Malaysia.

Last reviewed 11 June 2026 · This guide is general information, not legal advice.

What Malaysia's PDPA covers, and the 2024 overhaul

The Personal Data Protection Act 2010 (Act 709) governs the processing of personal data in respect of commercial transactions, and is administered by the Personal Data Protection Commissioner under the Personal Data Protection Department. Personal data means any information about an individual who can be identified from it, so a prospect's name, work email address, and mobile number are all in scope. The Act does not apply to the federal and state governments, and the commercial transaction requirement keeps purely personal or household processing out of scope.

The Personal Data Protection (Amendment) Act 2024 is the biggest change since the law took effect, and it came into force in three phases through 2025:

  • 1 January 2025: administrative changes.
  • 1 April 2025: higher penalties, biometric data as sensitive data, direct obligations on data processors, and the new cross-border rules.
  • 1 June 2025: mandatory data protection officer appointment plus breach notification.

Two vocabulary changes matter when you read Malaysian guidance. The Act now uses data controller instead of the old term data user, aligning with international practice, and data processors now carry direct security obligations rather than being regulated only through their controllers.

The new baseline: DPOs and mandatory breach notification

From 1 June 2025, data controllers and processors must appoint a data protection officer once their processing crosses thresholds set out in the Commissioner's February 2025 guideline: personal data of more than 20,000 data subjects, sensitive personal data of more than 10,000 data subjects, or activities involving regular and systematic monitoring. The DPO must be resident in or easily contactable in Malaysia, and the appointment must be registered with the Commissioner within 21 days.

Breach notification is now mandatory. Where a breach causes or is likely to cause significant harm, the controller must notify the Commissioner as soon as practicable and no later than 72 hours, and notify affected data subjects without unnecessary delay and no later than 7 days after the Commissioner notification. Failing to notify carries a fine of up to RM250,000, imprisonment of up to two years, or both.

For an outreach team this matters in a mundane way: your prospect database is personal data. A leaked CRM export of Malaysian contacts is exactly the kind of incident the notification regime was written for, so list storage and access controls are now a compliance question, not just an IT one.

Is B2B cold email workable? The consent question

Here is the precise difference from Singapore. Singapore's PDPA contains an express carve-out in section 4(5): the data protection obligations, including consent, do not apply to business contact information such as a person's work email and job title. Malaysia's PDPA has no equivalent exception. A named individual's work email address is personal data, full stop, and the General Principle in section 6 requires the data subject's consent to process it unless a narrow exception applies, such as performance of a contract with that person. None of the exceptions cleanly covers cold marketing.

What keeps B2B outreach workable in practice is the line between personal data and company data. Information about a company is not personal data, so emailing a corporate inbox such as info@ or sales@ about that company's needs sits outside the Act. Marketing aimed at organisations rather than identifiable individuals is the safer pattern, and enforcement attention has historically gone to consumer spam, unsolicited SMS blasts, and data leaks rather than to targeted B2B email.

Territorial scope adds one more nuance. The Act applies to persons established in Malaysia, and to those not established in Malaysia only if they use equipment in Malaysia to process the data otherwise than for transit. A Singapore-based team emailing Malaysian prospects from Singapore infrastructure may fall outside the Act's strict reach, but building your programme on a jurisdictional technicality is fragile. The professional standard is to behave as if the Act applies: relevant targeting, honest identification, and instant opt-out handling.

Direct marketing and the section 43 opt-out

Section 43 of the PDPA gives every data subject the right to require an organisation, by written notice, to stop or not begin processing their personal data for direct marketing purposes. Direct marketing is defined broadly as the communication of advertising or marketing material directed to particular individuals, which captures cold email, cold calls, and SMS alike.

The opt-out has teeth through the Commissioner. If you ignore the notice, the individual can complain, the Commissioner can require you to comply, and failing to follow that requirement is an offence carrying a fine of up to RM200,000, imprisonment of up to two years, or both.

Operationally, treat any reply that says stop, unsubscribe, or remove me as a section 43 notice, regardless of format. Suppress the contact permanently and across the whole organisation, not just the campaign it arrived from. Malaysia has no equivalent of Singapore's DNC Registry for marketing messages, so your own suppression list is the control that matters.

Cross-border transfers: the whitelist regime is gone

Before the amendment, section 129 only permitted transfers of personal data out of Malaysia to places specified by the Minister, a whitelist that was consulted on in 2017 but never actually gazetted, leaving everyone relying on exceptions such as consent. The Amendment Act scrapped that mechanism. Transfers are now permitted where the destination jurisdiction has a law substantially similar to the PDPA or provides an adequate level of protection, alongside the existing exceptions.

The Commissioner issued Guidelines on Cross Border Personal Data Transfer in April 2025 to operationalise the new regime. They explain what substantially similar means, allow controllers to run a transfer impact assessment whose findings stay valid for up to three years, and require records of each transfer covering the recipient, destination, data types, purpose, and the evidence relied on.

For sales teams the practical case is your own stack: if your CRM, enrichment tools, or email platform host Malaysian prospect data outside Malaysia, that is a cross-border transfer. Most teams will rely on the substantially similar route for destinations like Singapore or the EU, or on consent and contractual necessity, but someone in the organisation should be able to say which basis applies.

Penalties after the amendment

The headline change is the ceiling for breaching the Personal Data Protection Principles, which include the consent, notice, and security requirements: the maximum fine rose from RM300,000 to RM1,000,000, and the maximum prison term from two years to three. The increase took effect on 1 April 2025.

Around that sit the specific offences already mentioned: up to RM250,000 and two years for failing to notify a breach, and up to RM200,000 and two years for defying a Commissioner's requirement to honour a direct marketing opt-out. Unlike Singapore's civil penalty regime, Malaysian PDPA offences are criminal, which raises the stakes for directors and officers.

Enforcement has historically been complaint driven and focused on consumer-facing abuse, but the 2024 amendments signal a more active posture, and the new DPO registration and breach notification duties give the regulator far better visibility into who is processing what. Assume the era of benign neglect is ending.

A practical checklist for prospecting into Malaysia

These rules compress the PDPA and the 2024 amendments into operating habits for a team running outbound into Malaysia.

  • Prefer corporate role addresses and company-level messaging where you can; information about a company is outside the Act entirely.
  • When emailing named individuals, keep the message strictly relevant to their role and company; relevance does not create consent, but it keeps you aligned with how the regulator prioritises enforcement.
  • Identify your company honestly in every send, with a working reply route and a one-click opt-out.
  • Treat every stop or unsubscribe reply as a section 43 written notice: suppress immediately, permanently, and organisation-wide.
  • Never buy Malaysian consumer lists or scraped personal data; consent defects flow downstream to you as the controller.
  • Record where every contact came from so you can answer provenance questions.
  • Check whether your processing volumes trigger the DPO thresholds, and register the appointment within 21 days if they do.
  • Know which cross-border basis covers Malaysian prospect data sitting in your offshore CRM and email tools.
  • Have a breach response plan that can hit the 72-hour Commissioner notification window.
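The opt-out and provenance items above are the ones a team can enforce in software. The following is an added example written for this guide, not HuntSales code or anything from the Act: a single organisation-wide suppression list that treats any reply containing a stop phrase as a section 43 notice, keys entries on a normalised address so a reply to one campaign blocks every other campaign, never removes an entry once written, and holds back any contact whose source was never recorded. The opt-out phrase list, the contact records and the addresses are constructed for the example; the guide itself only names stop, unsubscribe and remove me.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Phrases treated as a section 43 "stop" notice. Constructed list for this
# example; extend it with whatever your own replies actually contain.
OPT_OUT_PATTERNS = [
    r"\bstop\b",
    r"\bunsubscribe\b",
    r"\bremove me\b",
    r"\bopt[ -]?out\b",
    r"\bdo not (?:contact|email)\b",
]
_OPT_OUT_RE = re.compile("|".join(OPT_OUT_PATTERNS), re.IGNORECASE)


def normalise_email(raw: str) -> str:
    """Reduce 'Display Name <Addr>' or bare addresses to one lower-case key."""
    match = re.search(r"<([^>]+)>", raw)
    addr = match.group(1) if match else raw
    return addr.strip().lower()


def is_opt_out(reply_body: str) -> bool:
    """True if the reply contains any opt-out phrase, regardless of format."""
    return bool(_OPT_OUT_RE.search(reply_body))


@dataclass
class SuppressionEntry:
    email: str            # normalised address
    reason: str           # why it was suppressed (e.g. "section 43 notice")
    first_campaign: str   # campaign the notice arrived on, kept for the record
    recorded_at: datetime


@dataclass
class SuppressionList:
    """One list for the whole organisation; every campaign consults it."""
    _entries: dict = field(default_factory=dict)

    def suppress(self, email: str, reason: str, campaign: str) -> SuppressionEntry:
        key = normalise_email(email)
        # Permanent: an existing entry is never overwritten or deleted.
        if key not in self._entries:
            self._entries[key] = SuppressionEntry(
                key, reason, campaign, datetime.now(timezone.utc))
        return self._entries[key]

    def is_suppressed(self, email: str) -> bool:
        return normalise_email(email) in self._entries

    def handle_reply(self, sender: str, body: str, campaign: str) -> bool:
        """Route an inbound reply; returns True if it was treated as an opt-out."""
        if is_opt_out(body):
            self.suppress(sender, "section 43 notice", campaign)
            return True
        return False

    def filter_send_list(self, contacts: list) -> tuple:
        """Split a send list into (cleared, held). A contact is held when it is
        suppressed or when its provenance ("source") was never recorded."""
        cleared, held = [], []
        for contact in contacts:
            if self.is_suppressed(contact["email"]) or not contact.get("source"):
                held.append(contact)
            else:
                cleared.append(contact)
        return cleared, held


def demo() -> tuple:
    """Constructed walk-through: a stop reply on campaign A blocks campaign B."""
    suppression = SuppressionList()
    # Constructed contacts; "source" is the provenance record the checklist asks for.
    contacts = [
        {"email": "Aisha.Rahman@example.com", "source": "event list 2026-03"},
        {"email": "farid@example.com", "source": "inbound demo request"},
        {"email": "lim@example.com", "source": ""},   # provenance unknown
    ]
    # Reply arrives on campaign A, with a display name and different casing.
    suppression.handle_reply("Aisha Rahman <aisha.rahman@example.com>",
                             "Please remove me from this list.", "campaign-A")
    # Campaign B builds its send list from the same organisation-wide record.
    cleared, held = suppression.filter_send_list(contacts)
    return suppression, cleared, held


if __name__ == "__main__":
    _, cleared, held = demo()
    print("cleared:", [c["email"] for c in cleared])
    print("held:", [c["email"] for c in held])
```

Two design points matter more than the code. Suppression is keyed on the normalised address and stored once for the organisation, so there is no per-campaign copy to fall out of sync; and the filter treats a missing source the same way it treats a suppressed address, which is what makes the provenance item on the checklist enforceable rather than aspirational.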

Prospecting into Malaysia?

HuntSales bakes the operational half of compliance into every campaign: honest sender identity, one-click opt-outs written to a permanent suppression list, and full provenance records for every contact. Start with the Malaysia playbook.


Frequently asked

Is B2B cold email legal in Malaysia?

It occupies a greyer zone than in Singapore. Malaysia's PDPA has no business contact information exception, so processing a named individual's work email for marketing technically requires consent under section 6. In practice, enforcement has focused on consumer spam and data leaks rather than targeted B2B email, and messaging aimed at companies through corporate addresses sits outside the Act. Relevant, honest, low-volume outreach with instant opt-out handling is the defensible pattern.

How is Malaysia's PDPA different from Singapore's for outreach?

Singapore's section 4(5) expressly disapplies the consent obligations for business contact information such as work emails and job titles. Malaysia has no such carve-out: a named individual's business email is ordinary personal data and the consent principle applies to it. Singapore also has the DNC Registry for calls and SMS, which Malaysia lacks; Malaysia instead relies on the section 43 opt-out right.

What did the 2024 Amendment Act change?

The main changes, phased in through 2025: data user became data controller, data processors took on direct obligations, biometric data became sensitive data, penalties for breaching the data protection principles rose to RM1 million and three years' imprisonment, breach notification and DPO appointment became mandatory, a data portability right was introduced, and the cross-border whitelist mechanism was replaced with a substantially similar law test.

Do I need a data protection officer in Malaysia?

From 1 June 2025, yes, if you process personal data of more than 20,000 data subjects, sensitive personal data of more than 10,000 data subjects, or carry out regular and systematic monitoring. The DPO must be resident in or easily contactable in Malaysia and registered with the Commissioner within 21 days of appointment. Most foreign sales teams will sit under the thresholds, but check your CRM volumes.

What happens if a Malaysian prospect tells me to stop emailing?

Treat it as a written notice under section 43, which requires you to cease processing their personal data for direct marketing. Suppress the contact immediately and permanently. If you ignore it, they can complain to the Commissioner, and failing to follow the Commissioner's subsequent requirement carries a fine of up to RM200,000, up to two years' imprisonment, or both.

Does Malaysia's PDPA apply to my company if we are based in Singapore?

The Act applies to persons established in Malaysia, and to those not established there only if they use equipment in Malaysia to process the data beyond mere transit. A team emailing from Singapore infrastructure may fall outside its strict territorial reach, but relying on that is fragile, especially if you have any Malaysian presence, and it does nothing for your sender reputation. Behave as if the Act applies.

What are the penalties for getting this wrong?

Breaching the data protection principles, including processing without consent, now carries a fine of up to RM1,000,000, imprisonment of up to three years, or both. Failing to notify a reportable breach carries up to RM250,000 and two years. Ignoring a Commissioner's direction on a direct marketing opt-out carries up to RM200,000 and two years. These are criminal offences, not civil penalties.

Can I store Malaysian prospect data in an overseas CRM?

Yes, if a section 129 basis covers the transfer. Since April 2025, transfers are permitted where the destination has a law substantially similar to the PDPA or ensures an adequate level of protection, or where an exception such as consent or contractual necessity applies. The April 2025 guidelines let you document this with a transfer impact assessment valid for up to three years, and require records of each transfer.

Outreach that stays on the right side of the rules

Suppression lists, unsubscribe handling, and a calling workflow built for APAC compliance, in one outreach CRM. Free for solo founders.

