
PDPA Compliance for Websites: What Singapore Businesses Must Do

A practical guide to PDPA website compliance in Singapore — covering consent forms, cookie banners, privacy policies, email marketing, and data breach obligations. Penalties up to S$1M.

Terris, Founder & Lead Strategist

The Personal Data Protection Commission (PDPC) can fine your organisation up to S$1 million — or 10% of your annual turnover in Singapore, whichever is higher — for breaching the Personal Data Protection Act. Enforcement is accelerating: in January 2026, the PDPC issued financial penalties against multiple organisations for failing to protect personal data.

Yet most Singapore business websites we audit still fall short of the basic PDPA requirements for a website: missing privacy policies, contact forms without proper consent, analytics trackers firing before visitors have agreed to anything. These are not edge cases — they are the norm.

This is not legal advice, but it is a practical walkthrough of what the PDPA means for your website — your forms, your cookies, your email marketing, and your obligations if something goes wrong. If you run a website that collects any personal data from visitors in Singapore, this applies to you.

01. What the PDPA means for your website

The Personal Data Protection Act (PDPA) governs how private-sector organisations in Singapore collect, use, disclose, and store personal data. “Personal data” is broadly defined — it covers names, email addresses, phone numbers, IP addresses, and even cookie identifiers when they can be linked back to an identifiable individual. If your website touches any of this information, the PDPA applies to you.

The obligations most relevant to websites are:

  • Consent Obligation — Obtain clear consent before collecting or using personal data. No pre-ticked boxes.
  • Purpose Limitation — Use data only for stated purposes. An email collected for a quote cannot be added to a marketing list without separate consent.
  • Notification Obligation — Tell individuals why you are collecting their data at or before the point of collection.
  • Openness Obligation — Publish your data protection policies publicly — in practice, a proper privacy policy.
  • Protection Obligation — Implement reasonable security to prevent unauthorised access or disclosure.
  • Retention Limitation — Delete or anonymise data when no longer needed for business or legal purposes.

Since 2025, organisations must also designate a Data Protection Officer (DPO) and publish their contact details on the website. If yours does not, that alone is a compliance gap.

02. Contact forms and data collection: getting consent right

Every form on your website — contact, enquiry, quote request, newsletter sign-up — is a data collection point that needs proper consent.

  • State the purpose clearly. Include a line near the submit button: “By submitting this form, you consent to our collection and use of your personal data to respond to your enquiry.”
  • Separate consent for marketing. If you plan to add someone to a mailing list, use a separate, unticked checkbox. Pre-ticked boxes are not valid consent under the PDPA.
  • Link to your privacy policy so users can review it before submitting.
  • Collect only what you need. Do not ask for NRIC numbers, dates of birth, or home addresses unless genuinely necessary.

Important for 2026: the PDPC has announced that organisations must stop using NRIC numbers for authentication by 31 December 2026. If your website collects NRIC numbers in forms or membership portals, move to alternative methods before that deadline.

When we build websites for Singapore businesses, consent mechanisms are part of the standard implementation — baked into the form architecture from day one.

03. Cookie consent and analytics: do you need a banner?

The PDPA does not explicitly mention “cookies,” which confuses many website owners. But the practical answer is yes, you almost certainly need a cookie consent banner.

Analytics, advertising, and tracking cookies collect data that can identify individuals. Google Analytics, Facebook Pixel, remarketing tags, and session identifiers all fall under the PDPA when linked to a specific visitor.

  • Essential cookies (session management, security) can operate under “deemed consent” — users reasonably expect them.
  • Analytics cookies (Google Analytics, Hotjar) require explicit consent before they fire.
  • Marketing cookies (Facebook Pixel, retargeting pixels) absolutely require opt-in consent.

A compliant cookie banner must appear before non-essential cookies are set, explain what categories you use, provide granular accept/reject controls, and offer an easy way to withdraw consent later. The “Reject All” button should be as prominent as “Accept All” — no dark patterns.

Consent management platforms like CookieYes, Cookiebot, and CookieHub handle the technical blocking of scripts until consent is given. They generate audit-ready records of consent and integrate with most websites in a few hours. If your site runs on a modern framework like Astro or Next.js, implementation is particularly straightforward.
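One way to implement the script blocking described above, as an added example in plain JavaScript (not code from this article or from any of the consent platforms it names): each third-party tag is registered with a PDPA category, essential tags load under deemed consent, and analytics and marketing tags wait for an explicit, current consent record that can later be withdrawn. The registry entries, category names and script URLs are assumed placeholders.

```javascript
// Added example: a minimal consent gate for third-party tags.
// Registry entries and URLs are assumed placeholders, not real tags.
const TAG_REGISTRY = [
  { id: "csrf-helper", category: "essential", src: "/js/csrf.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Bump when the banner wording or categories change so old consent is re-asked.
const CONSENT_VERSION = 2;

function makeConsentRecord(choices, now = new Date()) {
  // Only an explicit boolean true is treated as consent; anything else is a refusal,
  // so a pre-ticked box or a truthy string cannot accidentally enable tracking.
  return {
    version: CONSENT_VERSION,
    decidedAt: now.toISOString(),
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  };
}

function tagsPermitted(record, registry = TAG_REGISTRY) {
  // No record (banner not yet answered) or a stale version means "reject all"
  // for non-essential categories; essential tags run under deemed consent.
  const valid = record != null && record.version === CONSENT_VERSION;
  return registry.filter(
    (t) => t.category === "essential" || (valid && record[t.category] === true)
  );
}

function loadPermittedTags(record, inject, loaded = new Set()) {
  // `inject(src)` adds the script to the page. In a browser it would be:
  //   (src) => document.head.appendChild(Object.assign(document.createElement("script"), { src, async: true }))
  for (const tag of tagsPermitted(record)) {
    if (!loaded.has(tag.id)) {
      inject(tag.src);
      loaded.add(tag.id);
    }
  }
  return loaded;
}

function withdrawConsent(record, category, now = new Date()) {
  // Withdrawal yields a new record for the audit trail. A script already on the
  // page cannot be unloaded, so the caller should also delete that category's
  // cookies and reload before calling loadPermittedTags again.
  return { ...record, [category]: false, decidedAt: now.toISOString() };
}
```

Persist the record (for example in a first-party cookie or localStorage) and call loadPermittedTags once on page load and again after any banner interaction; a CMP product does the same job with a hosted banner and consent log.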

04. Your privacy policy: what it must contain

The Openness Obligation requires a dedicated, easy-to-find privacy policy for your Singapore website — linked in your footer and referenced in forms. It should cover:

  • What personal data you collect — list specific categories, not vague generalities
  • How and why you collect it — forms, cookies, third-party integrations, and each purpose
  • Who you share it with — payment gateways, email providers, analytics tools, hosting providers; note any overseas transfers
  • Retention periods — how long you keep data and the criteria for deletion
  • Security measures — encryption, access controls, secure hosting
  • Individual rights — how users can access, correct, or withdraw consent
  • DPO contact details — name or designation, email, and Singapore phone number

Avoid generic template language. The PDPC has enforced against organisations with privacy policies that were too broad or unclear. For sensitive sectors like healthcare, additional safeguards and more granular consent are expected.

05. Email marketing under the PDPA

The PDPA’s consent requirements apply to email marketing just as they do to other data collection:

  • Opt-in, not opt-out. Pre-ticked checkboxes do not count. The box must be unticked by default.
  • Unsubscribe within 10 business days. Every marketing email needs a working unsubscribe mechanism. Best practice: make it instant.
  • Identify yourself. Messages must clearly state who you are and how to contact you.
  • Do Not Call Registry. While the DNC Registry covers phone and SMS rather than email, check it if your marketing spans multiple channels.

A common mistake: collecting email addresses through a contact form and automatically adding them to a newsletter. Under the PDPA, consent for a quote response does not extend to marketing communications. Add a separate, unticked checkbox for marketing opt-in.
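The separation of enquiry consent from marketing consent described in sections 02 and 05, as an added example in JavaScript (not code from this article or from Terris): a server-side handler that accepts a submitted contact-form body, rejects fields it was not designed to collect, records each consent with its purpose, and checks that record before any marketing send. Field names (email, consent, marketingOptIn), the record shape and the sample NRIC-style value are assumptions and constructed data.

```javascript
// Added example: server-side handling of a contact form under the PDPA rules
// the article lists. Field names and the record shape are assumptions.
const ALLOWED_FIELDS = new Set(["name", "email", "message", "consent", "marketingOptIn"]);

function processSubmission(body, now = new Date()) {
  // Collect only what you need: any field outside the declared set (for example
  // an NRIC field a template added) is rejected rather than quietly stored.
  const unexpected = Object.keys(body).filter((k) => !ALLOWED_FIELDS.has(k));
  if (unexpected.length > 0) {
    return { ok: false, error: `unexpected fields: ${unexpected.join(", ")}` };
  }
  if (typeof body.email !== "string" || !body.email.includes("@")) {
    return { ok: false, error: "email is required" };
  }
  // Consent to handle the enquiry must be an affirmative act. A browser sends
  // "on" for a ticked checkbox with no value attribute and omits it when unticked.
  if (body.consent !== "on") {
    return { ok: false, error: "consent to process the enquiry is required" };
  }
  // Marketing is a separate, unticked-by-default checkbox: absent means no.
  const purposes = ["enquiry"];
  if (body.marketingOptIn === "on") purposes.push("marketing");
  // The record ties each purpose to the moment of consent for the audit trail.
  return {
    ok: true,
    record: { email: body.email, purposes, consentedAt: now.toISOString() },
  };
}

function mayEmailForMarketing(record) {
  // Purpose limitation: enquiry-only consent never authorises a newsletter,
  // so the sender checks the recorded purposes instead of the bare address.
  return record.purposes.includes("marketing");
}

function withdrawMarketingConsent(record) {
  // Withdrawal removes the purpose but keeps the record for the audit trail.
  return { ...record, purposes: record.purposes.filter((p) => p !== "marketing") };
}
```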

06. Data breach obligations: the 3-day rule

When a data breach occurs, the PDPA mandates a clear response:

  • Assess promptly. Determine whether it is a “notifiable data breach” — one likely to cause significant harm or affecting 500+ individuals.
  • Notify the PDPC within 3 calendar days of determining the breach is notifiable. The PDPC expects assessments to be completed within roughly 30 days of discovery.
  • Notify affected individuals if significant harm is likely, so they can take protective measures.

Common website breach scenarios include compromised contact form databases, hacked CMS platforms with stored customer records, insecure third-party plugins leaking user information, and misconfigured cloud storage exposing uploaded files.

Prevention matters more than response. At minimum, your website should use HTTPS encryption, keep all software and plugins updated, enforce strong access controls, and run regular security audits. If your site runs on WordPress, patching plugins promptly is an obligation under the PDPA’s Protection Obligation, not a nice-to-have.

07. A practical PDPA compliance checklist for website owners

Work through this checklist to cover the fundamentals every Singapore website that handles personal data needs.

Data collection and consent

  • Every form includes a clear consent statement
  • Marketing consent uses a separate, unticked checkbox
  • Forms collect only data necessary for the stated purpose
  • NRIC numbers are not used for authentication (deadline: 31 Dec 2026)

Cookies and tracking

  • Cookie consent banner appears before non-essential cookies are set
  • Users can accept or reject categories individually
  • Scripts are blocked until consent is given

Privacy policy

  • Published and linked from the footer
  • Covers what, why, who, how long, and how you protect data
  • Includes DPO contact details

Email marketing

  • Only sent to individuals who explicitly opted in
  • Working unsubscribe link in every email
  • DNC Registry checked for phone/SMS campaigns

Security and breach readiness

  • HTTPS with a valid TLS (SSL) certificate
  • CMS, plugins, and dependencies kept current
  • Two-factor authentication on admin access
  • Documented breach response plan with 3-day notification process

PDPA website compliance in Singapore is not a one-off project — it is an ongoing commitment. Regulations evolve, enforcement intensifies, and your website changes as you add new forms, integrations, and features.

The good news: most requirements are straightforward to implement. Proper consent statements, a cookie management tool, a clear privacy policy, and sensible security practices cover the vast majority of what the PDPA demands. The businesses that get into trouble are the ones that ignore it until a complaint lands or a PDPC investigation begins.

Start with the checklist above. Fix the obvious gaps — a missing privacy policy, forms without consent, analytics firing without cookie consent — and build from there. At Terris, we build websites with PDPA compliance from the start — consent mechanisms, cookie management, and security best practices as standard. If your site needs a compliance overhaul, get in touch and we will walk you through it.

Disclaimer: This article provides general guidance and should not be taken as legal advice. For tailored legal counsel, consult a data protection lawyer or the PDPC’s official resources.

Written by Terris, Founder & Lead Strategist

Terris has over 8 years of experience building secure, high-performing websites for Singapore businesses. From healthcare clinics to e-commerce platforms, he combines technical rigour with a deep understanding of local regulatory requirements to deliver websites that protect both businesses and their customers.
