Published April 21, 2021.
Singapore’s Personal Data Protection Act (PDPA) took effect in 2014 but was amended in October 2020 to include, among other additions, changes to its consent framework.
In this blog post, we break down Singapore’s PDPA – its rights, requirements, the new 2020 amendments and how your website becomes compliant.
Singapore’s Personal Data Protection Act (PDPA) is one of the world’s longer-standing data privacy laws. Passed in 2012 and fully effective since 2014, it predates the EU’s General Data Protection Regulation (GDPR) and shares some of its personal data protection and governance requirements with the earlier EU ePrivacy Directive.
In short, Singapore’s PDPA regulates the collection, use and disclosure of personal data in Singapore. It gives enforceable rights to users; places the responsibility for lawful data processing on websites, companies and organizations anywhere in the world that process personal data from inside Singapore; regulates the transfer of personal data outside of Singapore; and establishes the Personal Data Protection Commission (PDPC) as its main enforcement authority.
Under Singapore’s PDPA, consent from users must be obtained prior to personal data processing.
Singapore’s PDPA quick breakdown –
Under Singapore’s PDPA, consent is valid only if your website informs users of collection and purpose beforehand.
The consent obligation is a key part of Singapore’s PDPA – a crucial compliance requirement that websites anywhere in the world processing personal data from users in Singapore must be aware of.
In short, the consent obligation (spelled out in PDPA sections 13-17) means that your website is only allowed to handle personal data from users inside Singapore if those users give, or are deemed to have given, their prior consent.
Under Singapore’s PDPA, consent can be either affirmative or deemed. Deemed consent means that if you have already informed users about your website’s intended collection and the purposes for it, and they have not opted out of the processing, you may treat their inaction as consent.
In general, for user consents to be valid under the PDPA –
Using cookies and trackers, especially third-party cookies from popular third-party services, means that your website collects and shares personal data, such as IP addresses, unique IDs, search and browser history and much more.
If a visitor to your website is from inside Singapore, you are required to obtain their consent before activating any of these cookies and trackers (except those strictly necessary for the functioning of your domain).
Users in Singapore have the right to withdraw their consent easily and at any given time.
Test to see which cookies and trackers are in use on your website, what kind of personal data they process and where in the world you send it to by using the free Cookiebot GDPR compliance test.
Simply enter the URL of your website and receive a free scan of up to five subpages, detecting all cookies in operation on these pages.
Most website owners and operators are surprised to find out that their domain hosts many more cookies, trackers and trojan horses than they thought, because –
72% of all trackers on websites are secretly loaded by third-party cookies.
18% of cookies on websites are so-called trojan horses, nested as deep as eight trackers down, making them undetectable without a powerful scanning technology.
50% of trojan trackers change between repeated user visits, meaning they may have changed provider and purpose and may be collecting entirely different kinds of personal data than what the user initially consented to.
Source: Beyond the Front Page, a 2020 research paper on website cookies.
On November 2, the Singapore Parliament passed an amendment bill to the Personal Data Protection Act (PDPA). While the amendments await royal assent to become fully effective, the changes to the PDPA come with no grace period and websites will need to comply straight away once the amended PDPA takes effect.
The new PDPA amendments include –
Under Singapore’s PDPA, processing personal data without prior consent can result in fines up to $1 million.
On November 20, following the passing of the PDPA amendments in Parliament, the Personal Data Protection Commission (PDPC) issued a set of draft advisory guidelines on key provisions of the amendments, which together clarify the changes and specify how to be in PDPA compliance going forward.
Cookiebot CMP is the world’s leading consent management platform that ensures full compliance for your website with all major data privacy laws, such as EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and Singapore’s PDPA.
Built around a powerful scanner that detects all cookies and trackers in operation on your domain, our solution automatically manages all user consents on your website through highly customizable interfaces that meet all PDPA requirements on information, notification and consent.
Cookiebot CMP consent banner meeting PDPA requirements and automatically ensuring your website’s compliance.
Using our CMP on your website gives you –
If your website has users from Singapore, Cookiebot CMP will automatically geotarget their location and present the correct consent framework in compliance with the PDPA.
Let’s take a closer look at the different aspects of Singapore’s Personal Data Protection Act (PDPA) – how personal data is defined, how consent is defined (with 2020 amendments) and how the PDPA regulations clarify compliance.
Singapore was one of the first countries to implement a data privacy law that not only regulates the collection and processing of personal data inside its territory, but also places enforceable responsibility on “organizations” (defined in the PDPA to include individuals, websites, companies, associations and more, located anywhere in the world).
The PDPA, drafted in 2012 and in full effect since July 2014, also serves as a so-called “spam law”, establishing the Do Not Call (DNC) Registry that Singaporeans can use to opt out of unsolicited marketing.
Even though the PDPA shares key provisions with the EU’s ePrivacy Directive and the later GDPR, Singapore is not recognized by the EU as having an adequate level of data protection and ranks as a third country in regard to the flow of data between the two territories.
Want to know more about Singapore’s PDPA vs EU’s GDPR?
Take a look at the Personal Data Protection Commission’s (PDPC) handy infographic comparison of the PDPA and the EU’s GDPR, which details the differences between the two data privacy laws’ consent requirements and exceptions.
Personal data is defined in Singapore’s Personal Data Protection Act very broadly as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access,” including but not limited to –
Personal data is broadly defined under the PDPA, website cookies and IP addresses included.
Exempt from the PDPA are personal data entered into a business contract (defined instead as business contact information), personal data that is more than 100 years old, and personal data about an individual who has been dead for more than 10 years.
Unlike EU’s GDPR, Singapore’s PDPA does not create a special category of sensitive personal data.
However, the Personal Data Protection Commission (PDPC) decided in October 2017 that certain kinds of personal data are of a sensitive nature and require a higher level of protection than other kinds of personal data.
Examples of personal data of a sensitive nature include –
If your website, company or organization processes personal data of a more sensitive nature from users inside Singapore, the PDPC requires you to implement security safeguards appropriate to the sensitivity of the information.
In November 2020, Singapore amended the PDPA to include, among other things, a more detailed set of specifications on how deemed consent works.
Deemed consent is a valid form of consent under which the inaction of users constitutes implied consent. However, users must still be able to revoke their consent at any given time, even though the consent is deemed.
In the PDPA before the 2020 amendment (section 15), deemed consent works like this –
The new and amended PDPA (section 15A) expands the consent obligations to include deemed consent by notification, meaning that –
The PDPA’s deemed consent by notification is close to the previous EU personal data protection regime under the ePrivacy Directive, which also allowed for the implied consent of EU users. That approach, however, has been effectively ruled out by the European Data Protection Board (EDPB) based on the newer GDPR’s requirement that valid consent consist of an affirmative, explicit action on the part of the user.
Under the PDPA, consent cannot be made a condition of providing a product or service, such as access to a website.
The Personal Data Protection Regulations of 2014 clarify the practical aspect of how websites and organizations are supposed to set up their PDPA compliance.
In short, the PDPA regulations –
Singapore’s Personal Data Protection Act (PDPA) is one of the world’s strong data privacy laws. If your website has visitors from inside Singapore, it requires you to comply with its obligations for obtaining user consent, giving timely user notifications, and enabling users to request access to and correction of already collected personal data.
Cookiebot CMP is the world’s leading solution for cookie control and consent management, offering plug-and-play compliance with all major data privacy laws such as EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA – and Singapore’s PDPA.
Sign up for free to Cookiebot CMP today for all-round, fully automatic data privacy compliance.
Try a free limited scan of your website to see what cookies are in operation, what kinds of personal data your website collects and where it sends data to.
Singapore’s Personal Data Protection Act (PDPA) is a national data privacy law that governs all collection, use and disclosure (e.g. sharing with third parties) of personal data in Singapore. It took effect in 2014 and was amended in 2020 to strengthen protection for users and tighten requirements for websites, companies and organizations.
Singapore’s PDPA applies to any website, company or organization anywhere in the world that collects, uses or discloses personal data from inside the territory of Singapore. If your website has visitors from Singapore, you are required to comply with its consent obligation and other key provisions. Fines for non-compliance can reach $1 million.
Singapore’s PDPA defines personal data very broadly; it includes names, addresses, email addresses, telephone numbers, IP addresses, cookie identifiers, unique IDs, search history, browser history, device data and location data. Financial and health data, among others, are regarded by the Personal Data Protection Commission (PDPC) as being of a more sensitive nature, which requires additional protection.
Singapore’s PDPA requires your website to obtain the consent of users before collecting, using or disclosing their personal data. You must notify users about your intended collection and the purposes for collection and enable users to opt out. Users must also be able to revoke their consent at any given time, if they so choose.
Valid consent under Singapore’s PDPA means first informing users of your website’s intended collection, including the purposes for collection, and enabling users to opt out before any processing has begun. If users have been notified and still haven’t opted out, you’re allowed to deem their inaction as implied consent and begin collection, use or disclosure of their personal data.
Try Cookiebot CMP free for 30 days – or always if you have a small website