If your website collects any personal data, Singapore's PDPA applies. At a minimum, a PDPA-compliant website must publish a clear privacy policy, obtain valid consent before collecting personal data (no pre-ticked boxes), display your Data Protection Officer's contact, secure data with HTTPS and reasonable safeguards, collect only what is necessary, and give visitors a way to access, correct, or withdraw their data. This guide turns that into a practical checklist.
Almost certainly, yes. The PDPA governs how organisations handle the personal data of individuals in Singapore. Your website collects personal data the moment someone submits a contact form, joins a newsletter, creates an account, makes a booking or purchase, or is tracked by analytics and cookies that can identify them. If any of these apply, the PDPA's obligations apply to your site.
You must tell people what personal data you collect, why, and how you handle it. A privacy policy linked in your footer (and beside forms) is the standard way to meet the PDPA's Notification Obligation. Write it in plain language, not legalese.
Under the Consent Obligation, consent must be clear, specific, and freely given. In practice that means opt-in checkboxes that are not pre-ticked, separate consent for separate purposes (for example, service updates vs marketing), and no consent bundled into your terms by default.
Every organisation must appoint a Data Protection Officer and make their business contact publicly available. Show a role-based email such as dpo@yourcompany.com in your privacy policy or contact page.
If cookies or tracking tools collect data that can identify a person, notify users and obtain consent. Anonymous analytics may rely on deemed consent, but you should still disclose your cookie use.
The Protection Obligation requires reasonable security. For a website that means HTTPS encryption, secure form handling, a protected database, and access controls so only the right people can see submitted data.
The Purpose Limitation Obligation means you should only collect personal data that is necessary for a clear purpose. Trim long forms — every extra field is extra data you must protect and justify.
Visitors have the right to ask what data you hold, correct it, and withdraw consent. Provide an easy channel (an email or a form) and a working unsubscribe link in marketing messages.
Under the Retention Limitation Obligation, stop keeping personal data once the purpose is fulfilled and there is no legal need to retain it. Set a retention period and actually delete old data.
| Website feature | What the PDPA expects |
|---|---|
| Contact / enquiry form | Consent, purpose notice, secure handling, minimal fields |
| Newsletter sign-up | Clear opt-in, separate marketing consent, easy unsubscribe |
| User accounts / login | HTTPS, password protection, access controls, retention limits |
| Analytics & cookies | Disclosure, and consent where personal data is collected |
| Footer & contact page | Privacy policy link and published DPO contact |
For a simple brochure site, you can cover the basics yourself: add a proper privacy policy, fix your form consent, publish your DPO contact, and switch to HTTPS. For sites with accounts, payments, or significant data collection, it is worth having the work reviewed so nothing is missed.
At DataCare, our website design service builds sites PDPA-compliant from the start, and our PDPA compliance service can audit and fix an existing site.
We audit your forms, privacy policy, consent, and security against the PDPA, then fix the gaps, so your site collects data the right way.
Get a PDPA Website CheckYes, in practice. If your website collects any personal data, such as through contact forms, newsletter sign-ups, accounts, or analytics, the PDPA requires you to notify individuals of the purposes for collection, use, and disclosure. A clear, accessible privacy policy is the standard way to meet this notification obligation.
It depends on what the cookies do. If cookies or tracking tools collect personal data that can identify an individual, you should notify users and obtain consent. Purely functional cookies, or anonymous analytics that do not identify a person, can generally rely on deemed consent, but you should still disclose your cookie use in your privacy policy.
The PDPA does not name HTTPS specifically, but it requires organisations to make reasonable security arrangements to protect personal data. For a website that collects data through forms or logins, HTTPS encryption is considered a baseline expectation, alongside secure forms and a protected database.
Yes. The PDPA requires every organisation to appoint a Data Protection Officer and make their business contact information publicly available. A website is the most common place to do this, usually in the privacy policy or on a contact page, often as a role-based email such as dpo@yourcompany.com.
A non-compliant website can lead to complaints and enforcement action by the Personal Data Protection Commission (PDPC), including directions to comply and financial penalties of up to 10% of annual turnover in Singapore or S$1 million, whichever is higher. It also increases the risk of a data breach and the loss of customer trust.
Disclaimer: This article is for general information only and does not constitute legal advice. For the current requirements and your specific obligations, refer to the Personal Data Protection Commission (PDPC) and seek qualified advice.