Logo Logo

Singapore's PDPA affect how you as a website owner may use cookies and online tracking of visitors from inside Singapore.

Try our free website scan to find all cookies, to see what data your website collects and which third parties it shares them with.

PDPA compliance in Singapore with Cookiebot CMP.

Published April 21, 2021.

Singapore’s Personal Data Protection Act (PDPA) took effect in 2014 but was amended in October 2020 to include, among other additions, changes to its consent framework.

In this blogpost, we break down Singapore’s PDPA – its rights, requirements, new 2020 amendments and how your website becomes compliant.

Quick summary

PDPA – Singapore’s data protection law, in brief

Singapore’s Personal Data Protection Act (PDPA) is one of the veteran data privacy laws of the world. Passed in 2012 and fully effective since 2014, it predates the EU’s General Data Protection Regulation (GDPR) and shares with the earlier EU ePrivacy Directive some of the same requirements behind its personal data protection and governance.

In short, Singapore’s PDPA regulates the collection, use and disclosure of personal data in Singapore by giving enforceable rights to users, placing the responsibility of lawful data processing on the shoulders of websites, companies and organizations anywhere in the world that process personal data from inside Singapore, regulating the transfer of personal data outside of Singapore, and establishing the Personal Data Protection Commission (PDPC) as main enforcement authority.

PDPA in Singapore requires consent for personal data collection.

Under Singapore’s PDPA, consent from users must be obtained prior to personal data processing.

Singapore’s PDPA quick breakdown –

PDPA in Singapore protects individuals' personal data inside the territory of Singapore.

Under Singapore’s PDPA, consent is valid only if your website informs users of collection and purpose beforehand.

Singapore’s PDPA and Consent Obligation

The consent obligation is a key part of Singapore’s PDPA – a crucial compliance requirement that websites anywhere in the world processing personal data from users in Singapore must be aware of.

In short, the consent obligation (spelled out in PDPA sections 13-17) means that your website is only allowed to handle personal data from users inside Singapore if users give, or is deemed to have given, their prior consent.

Under Singapore’s PDPA, consent can either be affirmative or deemed, meaning that if users have already been informed by you about your website’s intended collection and purposes for collection, but have not opted out of the processing, you are safe to deem their inaction as consent.

In general, for user consents to be valid under the PDPA –

Read the PDPC Advisory Guidelines on PDPA consent and other key concepts (PDF)

Let’s say that your website uses cookies and trackers in order to receive analytics insights and statistics about its performance, or to show online advertisement. Most websites in the world do so, and usually through popular platforms like Google Analytics and HubSpot.

Using cookies and trackers, especially third-party cookies from popular third-party services, means that your website collects and shares personal data, such as IP addresses, unique IDs, search and browser history and much more.

If a visitor to your website is from inside Singapore, you are required to first obtain their consent before activating any of these cookies and trackers (any but the ones strictly necessary for the function of your domain).

Singapore PDPA compliance with Cookiebot CMP for free today.

Users in Singapore have the right to withdraw their consent easily and at any given time.

Scan your website for free with Cookiebot CMP

Test to see which cookies and trackers are in use on your website, what kind of personal data they process and where in the world you send it to by using the free Cookiebot GDPR compliance test.

Simply enter the URL of your website and receive a free scan of up to five subpages, detecting all cookies in operation on these pages.

Most website owners and operators are surprised to find out that their domain hosts many more cookies, trackers and trojan horses than they thought, because –

72% of all trackers on websites are secretly loaded by third-party cookies.

18% of cookies on websites are so-called trojan horses that hide as deep as within eight other trackers, making them undetectable without a powerful scanning technology.

50% of trojan trackers will change between repeated user visits, meaning they can have changed provider, purpose and be collecting totally different kinds of personal data than what the user initially consented to.

Source: Beyond the Front Page, a 2020 research paper on website cookies.

Using HubSpot? Get started with the Cookiebot CMP app for PDPA compliance

Get started with Google Consent Mode and Cookiebot CMP

Singapore’s PDPA amended in 2020

On November 2, the Singapore Parliament passed an amendment bill to the Personal Data Protection Act (PDPA). While the amendments await royal assent to become fully effective, the changes to the PDPA come with no grace period and websites will need to comply straight away once the amended PDPA takes effect.

The new PDPA amendments include –

Read the Personal Data Protection (Amendment) Bill 2020

PDPA in Singapore empowers users with enforceable rights over their personal data.

Under Singapore’s PDPA, processing personal data without prior consent can result in fines up to $1 million.

On November 20, following the passing of the PDPA amendments in Parliament, the Personal Data Protection Commission (PDPC) issued a set of draft advisory guidelines on key provisions of amendments that altogether clarify the changes and specify how to be in PDPA compliance going forward.

Read the PDPC’s Draft Advisory Guidelines here (PDF)

PDPA compliance with Cookiebot CMP

Cookiebot CMP automatically controls all user consent on your website

Cookiebot CMP is the world’s leading consent management platform that ensures full compliance for your website with all major data privacy laws, such as EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and Singapore’s PDPA.

Built around a powerful scanner that detects all cookies and trackers in operation on your domain, our solution automatically manages all user consents on your website through highly customizable interfaces that meet all PDPA requirements on information, notification and consent.

Compliance with Singapore's PDPA with Cookiebot CMP.Logo banner powered by Cookiebot by Usercentrics

Cookiebot CMP consent banner meeting PDPA requirements and automatically ensuring your website’s compliance.

Using our CMP on your website gives you –

If your website has users from Singapore, Cookiebot CMP will automatically geotarget their location and present the correct consent framework in compliance with the PDPA.

With just a few lines of JavaScript on your website and installed directly from the cloud, Cookiebot CMP gives you plug-and-play compliance with all major data privacy laws, including Singapore’s PDPA.

Use Cookiebot CMP to be in compliance with the PDPA in Singapore

Singapore’s PDPA, in detail

Let’s take a closer look at the different aspects of Singapore’s Personal Data Protection Act (PDPA) – how personal data is defined, how consent is defined (with 2020 amendments) and how the PDPA regulations clarify compliance.

Singapore’s PDPA and data privacy regime

Singapore was one of the first countries to implement a data privacy law that not only protects the collection and processing of personal data inside of its territory, but also puts enforceable responsibility on “organizations” (defined in the PDPA to include individuals, websites, companies, associations and more, located anywhere in the world).

The PDPA, drafted in 2012 and in full effect since July 2014, also serves as a so-called “spam law”, establishing the Do Not Call (DNC) Registry that Singaporeans can use to opt-out of unsolicited marketing.

Learn more about the scope and objectives of the PDPA

Even though the PDPA shares key provisions with the EU’s ePrivacy Directive and the later GDPR, Singapore is not recognized by the EU as having an adequate level of data protection and ranks as a third country in regard to the flow of data between the two territories.

Want to know more about Singapore’s PDPA vs EU’s GDPR?

Take a look at Singapore’s Personal Data Protection Commission (PDPC) handy infographic comparison of the PDPA and EU’s GDPR that details the differences between the two data privacy laws’ consent requirements and exceptions.

Personal data under Singapore’s PDPA

Personal data is defined in Singapore’s Personal Data Protection Act very broadly as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access,” including but not limited to –

PDPA in Singapore protects personal data from unwanted collection and sharing.

Personal data is broadly defined under the PDPA, website cookies and IP addresses included.

Exempt from the PDPA is personal data entered into a business contract (defined instead as business contract information), personal data that is more than 100 years old and personal data about an individual, if the person has been dead for more than 10 years.

Unlike EU’s GDPR, Singapore’s PDPA does not create a special category of sensitive personal data.

However, the Personal Data Protection Commission (PDPC) decided in October 2017 that certain kinds of personal data are of a sensitive nature and require a higher level of protection than other kinds of personal data.

Examples of personal data of a sensitive nature includes –

If your website, company or organization processes personal data of a more sensitive nature from users inside Singapore, the PDPC requires you to implement security safeguards appropriate to the sensitivity of the information.

Read the PDPC’s October 2017 decision on sensitive personal data (PDF)

Singapore’s PDPA consent obligations and its 2020 amendments

In November 2020, Singapore amended the PDPA to include, among other things, a more detailed set of specifications on how deemed consent works.

Deemed consent is the valid type of consent that means that the inaction of users constitutes a form of implied consent. However, users must still be able to revoke their consent at any given time, even though the consent is deemed.

In the PDPA before the 2020 amendment (section 15), deemed consent works like this –

The new and amended PDPA (section 15A) expands the consent obligations to include deemed consent by notification, meaning that –

The PDPA’s deemed consent by notification is close to the previous EU personal data protection regime under the ePrivacy Directive, which also allowed for the implied consent of EU users. This, however, has been effectively ruled out by the European Data Protection Board (EDPB) based on the newer GDPR’s requirement for valid consent to consist of an affirmative, explicit action on part of the user.

Learn more about GDPR compliance with Cookiebot CMP

PDPA in Singapore, compliance with Cookiebot CMP.

Under PDPA, consent cannot be conditional for providing a product or service, such as access to a website.

Singapore’s PDPA regulations

The Personal Data Protection Regulations of 2014 clarify the practical aspect of how websites and organizations are supposed to set up their PDPA compliance.

In short, the PDPA regulations –

Read the Personal Data Protection Regulations 2014

Summary: Singapore’s PDPA


PDPA compliance with Cookiebot CMP

Singapore’s Personal Data Protection Act (PDPA) is one of the world’s strong data privacy laws that requires your website, if it has visitors from inside Singapore, to comply with its obligations for obtaining user consent, giving timely user notifications and enabling users to request access to and correction of already collected personal data.

Cookiebot CMP is the world’s leading solution for cookie control and consent management, offering plug-and-play compliance with all major data privacy laws such as EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA – and Singapore’s PDPA.

Sign-up for free to Cookiebot CMP today for all-round, fully automatic data privacy compliance.

Try a free limited scan of your website to see what cookies are in operation, what kinds of personal data your website collects and where it sends data to.


What is Singapore’s PDPA?

Singapore’s Personal Data Protection Act (PDPA) is a national data privacy law that governs all collection, use and disclosure (e.g. sharing with third parties) of personal data in Singapore. It took effect in 2014 and was amended in 2020 to strengthen protection for users and tighten requirements for websites, companies and organizations.

Who does Singapore’s PDPA apply to?

Singapore’s PDPA applies to any website, company or organization anywhere in the world that collects, uses or discloses personal data from inside the territory of Singapore. If your website has visitors from Singapore, you are required to comply with its consent obligation and other key provisions. Fines for non-compliance can reach $1 million.

What is personal data under Singapore’s PDPA?

Singapore’s PDPA defines personal data very broadly and includes names, addresses, email addresses, telephone numbers, IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data. Data on financials and health, among others, are regarded by the Personal Data Protection Commission (PDPC) as being of a more sensitive nature, which requires additional protection.

How can my website be PDPA compliant?

Singapore’s PDPA requires your website to obtain the consent of users before collecting, using or disclosing their personal data. You must notify users about your intended collection and the purposes for collection and enable users to opt-out. Users need also to be able to revoke their consent at any given time, if they choose so.

What is valid consent under Singapore’s PDPA?

Valid consent under Singapore’s PDPA means to first inform users of your website’s intended collection, including the purposes for collection, and enabling users to opt-out before any processing has begun. If users have been notified and still haven’t opted-out, you’re allowed to deem their inaction as implied consent and begin collection, use or disclosure of their personal data.


Try Cookiebot CMP free for 30 days – or always if you have a small website

Singapore’s Personal Data Protection Act, official law text

PDPC Advisory Guidelines on consent and other key concepts (pdf)

Singapore Personal Data Protection Commission's Guide on Active Enforcement (pdf)

Singapore Personal Data Protection Commission's Guide on Active Enforcement (pdf)

Personal Data Protection (Amendment) Bill 2020

PDPC Draft Advisory Guidelines on the PDPA Amendments 2020 (pdf)

Visit the Personal Data Protection Commission (PDPC)

IAPP on the 2020 PDPA amendments

Beyond the Front Page – 2020 research paper on website cookies

Cookiebot™ & Usercentrics 

Usercentrics & Cookiebot™ unite

Make your website’s use of cookies and online tracking compliant today

Try for free