In 2025, Taiwan’s e-commerce industry has become even more vibrant due to intense competition between foreign and local players, as well as between local and cross-border platforms, alongside increasing M&A. This article provides a brief introduction to the regulatory environment for e-commerce in Taiwan to note in 2025 and 2026.
Amendments and guidelines
Ken-Ying Tseng
Partner
Lee and Li
Taipei
Tel: +886 2 2763 8000 (ext. 2179)
Email: kenying@leeandli.com
In Taiwan, the collection, processing and use of personal data are governed by the Personal Data Protection Act (PDPA). Among other requirements, the PDPA mandates that data controllers must inform data subjects of matters stipulated under the act prior to collecting and processing personal data, and that such collection and processing must be for specific purposes and meet any of the legal grounds stipulated therein.
The PDPA stipulates that if a data controller, due to a violation of the PDPA, causes personal data to be stolen, leaked, altered or otherwise infringed on, the data subject must be notified after the facts have been ascertained. Therefore, the notification obligation under the act is limited to leaks caused “due to a violation of the PDPA”, and notification is only required to be made to the “data subject”, not to the competent authority. Such provisions have been criticised and the act has therefore been amended.
Meanwhile, the PDPA authorises relevant sectoral regulators to formulate separate data protection guidelines for industries under their jurisdiction, which are applicable to all data controllers within those industries.
In this regard, the competent authority for the e-commerce industry, the Ministry of Digital Affairs (MODA), promulgated the Regulations for the Security Maintenance and Management of Personal Data Files for Digital Economy-related Industries in 2023. Under the regulations, the MODA requires that, in the event of a personal data breach in the digital economy industry (including e-commerce businesses), the data collector must notify not only the affected data subjects, but also the MODA in a prescribed format within 72 hours of becoming aware of the incident.
Although the above-mentioned measures provide better protection for data subjects, the PDPA does not expressly authorise a regulator to impose such obligations on the private sector, and thus their legal effect remains subject to debate. To address this, in November 2025, the Taiwan government announced amendments to the PDPA to explicitly stipulate that, in the event of a personal data breach incident, there is an obligation to notify the affected data subjects and report to the competent authority, i.e. the Personal Data Protection Commission (PDPC).
These obligations apply regardless of whether the incident is due to a violation of the PDPA. The amendments have not yet become effective but, once they do, data controllers will no longer be able to delay notifying data subjects on the grounds that the cause of the incident has yet to be determined, and will be subject to administrative fines for failure to file the required data breach incident report to the competent authority.
The PDPA amendments authorise the PDPC to separately stipulate detailed regulations regarding matters such as the content, method, and time limit of notifications of data breach incidents. However, during the six-year transition period following the establishment of the commission, the Executive Yuan (executive branch of the government) may publicly announce a list of certain sectoral regulators that shall continue to enforce and implement the act jointly with the PDPC. The authors anticipate that, for the e-commerce industry, the MODA will be on such a list, and e-commerce operators will continue to be regulated by the ministry for data privacy matters during this six-year period.
While the 2025 PDPA amendments introduce the above new requirements and involve the operation of the PDPC, the commission has not been established as of November 2025, and the amendments to the act have not become effective. It is anticipated that the amendments will become effective after the PDPC is officially formed. There is no fixed schedule for the establishment of the commission, but it is expected to be formed soon.
Operators’ responsibilities
Vick Chien
Associate Partner
Lee and Li
Taipei
Tel: +886 2 2763 8000 (ext. 2214)
Email: vickchien@leeandli.com
To curb the surge in fraud cases, the Taiwan government enacted and implemented the Fraud Crime Hazard Prevention Act (FCHPA) in 2024. The FCHPA imposes different sets of obligations regarding preventive measures on relevant industries and business operators, such as telecommunications enterprises, third-party payment service providers, online advertising platform operators and e-commerce operators.
With respect to e-commerce operators, the FCHPA stipulates that when an e-commerce operator is notified by the judicial police or the competent authority in charge of the relevant business that its services are suspected of being involved in fraudulent activities, the e-commerce operator shall co-operate with the judicial police or competent authority in handling the matter, and shall suspend the provision of services to such users whose accounts are involved in the suspected fraudulent activities within a reasonable period.
In addition, e-commerce operators are required to adopt feasible technologies to retain, within a reasonable period, electronic records, documents, images, items and data obtained from user registration and identity verification procedures, as well as connection and transaction records.
This retention of records also covers other relevant information sufficient to reconstruct users and individual transactions.
As for online advertising platform operators, the FCHPA requires that, when such operators publish or push advertisements on their platforms, certain information must be disclosed in the advertisements, such as indicating that the message is an advertisement. In addition, if the advertisement is published on behalf of a client, the information of the sponsor must also be disclosed.
Furthermore, online advertising platform operators are required to establish management measures to verify the identities of clients and sponsors through digital signatures, rapid identity verification mechanisms, or other technologies or methods with equivalent security. They are also required to publish an annual fraud prevention transparency report.
It should be noted that, considering enforcement and regulatory capacity, the online advertising platform operators subject to the FCHPA are only those that “provide online advertising services within the territory of Taiwan and reach a certain scale”. The following online advertising platform operators shall be subject to the FCHPA: Meta (Facebook, Instagram and Threads), Google (Google and YouTube), Line and TikTok. These operators meet the criteria and shall comply with the relevant requirements, including appointing a local legal representative.
Restrictions on platforms
Ban on electronic cigarettes. In 2025, the Taiwan government continues to maintain strict controls on electronic cigarettes. Since 22 March 2023, the sale of electronic cigarettes via the internet has been outright banned in Taiwan. Pursuant to the Tobacco Hazards Prevention Act (THPA), no one is permitted to manufacture, import, sell (including online or in brick-and-mortar stores), supply, display or advertise electronic cigarettes and unauthorised heated-tobacco products in Taiwan.
The Ministry of Health and Welfare (MOHW) and municipal health and welfare authorities have been strictly enforcing this ban. Any content referring to electronic cigarettes on the internet is easily regarded as an advertisement of electronic cigarettes, and the relevant authority will impose fines on the website or platform that publishes such content.
Meanwhile, to prevent electronic cigarettes from being sold online under certain code names (for example, “candy” or “milk tea”), the relevant authorities require all e-commerce websites, social media, etc., to screen for these code names and block or take down the relevant content. One famous case was that during a certain period, searching for “candy” on one of the large e-commerce platforms in Taiwan yielded no results.
In furtherance of these regulatory efforts on electronic cigarettes online, the MOHW proposed amendments to the THPA, under which all websites globally would be subject to the act, and any offshore websites would be required to appoint a legal representative in Taiwan to handle compliance matters and take down any electronic cigarette content once informed or risk administrative sanctions.
Restriction on importation of meat products. Certain meat and animal products are subject to quarantine requirements and are regulated as “quarantine items”. The Act on the Prevention and Control of Infectious Animal Diseases requires e-commerce operators to take the following measures to help prevent the spread of quarantine items:
-
- place necessary warnings for the awareness campaign of animal health inspection or quarantine;
- retain the personal data of advertisers, sellers or purchasers of animal products, or provide such information regularly to the import/export animal quarantine authorities; and
- restrict access to and browsing of related web pages, or remove such pages if there are advertisements for the sale of “quarantine items”.
Since e-commerce listings are regarded as advertisements under Taiwan law, e-commerce platforms are therefore prohibited from knowingly listing any animal products that are “quarantine items” on their platforms. Should they be notified by the authorities of any such listings, they shall remove them from their platforms.
Lee and Li, Attorneys-at-Law
8F, No. 555, Sec. 4, Zhongxiao E. Rd.,
Taipei 110055, Taiwan
Tel: +886 2 2763 8000
Email: attorneys@leeandli.com
www.leeandli.com
