In short, Singapore\u2019s PDPA<\/strong> regulates the collection, use and disclosure of personal data in Singapore by giving enforceable rights to users<\/strong>, placing the responsibility of lawful data processing<\/strong> on the shoulders of websites, companies and organizations anywhere in the world that process personal data from inside Singapore, regulating the transfer of personal data outside of Singapore<\/strong>, and establishing the Personal Data Protection Commission (PDPC)<\/strong> as main enforcement authority.<\/p>\n\n\n\n Singapore\u2019s PDPA quick breakdown \u2013<\/strong><\/p>\n\n\n\n The consent obligation<\/strong> is a key part of Singapore\u2019s PDPA \u2013 a crucial compliance requirement that websites anywhere in the world processing personal data from users in Singapore must be aware of.<\/p>\n\n\n\n In short, the consent obligation (spelled out in PDPA sections 13-17) means that your website is only allowed to handle personal data from users inside Singapore if users give, or is deemed to have given, their prior consent<\/strong>.<\/p>\n\n\n\n Under Singapore\u2019s PDPA, consent can either be affirmative<\/strong> or deemed<\/strong>, meaning that if users have already been informed<\/strong> by you about your website\u2019s intended collection and purposes for collection, but have not opted out<\/strong> of the processing, you are safe to deem their inaction as consent<\/strong>.<\/p>\n\n\n\n In general, for user consents to be valid under the PDPA \u2013<\/p>\n\n\n\n Read the PDPC Advisory Guidelines on PDPA consent and other key concepts (PDF)<\/a><\/p>\n\n\n\n Let\u2019s say that your website uses cookies and trackers in order to receive analytics insights and statistics about its performance, or to show online advertisement. Most websites in the world do so, and usually through popular platforms like\u00a0Google Analytics\u00a0<\/a>and\u00a0HubSpot<\/a>.<\/p>\n\n\n\n Using cookies and trackers, especially third-party cookies<\/strong> from popular third-party services, means that your website collects and shares personal data, such as IP addresses<\/strong>, unique IDs<\/strong>, search<\/strong> and browser history<\/strong> and much more.<\/p>\n\n\n\n If a visitor to your website is from inside Singapore, you are required to first obtain their consent before activating any of these cookies and trackers (any but the ones strictly necessary for the function of your domain).<\/p>\n\n\n\n Test to see which cookies and trackers are in use on your website, what kind of personal data they process and where in the world you send it to by using the free Cookiebot GDPR compliance test<\/a>.<\/p>\n\n\n\n Simply enter the URL of your website and receive a free scan of up to five subpages, detecting all cookies in operation on these pages.<\/p>\n\n\n\n Most website owners and operators are surprised to find out that their domain hosts many more cookies, trackers and trojan horses than they thought, because \u2013<\/p>\n\n\n\n 72% of all trackers<\/strong> on websites are secretly loaded by third-party cookies.<\/p>\n\n\n\n 18% of cookies<\/strong> on websites are so-called trojan horses that hide as deep as within eight other trackers, making them undetectable without a powerful scanning technology.<\/p>\n\n\n\n 50% of trojan trackers<\/strong> will change between repeated user visits, meaning they can have changed provider, purpose and be collecting totally different kinds of personal data than what the user initially consented to.<\/p>\n\n\n\n Source: Beyond the Front Page<\/em><\/a>, a 2020 research paper on website cookies.<\/p>\n\n\n\n Using HubSpot? Get started with the Cookiebot CMP app for PDPA compliance<\/a><\/p>\n\n\n\n Get started with Google Consent Mode and Cookiebot CMP<\/a><\/p>\n\n\n\n On November 2, the Singapore Parliament passed an amendment bill<\/a> to the Personal Data Protection Act (PDPA). While the amendments await royal assent to become fully effective, the changes to the PDPA come with no grace period<\/strong> and websites will need to comply straight away once the amended PDPA takes effect.<\/p>\n\n\n\n The new PDPA amendments include \u2013<\/p>\n\n\n\n Read the Personal Data Protection (Amendment) Bill 2020<\/a><\/p>\n\n\n\n On November 20, following the passing of the PDPA amendments in Parliament, the Personal Data Protection Commission (PDPC) issued a set of draft advisory guidelines<\/a> on key provisions of amendments that altogether clarify the changes and specify how to be in PDPA compliance going forward.<\/p>\n\n\n\n Read the PDPC\u2019s Draft Advisory Guidelines here (PDF)<\/a><\/p>\n\n\n\n Cookiebot CMP<\/a> is the world\u2019s leading consent management platform that ensures full compliance for your website with all major data privacy laws, such as EU\u2019s GDPR<\/a>, California\u2019s CCPA<\/a>, Brazil\u2019s LGPD<\/a>, South Africa\u2019s POPIA<\/a> and Singapore\u2019s PDPA.<\/p>\n\n\n\n Built around a powerful scanner that detects all cookies and trackers in operation on your domain, our solution automatically manages all user consents on your website through highly customizable interfaces that meet all PDPA requirements on information, notification and consent.<\/p>\n\n\n\n Using our CMP on your website gives you \u2013<\/p>\n\n\n\n If your website has users from Singapore, Cookiebot CMP will automatically geotarget their location and present the correct consent framework in compliance with the PDPA.<\/p>\n\n\n\n With just a few lines of JavaScript on your website and installed directly from the cloud, Cookiebot CMP<\/a> gives you plug-and-play compliance with all major data privacy laws, including Singapore\u2019s PDPA.<\/p>\n\n\n\n Use Cookiebot CMP to be in compliance with the PDPA in Singapore<\/a><\/p>\n\n\n\n Let\u2019s take a closer look at the different aspects of Singapore\u2019s Personal Data Protection Act (PDPA)<\/strong> \u2013 how personal data is defined, how consent is defined (with 2020 amendments) and how the PDPA regulations clarify compliance.<\/p>\n\n\n\n Singapore was one of the first countries to implement a data privacy law that not only protects the collection and processing of personal data inside of its territory, but also puts enforceable responsibility on \u201corganizations\u201d (defined in the PDPA to include individuals, websites, companies, associations and more, located anywhere in the world).<\/p>\n\n\n\n The PDPA, drafted in 2012 and in full effect since July 2014, also serves as a so-called \u201cspam law\u201d, establishing the Do Not Call (DNC) Registry<\/strong> that Singaporeans can use to opt-out of unsolicited marketing.<\/p>\n\n\n\n Learn more about the scope and objectives of the PDPA<\/a><\/p>\n\n\n\n Even though the PDPA shares key provisions with the EU\u2019s ePrivacy Directive <\/a>and the later GDPR<\/a>, Singapore is not recognized by the EU as having an adequate level of data protection <\/a>and ranks as a third country in regard to the flow of data between the two territories.<\/p>\n\n\n\n Want to know more about Singapore\u2019s PDPA vs EU\u2019s GDPR?<\/p>\n\n\n\n Take a look at Singapore\u2019s Personal Data Protection Commission (PDPC) handy infographic comparison of the PDPA and EU\u2019s GDPR<\/a> that details the differences between the two data privacy laws\u2019 consent requirements and exceptions.<\/p>\n\n\n\n Personal data<\/strong> is defined in Singapore\u2019s Personal Data Protection Act very broadly as \u201cdata, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access,\u201d<\/em> including but not limited to \u2013<\/p>\n\n\n\n Exempt from the PDPA<\/strong> is personal data entered into a business contract (defined instead as business contract information), personal data that is more than 100 years old and personal data about an individual, if the person has been dead for more than 10 years.<\/p>\n\n\n\n Unlike EU\u2019s GDPR, Singapore\u2019s PDPA does not create a special category of sensitive personal data.<\/p>\n\n\n\n However, the Personal Data Protection Commission (PDPC) decided in October 2017<\/a> that certain kinds of personal data are of a sensitive nature<\/strong> and require a higher level of protection<\/strong> than other kinds of personal data.<\/p>\n\n\n\n Examples of personal data of a sensitive nature includes \u2013<\/p>\n\n\n\n If your website, company or organization processes personal data of a more sensitive nature from users inside Singapore, the PDPC requires you to implement security safeguards appropriate to the sensitivity of the information<\/strong>.<\/p>\n\n\n\n Read the PDPC\u2019s October 2017 decision on sensitive personal data (PDF)<\/a><\/p>\n\n\n\n In November 2020, Singapore amended the PDPA to include, among other things, a more detailed set of specifications on how deemed consent<\/strong> works.<\/p>\n\n\n\n Deemed consent<\/strong> is the valid type of consent that means that the inaction of users constitutes a form of implied consent<\/strong>. However, users must still be able to revoke their consent at any given time, even though the consent is deemed.<\/p>\n\n\n\n In the PDPA before the 2020 amendment<\/strong> (section 15), deemed consent works like this \u2013<\/p>\n\n\n\n The new and amended PDPA<\/strong> (section 15A) expands the consent obligations to include deemed consent by notification<\/strong>, meaning that \u2013<\/p>\n\n\n\n The PDPA\u2019s deemed consent by notification<\/strong> is close to the previous EU personal data protection regime under the ePrivacy Directive<\/a>, which also allowed for the implied consent of EU users. This, however, has been effectively ruled out by the European Data Protection Board (EDPB)<\/a> based on the newer GDPR\u2019s requirement for valid consent<\/a> to consist of an affirmative, explicit action on part of the user.<\/p>\n\n\n\n![\"Aerial](\"\/media\/4016\/kirill-petropavlov-vmgwpt9gpv0-unsplash.jpg?width=362&\")
\n
![\"PDPA](\"\/media\/4018\/mike-enerio-4hvcsdog0qi-unsplash.jpg?width=351&\")
Singapore\u2019s PDPA and Consent Obligation<\/h3>\n\n\n\n
\n
![\"Gardens](\"\/media\/4019\/sven-scheuermeier-axsjbbyg4ic-unsplash.jpg?width=369&\")
Scan your website for free with Cookiebot CMP<\/h3>\n\n\n\n
Singapore\u2019s PDPA amended in 2020<\/h3>\n\n\n\n
\n
![\"Person](\"\/media\/4020\/bna-ignacio-c8gvt2lmx94-unsplash.jpg?width=363&\")
PDPA compliance with Cookiebot CMP<\/h2>\n\n\n\n
Cookiebot CMP automatically controls all user consent on your website<\/h3>\n\n\n\n
![\"Cookie](\"\/media\/4188\/new-banner-example-en.png\")
\n
Singapore\u2019s PDPA, in detail<\/h2>\n\n\n\n
Singapore\u2019s PDPA and data privacy regime<\/h3>\n\n\n\n
Personal data under Singapore\u2019s PDPA<\/h3>\n\n\n\n
\n
![\"Man](\"\/media\/4021\/sonnie-hiles-x2kkuahh64u-unsplash.jpg?width=366&\")
\n
Singapore\u2019s PDPA consent obligations and its 2020 amendments<\/h3>\n\n\n\n
\n
\n
![\"Singapore](\"\/media\/4022\/lily-banse-mjxf6po0tws-unsplash.jpg?width=366&\")