Skip to main content
Talk to a human
AI Assistant

What Are the PDPA Requirements for a Website in Singapore?

If your website collects any personal data, Singapore's PDPA applies. At a minimum, a PDPA-compliant website must publish a clear privacy policy, obtain valid consent before collecting personal data (no pre-ticked boxes), display your Data Protection Officer's contact, secure data with HTTPS and reasonable safeguards, collect only what is necessary, and give visitors a way to access, correct, or withdraw their data. This guide turns that into a practical checklist.

PDPA website checklist at a glance

  • Privacy policy explaining what you collect and why
  • Valid consent on every form (clear, unbundled, opt-in)
  • DPO contact published and reachable
  • Cookie notice for tracking that collects personal data
  • HTTPS and secure forms to protect data in transit
  • Data minimisation — only ask for what you need
  • Access & correction channel for visitors
  • Retention limits — don't keep data forever

Does the PDPA apply to my website?

Almost certainly, yes. The PDPA governs how organisations handle the personal data of individuals in Singapore. Your website collects personal data the moment someone submits a contact form, joins a newsletter, creates an account, makes a booking or purchase, or is tracked by analytics and cookies that can identify them. If any of these apply, the PDPA's obligations apply to your site.

The core PDPA requirements for a website

1. A clear privacy policy

You must tell people what personal data you collect, why, and how you handle it. A privacy policy linked in your footer (and beside forms) is the standard way to meet the PDPA's Notification Obligation. Write it in plain language, not legalese.

2. Valid consent on forms

Under the Consent Obligation, consent must be clear, specific, and freely given. In practice that means opt-in checkboxes that are not pre-ticked, separate consent for separate purposes (for example, service updates vs marketing), and no consent bundled into your terms by default.

3. Your DPO's contact details

Every organisation must appoint a Data Protection Officer and make their business contact publicly available. Show a role-based email such as dpo@yourcompany.com in your privacy policy or contact page.

4. Cookie and tracking disclosure

If cookies or tracking tools collect data that can identify a person, notify users and obtain consent. Anonymous analytics may rely on deemed consent, but you should still disclose your cookie use.

5. Secure data handling

The Protection Obligation requires reasonable security. For a website that means HTTPS encryption, secure form handling, a protected database, and access controls so only the right people can see submitted data.

6. Collect only what you need

The Purpose Limitation Obligation means you should only collect personal data that is necessary for a clear purpose. Trim long forms — every extra field is extra data you must protect and justify.

7. Access, correction, and withdrawal

Visitors have the right to ask what data you hold, correct it, and withdraw consent. Provide an easy channel (an email or a form) and a working unsubscribe link in marketing messages.

8. Sensible data retention

Under the Retention Limitation Obligation, stop keeping personal data once the purpose is fulfilled and there is no legal need to retain it. Set a retention period and actually delete old data.

Quick reference: website feature to PDPA obligation

Website feature What the PDPA expects
Contact / enquiry form Consent, purpose notice, secure handling, minimal fields
Newsletter sign-up Clear opt-in, separate marketing consent, easy unsubscribe
User accounts / login HTTPS, password protection, access controls, retention limits
Analytics & cookies Disclosure, and consent where personal data is collected
Footer & contact page Privacy policy link and published DPO contact

Common PDPA website mistakes

How to make your website PDPA-compliant

For a simple brochure site, you can cover the basics yourself: add a proper privacy policy, fix your form consent, publish your DPO contact, and switch to HTTPS. For sites with accounts, payments, or significant data collection, it is worth having the work reviewed so nothing is missed.

At DataCare, our website design service builds sites PDPA-compliant from the start, and our PDPA compliance service can audit and fix an existing site.

Is your website PDPA-compliant?

We audit your forms, privacy policy, consent, and security against the PDPA, then fix the gaps, so your site collects data the right way.

Get a PDPA Website Check

Frequently asked questions

Does my website need a privacy policy under the PDPA?

Yes, in practice. If your website collects any personal data, such as through contact forms, newsletter sign-ups, accounts, or analytics, the PDPA requires you to notify individuals of the purposes for collection, use, and disclosure. A clear, accessible privacy policy is the standard way to meet this notification obligation.

Do I need cookie consent on a Singapore website?

It depends on what the cookies do. If cookies or tracking tools collect personal data that can identify an individual, you should notify users and obtain consent. Purely functional cookies, or anonymous analytics that do not identify a person, can generally rely on deemed consent, but you should still disclose your cookie use in your privacy policy.

Is HTTPS required for PDPA compliance?

The PDPA does not name HTTPS specifically, but it requires organisations to make reasonable security arrangements to protect personal data. For a website that collects data through forms or logins, HTTPS encryption is considered a baseline expectation, alongside secure forms and a protected database.

Do I need to show a DPO contact on my website?

Yes. The PDPA requires every organisation to appoint a Data Protection Officer and make their business contact information publicly available. A website is the most common place to do this, usually in the privacy policy or on a contact page, often as a role-based email such as dpo@yourcompany.com.

What happens if my website is not PDPA compliant?

A non-compliant website can lead to complaints and enforcement action by the Personal Data Protection Commission (PDPC), including directions to comply and financial penalties of up to 10% of annual turnover in Singapore or S$1 million, whichever is higher. It also increases the risk of a data breach and the loss of customer trust.

Useful resources

Disclaimer: This article is for general information only and does not constitute legal advice. For the current requirements and your specific obligations, refer to the Personal Data Protection Commission (PDPC) and seek qualified advice.