Singapore's Personal Data Protection Act 2012 (PDPA) governs how private-sector organisations handle the personal data of individuals in Singapore. Passed in October 2012, fully enacted by July 2014, and significantly amended in November 2020, the PDPA forms one of Asia-Pacific's most mature data protection frameworks.

Unlike the EU's GDPR, the PDPA does not contain a dedicated "cookie law." Cookies fall under the PDPA's scope only when they collect, store, or transmit data that can identify an individual. That distinction matters: a session cookie that holds a shopping cart state may not trigger PDPA obligations, but a _ga analytics cookie tied to a unique client ID almost certainly does.

Who Must Comply with the PDPA?

The PDPA applies to every private-sector organisation that collects, uses, or discloses personal data in Singapore, regardless of where the organisation is incorporated. If a website based in Germany sets tracking cookies on a visitor browsing from Singapore, the PDPA applies. Government agencies are excluded - they operate under separate rules.

"Personal data" under the PDPA means any data about an individual who can be identified from that data alone, or from that data combined with other information the organisation has access to. This captures IP addresses, device fingerprints, unique cookie identifiers, and browsing histories when linked to an identifiable person. Business contact information used solely for business purposes is exempt.

The Ten Data Protection Obligations

The PDPA imposes ten core obligations on organisations. Each one has a direct bearing on how websites handle visitor data.

Obligation | PDPA Section | What It Means for Your Website
--- | --- | ---
Consent | Section 13 | Obtain consent before collecting personal data through cookies or tracking scripts
Purpose Limitation | Section 18 | Use collected data only for the purposes communicated to the visitor
Notification | Section 20 | Inform visitors what data you collect and why, before or at the point of collection
Access and Correction | Sections 21-22 | Allow individuals to request access to and correction of their stored data
Accuracy | Section 23 | Take reasonable steps to keep collected personal data accurate and complete
Protection | Section 24 | Implement security safeguards against unauthorised access, disclosure, or modification
Retention Limitation | Section 25 | Stop retaining data once it no longer serves its original purpose
Transfer Limitation | Section 26 | Ensure comparable protection when transferring data outside Singapore
Accountability | Sections 11-12 | Designate a Data Protection Officer and publish your data protection policies
Data Breach Notification | Sections 26A-26D | Notify the PDPC and affected individuals of notifiable breaches within three days

The tenth obligation - data breach notification - was added by the 2020 amendments and took effect on 1 February 2021.

How Consent Works Under the PDPA

Section 13 of the PDPA prohibits collecting, using, or disclosing personal data unless the individual gives or is deemed to have given consent. Before collecting data, you must notify the individual of the purpose (Section 14(1) read with Section 20). Consent cannot be bundled as a condition for providing a product or service beyond what is reasonable.

The PDPA recognises three forms of consent. Express consent is a clear, affirmative action - clicking "Accept" on a cookie consent banner, for example. Deemed consent by conduct applies when someone voluntarily provides personal data for a stated purpose and it is reasonable to expect they would do so. Deemed consent by notification (Section 15A, introduced in 2021) allows organisations to proceed if they have notified the individual, conducted an impact assessment showing no likely adverse effect, and provided a reasonable opt-out period.

Individuals can withdraw consent at any time under Section 16. Your website must provide a clear mechanism for this - a preference centre, a settings page, or an equivalent tool that lets visitors revoke their earlier choices.

The 2020 Amendments: Legitimate Interests and Business Improvement

The Personal Data Protection (Amendment) Act 2020, passed on 2 November 2020 and phased in from 1 February 2021, was the first major overhaul since the PDPA's enactment. It shifted the law away from a purely consent-centric model.

Two new exceptions to consent stand out. The legitimate interests exception (Part 3 of the First Schedule) allows organisations to collect, use, or disclose personal data without consent where a legitimate interest outweighs any adverse effect on the individual. Organisations relying on this must conduct a formal assessment, implement measures to mitigate risks, and disclose their reliance on the exception. The Personal Data Protection Commission (PDPC) applied this exception for the first time in a published enforcement decision in 2023, offering guidance on how the balancing test works in practice.

The business improvement exception permits using previously collected personal data for purposes such as improving products or understanding customer behaviour, without fresh consent.

The amendments also expanded deemed consent by contractual necessity (Section 15(3)), allowing data disclosure between organisations when reasonably necessary to perform a contract - relevant for websites sharing data with payment processors or logistics partners.

Cookies and Tracking Under the PDPA

The PDPA does not mention cookies by name. Its obligations apply whenever a cookie or tracking technology collects data that qualifies as personal data. A session cookie like PHPSESSID that maintains server state without storing identifiable information sits outside the PDPA's reach. An analytics cookie like _ga or a marketing pixel like _fbp that assigns a unique identifier and tracks browsing behaviour falls squarely within it.

The PDPC expects websites to provide clear notice about cookie usage and obtain consent before setting non-essential cookies that collect personal data. Unlike the ePrivacy Directive, the PDPA does not impose a blanket requirement to obtain consent for all non-essential cookies. The trigger is personal data collection, not the act of storing a cookie on the device.

The safest approach is to treat analytics and marketing cookies as requiring consent. Most third-party tracking scripts collect identifiers that meet the PDPA's personal data threshold. A cookie scanner will reveal exactly which cookies are active on your site.

PDPA vs GDPR: Key Differences for Website Owners

Websites already compliant with the GDPR framework will find the PDPA familiar, but several differences matter.

Area | GDPR (EU) | PDPA (Singapore)
--- | --- | ---
Cookie-specific rules | ePrivacy Directive requires consent for all non-essential cookies | No cookie-specific law; PDPA applies only when cookies collect personal data
Consent model | Opt-in required; pre-ticked boxes invalid | Express, deemed by conduct, or deemed by notification all accepted
Legitimate interests | Available since 1995; well-established case law | Introduced in 2021; limited enforcement guidance so far
Right to erasure | Explicit right under Article 17 | No direct equivalent; access and correction rights under Sections 21-22
Breach notification | 72 hours to supervisory authority | 3 calendar days to PDPC and affected individuals
Maximum penalty | EUR 20 million or 4% of global turnover | SGD 1 million or 10% of annual turnover in Singapore
Data Protection Officer | Required in specific cases (Article 37) | Mandatory for all organisations under Section 11(3)

The consent models differ most sharply. GDPR requires affirmative opt-in for cookies. The PDPA's deemed consent provisions mean that notifying visitors and providing an opt-out window can sometimes suffice, provided a documented impact assessment supports it.

Enforcement and Penalties

The PDPC enforces the PDPA through complaints-based investigations and proactive enforcement. Financial penalties were raised by the 2020 amendments. Since 1 October 2022, organisations with annual turnover exceeding SGD 10 million face fines of up to 10% of that turnover. For smaller organisations, the cap is SGD 1 million.

Enforcement activity has been steady. In May 2024, the PDPC issued three decisions totalling SGD 102,000 in fines and accepted undertakings from six additional organisations. In April 2025, Singapore Data Hub Pte Ltd received a SGD 17,500 penalty after a breach exposed personal data of 689,000 individuals. In October 2025, Marina Bay Sands was fined SGD 315,000 for a breach affecting over 665,000 patrons - a case where the PDPC explicitly referenced the organisation's high turnover when calibrating the penalty.

Beyond fines, the PDPC can direct organisations to stop collecting data, delete unlawfully collected data, or implement specific remediation measures. Individuals who suffer loss or damage from a PDPA breach also have private rights of action under civil law.

How to Make Your Website PDPA Compliant

Start by auditing what data your website collects. Run a scan to identify every cookie and tracker, categorise them by purpose - strictly necessary, functional, analytics, marketing - and document which ones process personal data.

Implement a consent mechanism that notifies visitors about data collection before or at the point of collection. The banner should let visitors accept or reject cookie categories and withdraw consent at any time through a preference button. If your site receives visitors from multiple jurisdictions, geo-detection allows you to apply PDPA-appropriate flows to Singapore visitors while serving GDPR-compliant banners to EU visitors.

Publish a privacy policy explaining what personal data you collect, for what purposes, how long you retain it, and to whom you disclose it. Designate a Data Protection Officer and make their contact details publicly available.

Keep consent logs as proof that consent was obtained. If you transfer data outside Singapore - common when using cloud-hosted analytics - ensure the receiving party offers comparable protection to the PDPA, or obtain the individual's informed consent for the transfer.
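The steps above (categorise each cookie, block cookies that carry personal data until the visitor consents, honour withdrawal, and keep a consent log) can be expressed as a small consent gate. The following JavaScript is an added example written for this page; it is not code from the original article or from any consent-management product it mentions. The cookie names PHPSESSID, _ga and _fbp and their personal-data status follow the article's own examples; the 'lang' cookie, the category rules, the ConsentManager class and the log record format are this example's assumptions.

```javascript
// Added example, not code from the original page or from any vendor it names.
// A minimal consent gate for a site with Singapore visitors: cookies are
// categorised, cookies that carry personal data stay blocked until express
// consent, withdrawal is honoured, and every decision is logged as evidence.
// The cookie-name rules and the record format are this example's assumptions.

// Constructed classification rules. PHPSESSID, _ga and _fbp and their
// personal-data status follow the article; 'lang' is an assumed example.
const COOKIE_RULES = [
  { match: /^PHPSESSID$/, category: 'strictly_necessary', personalData: false },
  { match: /^lang$/,      category: 'functional',         personalData: false },
  { match: /^_ga(_|$)/,   category: 'analytics',          personalData: true  },
  { match: /^_fbp$/,      category: 'marketing',          personalData: true  },
];

// Classify a cookie by name. Unknown cookies default to 'marketing' with
// personalData = true, so anything unrecognised stays blocked until consented.
function classifyCookie(name) {
  const rule = COOKIE_RULES.find((r) => r.match.test(name));
  return rule
    ? { name, category: rule.category, personalData: rule.personalData }
    : { name, category: 'marketing', personalData: true };
}

// Split a Cookie header or document.cookie string into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

class ConsentManager {
  // policyVersion ties each record to the notice the visitor actually saw;
  // `now` is injectable so the log is deterministic in tests.
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion;
    this.now = now;
    this.granted = new Set(); // categories with express consent
    this.log = [];            // append-only consent records (proof of consent)
  }

  record(action, categories, visitorId) {
    this.log.push({
      at: this.now(), visitorId, action,
      categories: [...categories], policyVersion: this.policyVersion,
    });
  }

  // Express consent: the visitor chose these categories on the banner.
  grant(categories, visitorId) {
    categories.forEach((c) => this.granted.add(c));
    this.record('grant', categories, visitorId);
  }

  // Withdrawal from the preference centre, allowed at any time.
  withdraw(categories, visitorId) {
    categories.forEach((c) => this.granted.delete(c));
    this.record('withdraw', categories, visitorId);
  }

  // A cookie or tag may run if it is strictly necessary, collects no personal
  // data, or belongs to a category the visitor has expressly consented to.
  mayRun(cookie) {
    return cookie.category === 'strictly_necessary'
      || !cookie.personalData
      || this.granted.has(cookie.category);
  }

  // Cookies already present in the browser that must be deleted because
  // they carry personal data without consent (or after it was withdrawn).
  cookiesToRemove(cookieString) {
    return cookieNames(cookieString)
      .map(classifyCookie)
      .filter((c) => !this.mayRun(c))
      .map((c) => c.name);
  }
}
```

Wiring this into a real site means calling `mayRun` before injecting each analytics or marketing tag, calling `cookiesToRemove` on `document.cookie` after a withdrawal so the offending cookies are expired, and persisting `log` server-side so the record survives the visitor clearing their browser. The deliberate default of treating unrecognised cookies as personal data reflects the article's advice to assume third-party tracking scripts meet the PDPA threshold until a scan proves otherwise.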

Frequently Asked Questions

Does the Singapore PDPA require a cookie consent banner?

The PDPA does not mention cookies specifically. A consent banner is required when your website uses cookies or trackers that collect personal data from individuals in Singapore. Strictly necessary cookies that do not process personal data are exempt.

What counts as personal data under the PDPA?

Any data about an individual who can be identified from that data alone or in combination with other information the organisation holds. This includes names, email addresses, IP addresses, unique cookie identifiers, and browsing histories linked to an identifiable person.

How does deemed consent by notification work for cookies?

Under Section 15A, an organisation can proceed without express consent if it notifies the individual of its data collection purposes, conducts an assessment confirming no likely adverse effect, and provides a reasonable opt-out period. If the individual does not opt out, consent is deemed given. This requires documented assessments and clear notification mechanisms.

What are the maximum fines for PDPA non-compliance?

Since 1 October 2022, organisations with annual turnover in Singapore exceeding SGD 10 million face penalties of up to 10% of that turnover. For all other organisations, the maximum fine is SGD 1 million. The PDPC may also issue directions to stop data collection or delete unlawfully held data.

Does the PDPA apply to websites outside Singapore?

Yes. The PDPA has extraterritorial reach. Any organisation - regardless of where it is located - that collects, uses, or discloses personal data of individuals in Singapore must comply with the PDPA.

How does the PDPA compare to the GDPR for cookie compliance?

The GDPR, combined with the ePrivacy Directive, requires opt-in consent for all non-essential cookies. The PDPA only applies to cookies that process personal data and accepts deemed consent in certain circumstances. GDPR-compliant websites generally exceed PDPA requirements, but the consent models and legal bases differ.

Do I need a Data Protection Officer under the PDPA?

Yes. Section 11(3) of the PDPA requires every organisation to designate at least one individual as its Data Protection Officer. This obligation applies regardless of the organisation's size, unlike the GDPR which only mandates a DPO in specific circumstances.

Get Your Website Ready for the PDPA

If your site attracts visitors from Singapore and sets cookies that collect personal data, PDPA compliance is not optional. Kukie.io scans your website for cookies, categorises them automatically, and serves geo-targeted consent banners that match Singapore's requirements.
