# [PDPA - Personal Data Protection Act Singapore](https://www.cookiebot.com/en/singapore-pdpa/) **Enable compliance with the Personal Data Protection Act (PDPA) in Singapore with Cookiebot's easy-to-use CMP solution. Get started today!** · [Web CMP](https://usercentrics.com/website-consent-management/) · [App CMP](https://usercentrics.com/in-app-sdk/) · [CTV CMP](https://usercentrics.com/usercentrics-ctv-cmp/) · [Privacy Policy Generator](https://usercentrics.com/privacy-policy-generator/) · [Server Google Tag Manager](https://usercentrics.com/server-side-tracking-solution/) · [Meta Signals GatewayNew](https://usercentrics.com/meta-signals-gateway/) · [MCP ManagerNew](https://usercentrics.com/ai-model-context-protocol-manager/) · [Preference Manager](https://usercentrics.com/preference-management/) --- ## Quick summary ### PDPA – Singapore’s data protection law, in brief Singapore’s Personal Data Protection Act (PDPA) is one of the veteran data privacy laws of the world. Passed in 2012 and fully effective since 2014, it predates the [EU’s General Data Protection Regulation (GDPR)](https://www.cookiebot.com/en/gdpr/) and shares with the earlier [EU ePrivacy Directive](https://www.cookiebot.com/en/eu-privacy-laws/) some of the same requirements behind its personal data protection and governance. In short, Singapore’s **PDPA** regulates the collection, use and disclosure of personal data in Singapore by **giving enforceable rights to users**, placing the **responsibility of lawful data processing** on the shoulders of websites, companies and organizations anywhere in the world that process personal data from inside Singapore, **regulating the transfer of personal data outside of Singapore**, and **establishing the Personal Data Protection Commission (PDPC)** as main enforcement authority. **Singapore’s PDPA quick breakdown –** - **Singapore's PDPA** took full effect on July 2, 2014. - **Singapore's PDPA** governs all collection, use and disclosure (e.g. sharing with third parties) of personal data from inside Singapore. It applies to any organization located anywhere in the world (websites, companies, associations etc.) that handle personal data from users located inside the territory of Singapore. - **Singapore's PDPA** empowers users in Singapore with the right to give and revoke consent to the processing of their personal data, the right to access personal data already collected, and the right to correct inaccurate personal data. - **Singapore's PDPA** defines consent as an informed action on part of the user, either affirmatively or deemed (implied). - **Singapore's PDPA** defines personal data broadly as data about an individual who can be identified from that data or from other information that is accessible to an organization. However, the PDPC has decided that certain types of personal data are more sensitive in nature and requires a higher standard of protection. - **Singapore's PDPA** establishes the Personal Data Protection Commission (PDPC) as its main authority, with responsibilities of enforcement, supervision, data privacy consultancy and government advisory. - **Singapore's PDPA** prohibits transfers of personal data outside Singapore, unless the place of transfer is able to ensure the same level of data protection as under the Singapore PDPA. - **Singapore's PDPA** was amended in 2020 to include mandatory data breach notifications, an expanded deemed consent framework, exceptions to consent for legitimate interests, increased financial penalties for non-compliance and a new right to data portability for users inside Singapore. Under Singapore’s PDPA, consent from users must be obtained prior to personal data processing. The **consent obligation** is a key part of Singapore’s PDPA – a crucial compliance requirement that websites anywhere in the world processing personal data from users in Singapore must be aware of. In short, the consent obligation (spelled out in PDPA sections 13-17) means that **your website is only allowed to handle personal data from users inside Singapore if users give, or is deemed to have given, their prior consent**. Under Singapore’s PDPA, consent can either be **affirmative** or **deemed**, meaning that **if users have already been informed** by you about your website’s intended collection and purposes for collection, **but have not opted out** of the processing, you are safe to **deem their inaction as consent**. In general, for user consents to be valid under the PDPA – - you must first **inform users about your website’s intended processing** (collection, use or disclosure of their personal data), - you must **inform users about the purposes of processing**, including any other purpose that the users haven’t been informed about in the initial collection notification, - you must **notify users at or before the time of collection**, - users must be able to withdraw their consent at any given time, - and you are not allowed to make consent conditional for providing a product or service. Let’s say that your website uses cookies and trackers in order to receive analytics insights and statistics about its performance, or to show online advertisement. Most websites in the world do so, and usually through popular platforms like [Google Analytics](https://www.cookiebot.com/en/google-analytics-gdpr/) and [HubSpot](https://www.cookiebot.com/en/hubspot-and-gdpr/). Using cookies and trackers, **especially third-party cookies** from popular third-party services, means that your website collects and shares personal data, such as **IP addresses**, **unique IDs**, **search** and **browser history** and much more. If a visitor to your website is from inside Singapore, you are required to first obtain their consent before activating any of these cookies and trackers (any but the ones strictly necessary for the function of your domain). Test to see which cookies and trackers are in use on your website, what kind of personal data they process and where in the world you send it to by using the [free Cookiebot GDPR compliance test](https://www.cookiebot.com/en/cookie-checker/). ### Singapore’s PDPA amended in 2020 On November 2, the Singapore Parliament [passed an amendment bill](https://iapp.org/news/a/singapores-parliament-passes-pdpa-amendments/) to the Personal Data Protection Act (PDPA). While the amendments await royal assent to become fully effective, the changes to the PDPA come with **no grace period** and websites will need to comply straight away once the amended PDPA takes effect. The new PDPA amendments include – - **Deemed consent by notification** – expanding the framework around deemed consent to include a requirement to notify users of new purposes for collection and enable users to opt out. - **Mandatory data breach notification** – requiring websites, companies and organizations to notify users and the PDPC of data breaches within three days. - **Exception to consent for legitimate interests** – organizations can rely on the exception provided by legitimate interests to collect, use or disclose personal data, but must follow the PDPC’s advisory guidelines to do so. - **Increased financial penalties** – increasing the fine of non-compliance with PDPA to 10% of the annual turnover of the organization with an annual turnover exceeding $10 million, or $1 million, whichever is highest. - **New data portability right** – users in Singapore will be able to have collected data made portable and transferable to other organizations upon request. [Cookiebot CMP](https://www.cookiebot.com/) is the world’s leading consent management platform that ensures full compliance for your website with all major data privacy laws, such as [EU’s GDPR](https://www.cookiebot.com/en/gdpr-cookies/), [California’s CCPA](https://www.cookiebot.com/en/ccpa/), [Brazil’s LGPD](https://www.cookiebot.com/en/lgpd/), [South Africa’s POPIA](https://www.cookiebot.com/en/popia/) and Singapore’s PDPA. Built around a powerful scanner that detects all cookies and trackers in operation on your domain, our solution automatically manages all user consents on your website through highly customizable interfaces that meet all PDPA requirements on information, notification and consent. Using our CMP on your website gives you – - auto-blocking of all cookies and trackers for true prior consent for users in Singapore - granular consent interface for easy user consent to cookies - cookie declaration for PDPA notification requirements, including provider, purpose, duration and type of each cookie - automatic renewal of user consents If your website has users from Singapore, [Cookiebot CMP](https://www.cookiebot.com/) will automatically geotarget their location and present the correct consent framework in compliance with the PDPA. --- ## Singapore’s PDPA, in detail Let’s take a closer look at the different aspects of **Singapore’s Personal Data Protection Act (PDPA)** – how personal data is defined, how consent is defined (with 2020 amendments) and how the PDPA regulations clarify compliance. ### Singapore’s PDPA and data privacy regime Singapore was one of the first countries to implement a data privacy law that not only protects the collection and processing of personal data inside of its territory, but also puts enforceable responsibility on “organizations” (defined in the PDPA to include individuals, websites, companies, associations and more, located anywhere in the world). The PDPA, drafted in 2012 and in full effect since July 2014, also serves as a so-called “spam law”, establishing the **Do Not Call (DNC) Registry** that Singaporeans can use to opt-out of unsolicited marketing. [Learn more about the scope and objectives of the PDPA](https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act/) Even though the PDPA shares key provisions with the [EU’s ePrivacy Directive](https://www.cookiebot.com/en/eu-privacy-laws/) and the later [GDPR](https://www.cookiebot.com/en/gdpr/), Singapore is not recognized by the EU as having [an adequate level of data protection](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en/) and ranks as a third country in regard to the flow of data between the two territories. ### Personal data under Singapore’s PDPA **Personal data** is defined in Singapore’s Personal Data Protection Act very broadly as *“data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access,”* including but not limited to – - Names, addresses, email addresses, telephone numbers, - IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data, - Information about age, gender, race, health, sexual orientation, appearance, political and religious convictions. **Exempt from the PDPA** is personal data entered into a business contract (defined instead as business contract information), personal data that is more than 100 years old and personal data about an individual, if the person has been dead for more than 10 years. Unlike EU’s GDPR, Singapore’s PDPA does not create a special category of sensitive personal data. However, the Personal Data Protection Commission (PDPC) [decided in October 2017](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/grounds-of-decision---aviva-ltd---111017.pdf) that certain kinds of personal data are of **a sensitive nature** and require **a higher level of protection** than other kinds of personal data. Examples of personal data of a sensitive nature includes – - Any kind of personal data about minors (individuals under the age of 21), - Identification data (e.g. from passports and National Registration Identity Cards), - Financial data (e.g. credit cards, bank accounts, payments and transactions), - Insurance data (e.g. policy, sums, premiums), - Certain sensitive medical data, - Certain criminal data on prior drug use. If your website, company or organization processes personal data of a more sensitive nature from users inside Singapore, the PDPC requires you to **implement security safeguards appropriate to the sensitivity of the information**. ### Singapore’s PDPA consent obligations and its 2020 amendments **Deemed consent** is the valid type of consent that means that the **inaction of users constitutes a form of implied consent**. However, users must still be able to revoke their consent at any given time, even though the consent is deemed. In the PDPA **before the 2020 amendment** (section 15), deemed consent works like this – - A website must, before any collection, use or disclosure of personal data, determine whether their collection, use or disclosure is likely to have an adverse effect on the individual. - A website must then inform the individual about its intention to collect, use or disclose their personal data, the purpose for which the personal data will be collected, used or disclosed, as well as enable the individual to not give their consent and in so doing opt-out of having their personal data collected, used or disclosed. The **new and amended PDPA** (section 15A) expands the consent obligations to include **deemed consent by notification**, meaning that – - Websites, companies and organizations can collect, use or disclose personal data if the individual does not make clear that they don’t consent. However, it is now required that some form of notification is shown to the individual about the collection of their personal data and given an opportunity to **not** give their consent. - If users don’t express their dissent towards their personal data being collected, used or disclosed by a website, the website is allowed to start collection, use and disclosure (e.g. transferring data to Google or Facebook) based on **deemed consent**, i.e. that the website can deem that the user – by not explicitly dissenting or opting out of the collection – is okay with the collection. The PDPA’s **deemed consent by notification** is close to the previous EU personal data protection regime under the [ePrivacy Directive](https://www.cookiebot.com/en/eu-privacy-laws/), which also allowed for the implied consent of EU users. This, however, has been effectively ruled out by the [European Data Protection Board (EDPB)](https://edpb.europa.eu/) based on the newer [GDPR’s requirement for valid consent](https://www.cookiebot.com/en/gdpr-cookies/) to consist of an affirmative, explicit action on part of the user. ### Singapore’s PDPA regulations The Personal Data Protection Regulations of 2014 clarify the practical aspect of how websites and organizations are supposed to set up their PDPA compliance. In short, the PDPA regulations – - specify that **requests** (to gain access or to correct or to dissent from further personal data collection) **must be made by users in writing** - clarify that websites, companies and organizations receiving requests from users must **respond within 30 days** - make it clear that organizations may charge **a fee in exchange** for processing requests from users - explain the rules around **international transfers** of personal data outside of Singapore --- ## Summary: Singapore’s PDPA Singapore’s Personal Data Protection Act (PDPA) is one of the world’s strong data privacy laws that requires your website, if it has visitors from inside Singapore, to comply with its obligations for obtaining user consent, giving timely user notifications and enabling users to request access to and correction of already collected personal data. *Used by: various organizations* --- ## Frequently asked questions What is Singapore’s PDPA? Singapore’s Personal Data Protection Act (PDPA) is a national data privacy law that governs all collection, use and disclosure (e.g. sharing with third parties) of personal data in Singapore. It took effect in 2014 and was amended in 2020 to strengthen protection for users and tighten requirements for websites, companies and organizations. Who does Singapore’s PDPA apply to? Singapore’s PDPA applies to any website, company or organization anywhere in the world that collects, uses or discloses personal data from inside the territory of Singapore. If your website has visitors from Singapore, you are required to comply with its consent obligation and other key provisions. Fines for non-compliance can reach $1 million. What is personal data under Singapore’s PDPA? Singapore’s PDPA defines personal data very broadly and includes names, addresses, email addresses, telephone numbers, IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data. Data on financials and health, among others, are regarded by the Personal Data Protection Commission (PDPC) as being of a more sensitive nature, which requires additional protection. How can my website be PDPA compliant? Singapore’s PDPA requires your website to obtain the consent of users before collecting, using or disclosing their personal data. You must notify users about your intended collection and the purposes for collection and enable users to opt-out. Users need also to be able to revoke their consent at any given time, if they choose so. --- ## Resources [Try Cookiebot CMP free for 14 days](https://admin.cookiebot.com/signup) – or always if you have a small website [Singapore’s Personal Data Protection Act, official law text](https://sso.agc.gov.sg/Act/PDPA2012/) [PDPC Advisory Guidelines on consent and other key concepts (pdf)](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-(2-June-2020).pdf?la=en) [Singapore Personal Data Protection Commission's Guide on Active Enforcement (pdf)](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-on-Active-Enforcement-15-Mar-2021.pdf?la=en) [Personal Data Protection (Amendment) Bill 2020](https://sso.agc.gov.sg/Bills-Supp/37-2020/Published/20201005/?DocDate=20201005) [PDPC Draft Advisory Guidelines on the PDPA Amendments 2020 (pdf)](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Draft-AG-on-Key-Provisions/Draft-Advisory-Guidelines-on-Key-Provisions-of-the-PDP-(Amendment)-Bill-(20-Nov-2020).pdf?la=en) [Visit the Personal Data Protection Commission (PDPC)](https://www.pdpc.gov.sg/) [IAPP on the 2020 PDPA amendments](https://iapp.org/news/a/singapores-parliament-passes-pdpa-amendments/) [Beyond the Front Page – 2020 research paper on website cookies](https://arxiv.org/pdf/2001.10248.pdf) --- ## Product [Cookiebot™ Consent Solution](https://www.cookiebot.com/en/cookie-consent-solution/) · [Usercentrics for Wix](https://www.cookiebot.com/en/cookiebot-for-wix-by-usercentrics-app/) · [WordPress Plugin](https://www.cookiebot.com/en/new-wp-cookie-plugin/) · [Pricing](https://www.cookiebot.com/en/pricing/) ## Regulations [DMA (EU)](https://www.cookiebot.com/en/digital-markets-act-dma/) · [GDPR (EU)](https://www.cookiebot.com/en/gdpr/) · [CCPA (California)](https://www.cookiebot.com/en/what-is-ccpa/) · [VCDPA (Virginia)](https://www.cookiebot.com/en/virginia-vcdpa/) · [LGPD (Brazil)](https://www.cookiebot.com/en/lgpd/) · [TCF v2.3 (IAB)](https://www.cookiebot.com/en/tcf/) · [Google Consent Mode](https://www.cookiebot.com/en/cookiebot-cmp-google-consent-mode/) · [Microsoft UET Consent Mode](https://www.cookiebot.com/en/microsoft-consent-mode-cmp/) ## Partners [Become an affiliate](https://www.cookiebot.com/en/affiliates/) · [Become a partner](https://www.cookiebot.com/en/resellers/) · [Find a partner](https://www.cookiebot.com/en/cookiebot-reseller/) ## Resources [Blog](https://www.cookiebot.com/en/blog/) · [Digital Markets Act Hub](https://www.cookiebot.com/en/digital-markets-act-dma-resources/) · [Google Consent Mode Hub](https://www.cookiebot.com/en/google-consent-mode-resources/) · [Google Consent Mode V2 Certification](https://courses.usercentrics.com/course/google-consent-mode-v2) · [Google Consent Audit Fixes](https://www.cookiebot.com/en/google-consent-audit-fixes/) · [Developer documentation](https://www.cookiebot.com/en/developer/) · [Cookiebot vs CookieYes](https://www.cookiebot.com/en/cookiebot-best-cookieyes-alternative/) · [Cookiebot vs OneTrust](https://www.cookiebot.com/en/onetrust-alternative/) · [Cookie Banner Cost Calculator](https://www.cookiebot.com/en/cookie-banner-pricing-calculator/) ## Company [About us](https://www.cookiebot.com/en/about/) · [Careers](https://usercentrics.com/career/) · [Support](https://support.cookiebot.com/hc/en-us/) --- [Privacy Policy](https://www.cookiebot.com/en/privacy-policy/) · [Terms of Service](https://www.cookiebot.com/en/terms-of-service/) · [Cookie Declaration](https://www.cookiebot.com/en/cookie-declaration/) · [Data Processing Agreement](https://www.cookiebot.com/en/data-processing-agreement/) ©2026 Cookiebot™ by [Usercentrics](https://usercentrics.com/)