Cookie Policy (Malaysia)
COOKIE POLICY
[Website URL] | [Company Name]
Effective Date: [Effective Date] | Last Updated: [Last Updated]
This Cookie Policy explains how [Company Name] ('we', 'us', 'our') uses cookies and similar tracking technologies on [Website URL], and how you can manage them. This policy is issued in accordance with the Personal Data Protection Act 2010 (PDPA 2010, Act 709) and international best practice for data transparency.
1. WHAT ARE COOKIES?
Cookies are small text files placed on your browser or device by a website when you visit it. They allow the website to remember your actions and preferences over a period of time. Cookies may be set by us (first-party cookies) or by third parties whose content or services appear on our website (third-party cookies). Similar technologies include web beacons (pixel tags), local storage objects (LSOs), and tracking scripts.
2. COOKIES WE USE
[Company Name] uses the following categories of cookies on [Website URL]:
[Cookie Categories]
Third-party cookie providers and specific cookies:
[Third Party Cookie Providers]
Cookie retention periods: [Retention Periods]
3. COOKIE CONSENT
When you visit [Website URL], we use the following consent mechanism for non-essential cookies: [Cookie Consent Mechanism].
Essential / strictly necessary cookies are set automatically as they are required for the website to function and cannot be disabled. For all other cookie categories, we seek your consent before setting those cookies on your device.
Under the Notice and Choice Principle (Section 7) of the PDPA 2010, we inform you about cookies that collect personal data before or at the time of collection. By accepting non-essential cookies, you consent to the processing of personal data collected by those cookies for the stated purposes.
4. HOW TO MANAGE COOKIES
You can manage or disable cookies at any time through the following means:
Browser settings: [Browser Opt Out Instructions]
Third-party opt-out tools: [Third Party Opt Out]
Please note that disabling essential cookies may affect the functionality of [Website URL]. Disabling analytics or marketing cookies will not affect your ability to browse the website.
5. UPDATES TO THIS COOKIE POLICY
We may update this Cookie Policy from time to time as we add new cookies, change our tracking practices, or in response to changes in Malaysian data protection law including the Personal Data Protection (Amendment) Act 2024. The updated policy will be published on [Website URL] with the revised date.
For questions about our use of cookies or to exercise your rights under the PDPA 2010, contact us at [Contact Email].
What Is a Cookie Policy (Malaysia)?
A Cookie Policy in Malaysia documents the organisation's approach and the obligations placed on those it covers.
Cookies are small text files placed on a user's device by a website server. They serve a range of functions — from maintaining user sessions and remembering preferences (essential cookies) to tracking browsing behaviour across websites for advertising purposes (targeting cookies). Other tracking technologies include web beacons (pixel tags), local storage objects (LSOs), fingerprinting scripts, and software development kits (SDKs) embedded in mobile applications.
Under the Notice and Choice Principle in Section 7 of the PDPA 2010, a data user (website operator) must inform data subjects about the purposes for which their personal data is collected and processed before or at the time of collection. Where cookies collect personal data — such as IP addresses, device identifiers, browsing histories, or user account information — the Notice and Choice Principle requires disclosure. A Cookie Policy, displayed prominently on the website and linked from the Privacy Policy and footer, satisfies this obligation.
Malaysia does not yet have a specific cookie consent regulation comparable to the EU's ePrivacy Directive or the UK ICO cookie guidance that requires prior opt-in consent for non-essential cookies. However, the proposed Personal Data Protection (Amendment) Act 2024 is expected to strengthen consent requirements for online tracking. In practice, Malaysian websites frequently adopt EU-standard cookie banners with genuine opt-in consent for analytics and marketing cookies to serve European users under the GDPR, while Malaysian-only operations may implement a simpler notice-and-opt-out model.
Cookies that collect personal data must be disclosed in the Privacy Policy as well as in the Cookie Policy. The Personal Data Protection Commissioner under the Ministry of Digital Malaysia can investigate complaints about inadequate data transparency. For e-commerce websites, the Consumer Protection (Electronic Trade Transactions) Regulations 2012 require clear disclosure of how user data collected during transactions is handled.
The legal framework governing the Cookie Policy (Malaysia) in Malaysia draws on several key statutes and regulatory bodies. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Parties executing a Cookie Policy (Malaysia) in Malaysia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2016 (Act 777) sets the foundational requirements.
When Do You Need a Cookie Policy (Malaysia)?
A Cookie Policy is required for any Malaysian website or application that uses cookies or other tracking technologies to collect data from users.
A Cookie Policy is needed for any e-commerce website that uses session cookies for shopping carts, authentication cookies for user accounts, or analytics tools such as Google Analytics, which sets cookies that may constitute personal data under Section 4 of the PDPA 2010.
A Cookie Policy is required for any website using third-party advertising networks — such as Google AdSense, Facebook Audience Network, or programmatic advertising platforms — that set targeting or retargeting cookies to track user behaviour across the web for personalised advertising.
A Cookie Policy is needed for any website serving users in the European Union alongside Malaysian users, as the EU's General Data Protection Regulation (GDPR) and the ePrivacy Directive require prior opt-in consent for non-essential cookies from EU residents, regardless of where the website operator is based.
A Cookie Policy is required for mobile applications that use third-party analytics SDKs (such as Firebase Analytics, Mixpanel, or AppsFlyer) or advertising SDKs that collect device identifiers and usage data, as these are functionally equivalent to browser cookies and attract the same PDPA 2010 transparency obligations.
A Cookie Policy is needed when a website undergoes a privacy audit or data protection review — either internally or as part of a procurement due diligence process — and the auditor identifies the absence of a Cookie Policy as a compliance gap under the PDPA 2010.
Parties in Malaysia should prepare a Cookie Policy (Malaysia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Cookie Policy (Malaysia)
A thorough Cookie Policy for a Malaysian website must include the following essential elements.
Definition of Cookies: A clear explanation of what cookies are, how they work technically, and how they differ from other tracking technologies such as web beacons, pixel tags, and local storage. Users should understand that cookies are placed on their device and may persist beyond a single browsing session.
Categories of Cookies: A structured breakdown of the cookie categories used by the website. Standard categories include: (1) Strictly necessary / essential cookies — required for the website to function (session management, security, load balancing); (2) Functional / preference cookies — remember user preferences such as language and region; (3) Analytics / performance cookies — collect anonymised data about website usage (Google Analytics, Hotjar); (4) Marketing / targeting cookies — track browsing to deliver personalised advertising (Facebook Pixel, Google Ads).
Cookie Inventory Table: A table listing specific cookies used by the website, including the cookie name, provider (first-party or third-party), purpose, type (session or persistent), and duration. This level of detail is required under GDPR and is considered best practice for PDPA 2010 compliance.
Third-Party Cookies: Disclosure of any third-party cookies set by embedded content, social sharing buttons, or advertising networks, with links to the third parties' own privacy and cookie policies. The website operator cannot control third-party cookies but must disclose their presence.
Consent Mechanism: A description of how the website obtains user consent for non-essential cookies — whether through a cookie banner with accept/reject options, a cookie preference centre, or a notice-and-opt-out model. Under PDPA 2010, disclosure before collection is required.
User Control and Opt-Out: Instructions for users to manage cookies through browser settings, third-party opt-out tools (Google Analytics opt-out, NAI opt-out), and the website's own cookie preference settings.
Updates to the Cookie Policy: A statement that the Cookie Policy may be updated as new cookies are added or tracking practices change, with the last updated date prominently displayed.
Additional compliance elements for a Cookie Policy (Malaysia) used in Malaysia include: Under Malaysian law, the Contracts Act 1950 (Act 136) governs contractual obligations. The Companies Act 2016 (Act 777) regulates corporate entities through the Companies Commission of Malaysia (SSM). The Employment Act 1955 (Act 265) and the Department of Labour govern employment matters. The Personal Data Protection Act 2010 (Act 709) and the Personal Data Protection Department protect personal data. The Inland Revenue Board of Malaysia (LHDN) administers tax obligations. The Industrial Court adjudicates employment disputes under the Industrial Relations Act 1967 (Act 177). Forms-legal.com provides this template as a starting point for Malaysia-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cookie Policy (Malaysia) (Malaysia) [Legal document template]. Forms Legal. https://forms-legal.com/malaysia/business/policies/cookie-policy-malaysia
"Cookie Policy (Malaysia) (Malaysia)." Forms Legal, 2026, https://forms-legal.com/malaysia/business/policies/cookie-policy-malaysia.
@misc{formslegal-cookie-policy-malaysia,
author = {{Forms Legal}},
title = {Cookie Policy (Malaysia) (Malaysia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/malaysia/business/policies/cookie-policy-malaysia}},
note = {Free legal document template. Based on Companies Act 2016 (Act 777)}
}Also available for these jurisdictions:
Frequently Asked Questions
Malaysian websites that use cookies collecting personal data are required to disclose this under the Notice and Choice Principle in Section 7 of the Personal Data Protection Act 2010 (PDPA 2010, Act 709). The PDPA 2010 requires data users to notify data subjects of the purposes for which their personal data is collected before or at the time of collection. Since analytics cookies (such as Google Analytics cookies), advertising cookies (such as Facebook Pixel), and session cookies for logged-in users may collect personal data — including IP addresses, device identifiers, and user identifiers — a Cookie Policy or equivalent disclosure in the Privacy Policy is required. Malaysia does not yet have a specific cookie consent law requiring opt-in consent for non-essential cookies (unlike the EU's ePrivacy Directive). However, websites serving EU users must comply with the GDPR and the ePrivacy Directive, which do require prior consent. The safest approach for a Malaysian website is to publish a Cookie Policy disclosing all cookies used and provide users with the option to accept or decline non-essential cookies.
Essential cookies (also called strictly necessary cookies) are cookies that are required for a website to function properly and cannot be disabled without breaking core functionality. Examples include session cookies that keep users logged in, security cookies that prevent cross-site request forgery (CSRF), and load-balancing cookies. Essential cookies do not require user consent under most cookie frameworks, including GDPR, because they are necessary to deliver the service the user has requested. Non-essential cookies are cookies that are not required for core functionality and are instead used for analytics, personalisation, or advertising. Analytics cookies such as Google Analytics (_ga, _gid) measure website usage. Marketing cookies such as Facebook Pixel (_fbp) track users across websites for targeted advertising. Functional cookies remember preferences like language settings. Non-essential cookies require disclosure and, under the GDPR for EU users, prior opt-in consent. Under Malaysia's PDPA 2010, disclosure of non-essential cookies in a Cookie Policy or Privacy Policy is the minimum requirement, though best practice is to provide a consent mechanism.
Cookies are classified by duration as either session cookies or persistent cookies. Session cookies are temporary cookies that are deleted from the user's device when the browser session ends (when the user closes the browser tab or window). Session cookies are used for maintaining user logins during a browsing session and storing shopping cart contents. Persistent cookies remain on the user's device after the browser session ends, for a specified duration set by the website operator. Common persistent cookie durations include 30 days (for short-term analytics), 1 year (for Google Analytics _ga cookies), and 2 years (for Google Analytics default retention). Under best practice for PDPA 2010 compliance and the GDPR, persistent cookies should have the shortest duration necessary for their stated purpose — the Retention Principle under Section 10 of the PDPA 2010 prohibits keeping personal data longer than necessary. A Cookie Policy should disclose the duration of each cookie category or individual cookie.
Users visiting Malaysian websites can manage and disable cookies through several mechanisms. Browser settings: all major browsers (Chrome, Firefox, Safari, Edge) allow users to block all cookies, block third-party cookies, or clear existing cookies through the browser's Privacy or Settings menu. Disabling all cookies may break essential website functionality. Cookie consent banners: websites with a cookie preference centre allow users to accept essential cookies only and reject analytics and marketing cookies, without affecting core website functionality. Third-party opt-out tools: Google Analytics offers an opt-out browser add-on at tools.google.com/dlpage/gaoptout. The Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) provide industry-wide opt-out tools at optout.networkadvertising.org. Private browsing / incognito mode: running the browser in private or incognito mode prevents persistent cookies from being stored after the session ends, though session cookies are still active during the browsing session. A well-drafted Cookie Policy under Malaysia's PDPA 2010 should explain all these options clearly to users.
A Cookie Policy (Malaysia) does not legally require a lawyer in Malaysia, and individuals and businesses may draft and execute the document independently. The Companies Act 2016 (Act 777) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Malaysia lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Malaysia has jurisdiction over disputes arising from this type of document, and Companies Commission of Malaysia (SSM) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Privacy Policy (Malaysia)
A Privacy Policy for Malaysia that discloses how a website or business collects, uses, stores, and discloses personal data in compliance with the Personal Data Protection Act 2010 (PDPA 2010, Act 709) and its seven data protection principles. Required for all Malaysian websites and apps that collect personal data.
Terms of Service (Malaysia)
A comprehensive Terms of Service agreement for Malaysian websites, SaaS platforms, and online services, compliant with the Consumer Protection Act 1999, Electronic Commerce Act 2006, and Digital Economy Act. Covers user obligations, intellectual property, liability limitations, and governing law.
Acceptable Use Policy (Malaysia)
An Acceptable Use Policy (AUP) for Malaysian websites, SaaS platforms, and internet service providers, defining permitted and prohibited uses of the service under the Communications and Multimedia Act 1998, Computer Crimes Act 1997, and PDPA 2010.