The Personal Data Protection Act (PDPA) is Singapore’s primary data protection law, first enacted in 2012 and enforced by the Personal Data Protection Commission (PDPC). It governs the collection, use, disclosure, and care of personal data by organizations, aiming to protect individuals’ personal data while enabling legitimate business use.
If your website uses cookies that track users' behavior, preferences, or identity (such as analytics or marketing cookies), you must obtain clear and informed consent before activating those cookies. This aligns with the PDPA’s emphasis on notifying individuals and obtaining their permission before collecting personal data.
Your business must inform individuals of the purposes for collecting personal data, obtain their consent, and ensure that data is properly protected. You are also responsible for safeguarding personal data from unauthorized access, use, or disclosure. Any third-party services you use (e.g., for marketing or analytics) that handle personal data must also comply with PDPA standards. Website cookies and tracking technologies are included in this scope.
To be in compliance, businesses operating in or serving users in Singapore must:
Implement consent management: Obtain proper consent for collecting and processing personal data
Audit: Audit all data collection practices, including consent mechanisms, data security, and third-party data sharing, across customer touchpoints
Update privacy policy: Implement privacy policies and keep them up to date
Check partner compliance: Ensure that the third parties you use also comply with the PDPA
Data protection: Secure data against breaches and unauthorized access
All private sector organizations, including businesses, associations, and non-profit entities operating in Singapore or collecting personal data from individuals in Singapore, are required to comply with the PDPA. This includes online businesses, e-commerce platforms, and mobile app developers.
Singapore’s law grants consumers various data privacy rights, including:
Request access to their personal information
Request to know how personal data is being collected and used
Request that inaccurate, incomplete or out-of-date information be corrected
Request the erasure of their personal information under certain circumstances
Request to opt out of processing of their data
Request data in a structured, commonly used format
Cookies that store or track personal data fall under the PDPA. While functional cookies may not require explicit consent, cookies used for analytics, advertising, or profiling generally do. You must clearly disclose the use of such cookies in a cookie policy and give users the ability to accept or reject them before they are set.
Non-compliance with the PDPA can result in significant penalties. The PDPC may impose financial penalties of up to 1 million SGD or 10% of an organization’s annual turnover in Singapore, whichever is higher, depending on the severity of the breach. The commission may also issue directions to stop data collection, delete personal data, or take corrective actions.
To check compliance with Singapore’s PDPA, businesses should:
Audit: Conduct a data audit to identify all cookies and trackers on their websites
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing)
Consent management: Ensure consent banners are implemented correctly, enable users to withdraw consent, and maintain consent logs
Check partners: Review third-party data-sharing practices
Train staff: Ensure that employees are trained to understand and comply with the PDPA
The PDPA governs the collection, use, disclosure, and protection of personal data by organizations in Singapore. It applies to all private sector organizations and sets rules on how personal data must be handled to protect individuals’ privacy rights.
Personal data refers to any information, whether true or not, about an individual who can be identified from that data alone or together with other information held by the organization. This includes details such as name, identification number, contact information, and more.
Sensitive data is a subset of personal data that includes information about an individual’s race, ethnic origin, political opinions, religious beliefs, health, sexual orientation, or biometric data. It requires a higher level of protection due to its sensitive nature.
The Personal Data Protection Commission (PDPC) is the regulatory authority responsible for enforcing and overseeing compliance with the PDPA in Singapore.
The PDPA does not apply to public agencies, political parties, and individuals acting in a personal or domestic capacity. Some specific activities and data types are also exempt, as outlined in the PDPA.
More information is available on the official website of the Personal Data Protection Commission (PDPC). The website offers detailed guidance, resources, and updates on the PDPA.
©2018-2025 CookieHub ehf.