The Personal Data Protection Act has quietly become the most consequential law for any Singapore website. Financial penalties can reach SGD 1 million, or 10% of annual Singapore turnover for organisations whose local turnover exceeds SGD 10 million, whichever is higher, and the Personal Data Protection Commission (PDPC) has been actively enforcing since the 2021 amendments. By the end of 2026, two further changes raise the bar: NRIC numbers can no longer be used for authentication, and DPO contact details must be publicly listed on every site.
Most websites are partly compliant by accident. Few are fully compliant by design. This guide walks through what the law actually requires of a Singapore website, in the order a PDPC investigator would check it.
The 11 PDPA Obligations That Apply to Websites
PDPA defines eleven core obligations. Not all of them touch a website equally. Below is each one, ranked by how often we see it fail in Singapore website audits.
1. Consent Obligation
You must obtain consent before collecting, using, or disclosing personal data. Pre-ticked boxes, buried opt-ins inside terms-and-conditions, and dark patterns (“By browsing this site you agree to…”) all fail. Real consent in 2026 means an explicit action: a tickbox left unchecked, a clear “I agree” button, or a separate consent capture during form submission. Withdrawal must be just as easy as giving consent.
2. Notification Obligation
You must tell the user, on or before collection, what data you are collecting, why, and how it will be used. The standard Singapore implementation is a privacy policy linked from every form, plus a short “purpose statement” at the form itself. The privacy policy cannot be a 6,000-word legal essay nobody reads. PDPC has criticised opaque policies in enforcement decisions.
3. Purpose Limitation Obligation
You can only use the data for purposes the user agreed to. Collecting an email for an order confirmation and then enrolling that user in a marketing list is a breach unless a separate, explicit marketing consent was captured. Singapore brands frequently fail this when CRM tools auto-tag every contact for marketing.
4. Accuracy Obligation
You must take reasonable steps to ensure data is accurate, especially when the data will be used to make decisions about the user (eligibility, pricing, access to services). For a website, this means letting users update their own details and acting on correction requests.
5. Protection Obligation
You must apply reasonable security to protect data. TLS site-wide (every page served over HTTPS, not only login and checkout) is non-negotiable; the PDPC has fined organisations for transmitting form data over plain HTTP. TLS only protects data in transit, so beyond it you need access controls on admin panels, regular patching, encrypted backups, and signed Data Processing Agreements with every vendor that handles personal data on your behalf.
6. Retention Limitation Obligation
Once the purpose is fulfilled, you must stop holding the data. A common Singapore failure is keeping every contact form submission for years “just in case”. Set explicit retention windows in your privacy policy (e.g. “marketing leads retained for 24 months after last interaction”), actually purge on that schedule, and keep a record of each purge so you can show it ran.
7. Transfer Limitation Obligation
Personal data sent outside Singapore must receive comparable protection to PDPA. Most websites use overseas vendors (HubSpot, Mailchimp, Stripe, AWS regions in the US or EU). This is allowed if the contract or vendor framework provides equivalent protection. The PDPC accepts the GDPR Standard Contractual Clauses or similar mechanisms.
8. Access and Correction Obligation
A user can ask you what data you hold about them and ask you to correct it. You must respond within 30 calendar days or, if that is not possible, tell them within those 30 days when you will. The website should expose a simple request channel (email to the DPO, or a dedicated form). “Reach us via WhatsApp” is not acceptable as the only channel.
9. Accountability Obligation
You must designate a Data Protection Officer (DPO) and publish their contact details. This is required of every organisation, regardless of size (which is stricter than GDPR). The DPO can be a staff member or an outsourced service. Their email or phone must be on the website.
10. Data Breach Notification Obligation
A breach is notifiable when it results in, or is likely to result in, significant harm to affected individuals (the prescribed categories include NRIC numbers, financial and health information) or is of significant scale (500 or more individuals). Notify the PDPC within three calendar days of assessing that the breach is notifiable, and notify affected individuals as soon as practicable after that. Have an incident response plan written before you need it.
11. Data Portability Obligation
Once fully in force, this requires you to transmit a user’s data to another organisation on request. Implementation has been phased; check the latest PDPC guidance for your sector.
The Two 2026 Changes Most Websites Have Missed
NRIC Cannot Be Used for Authentication After 31 December 2026
In February 2026, the PDPC announced that all private organisations must cease using NRIC numbers for authentication purposes by 31 December 2026. This affects: account login flows, customer support verification, member verification, and any “key in your NRIC to access” pattern.
NRIC may still be collected where the law requires it (KYC under MAS rules, identity verification at point of contract). But it cannot be used as a password or as a primary authentication factor. An NRIC number is a lifelong identifier that appears on countless forms and in past breaches, and neither it nor a date of birth can be rotated once leaked, so the pair is an identifier, not a secret. Singapore websites that use NRIC + DOB as a “login” for member portals must replace this flow before the deadline.
DPO Contact Must Be Published
The DPO designation has always been required. What is now expected is that the DPO’s business contact (email or phone) is publicly findable on the website, typically in the privacy policy and footer. PDPC enforcement now treats hidden DPO contacts as a separate breach.
Cookies and Trackers: What Singapore Actually Requires
PDPA does not explicitly require a cookie banner. It requires consent for the data collection that cookies and trackers enable. The practical effect is the same in most cases: if your site uses Google Analytics 4, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, HubSpot, or any third-party tool that loads a cookie identifying the user, you need consent.
A compliant Singapore cookie banner in 2026 typically includes:
- A clear notice that the site uses cookies, with a short purpose statement.
- Three buttons: “Accept all”, “Reject all”, and “Manage preferences”. Reject must be as easy as accept.
- Granular controls in “Manage preferences” for at least: strictly necessary, functional, analytics, and marketing.
- No cookies fired beyond strictly necessary until consent is given.
- A way for the user to change their preferences later (a small “cookie settings” link in the footer).
- A log of consents kept for at least 24 months in case of audit.
Tools that handle this well in Singapore: CookieYes, Cookiebot, Iubenda, OneTrust, and WordPress plugins like Complianz. Free tiers cover most SMEs.
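For teams that would rather own the gate than rely on a vendor banner, here is the core of it as an added example, not code from the original article or from any of the tools named above: a consent state with the four categories listed, a cookie round-trip that treats anything malformed or tampered as “no consent”, a tag registry where each vendor maps to one category, a loader that can only fire tags the current state allows, and the audit record to keep for the consent log. The cookie name `pdpa_consent`, the tag ids and the one-year re-prompt interval are assumptions; loaders are passed in by the caller so the logic runs outside a browser, and in a page each loader would inject the vendor's script tag.

```javascript
// Added example (not the article's code). Cookie name, tag ids and TTL are
// assumptions. No DOM access: the caller supplies the loaders.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const COOKIE_NAME = "pdpa_consent"; // assumed
const CONSENT_TTL_DAYS = 365;       // assumed re-prompt interval

// State before the user acts on the banner: strictly necessary only.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

function acceptAll() {
  return { necessary: true, functional: true, analytics: true, marketing: true };
}

// "Reject all" is one click and yields exactly the pre-consent state.
function rejectAll() {
  return defaultConsent();
}

// Parse a document.cookie-style string. Missing, malformed or tampered values
// (necessary:false, analytics:"yes") collapse to no consent for that category;
// "necessary" can never be switched off.
function parseConsent(cookieHeader, name = COOKIE_NAME) {
  const consent = defaultConsent();
  if (typeof cookieHeader !== "string") return consent;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== name) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      for (const c of CATEGORIES) {
        if (c !== "necessary" && parsed[c] === true) consent[c] = true;
      }
    } catch (_) {
      // malformed value: keep the defaults
    }
    break;
  }
  return consent;
}

// Cookie string to set after a banner action. Secure + SameSite so the stored
// choice cannot be set from plain HTTP or a cross-site request.
function serializeConsent(consent, name = COOKIE_NAME) {
  const value = {};
  for (const c of CATEGORIES) value[c] = c === "necessary" || consent[c] === true;
  const maxAge = CONSENT_TTL_DAYS * 24 * 60 * 60;
  return `${name}=${encodeURIComponent(JSON.stringify(value))}; Path=/; Max-Age=${maxAge}; Secure; SameSite=Lax`;
}

// Every third-party tag maps to exactly one category. Anything not listed
// here has no way to load.
const TAGS = [
  { id: "session-store", category: "necessary" },
  { id: "ga4", category: "analytics" },
  { id: "meta-pixel", category: "marketing" },
  { id: "hubspot", category: "marketing" },
];

function allowedTags(consent, tags = TAGS) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Run the loader for each allowed tag and return what fired, so the caller
// (or a test) can prove nothing beyond "necessary" ran before consent.
function applyConsent(consent, loaders, tags = TAGS) {
  const fired = [];
  for (const id of allowedTags(consent, tags)) {
    if (typeof loaders[id] === "function") {
      loaders[id]();
      fired.push(id);
    }
  }
  return fired;
}

// Audit record to POST to the server and keep for the retention window: the
// choice, when, which policy/banner version was shown, and how it was made.
function consentRecord(consent, { action, policyVersion, subjectId = null, now = new Date() }) {
  return {
    ts: now.toISOString(),
    action,        // "accept_all" | "reject_all" | "custom" | "withdraw"
    policyVersion,
    subjectId,     // pseudonymous user or session id, if you have one
    choices: Object.fromEntries(CATEGORIES.map((c) => [c, consent[c] === true])),
  };
}
```

On page load, call `applyConsent(parseConsent(document.cookie), loaders)` before any vendor snippet runs; on a banner action, set `document.cookie = serializeConsent(choice)`, call `applyConsent(choice, loaders)`, and POST `consentRecord(choice, …)` to your server. The “cookie settings” footer link simply reopens the banner with the parsed state pre-filled; a withdrawal is a `serializeConsent(rejectAll())` plus a record with `action: "withdraw"`.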
What Goes in the Privacy Policy
Privacy policies are not boilerplate. PDPC has explicitly criticised generic policies and has fined organisations for policies that did not match actual data practices. The policy must describe what your site actually does. A workable structure:
- Who you are (legal entity, UEN, registered address).
- What categories of data you collect (contact, transaction, behavioural, sensitive).
- How you collect it (forms, cookies, third-party platforms, offline).
- Why you collect it (specific purposes; no “for business purposes” hand-waving).
- Who you share it with, including each named overseas vendor and the country it operates from.
- How long you keep it, by category.
- How you protect it (TLS, access controls, DPA agreements, ISO/SOC 2 status if you have it).
- What rights the user has (access, correction, withdrawal of consent, complaint to PDPC).
- How to contact the DPO (email and phone).
- When the policy was last updated.
Sector-Specific Layers on Top of PDPA
Some industries face additional requirements that intersect with PDPA. A website built in those sectors must comply with both:
| Sector | Additional layer | Practical impact |
|---|---|---|
| Healthcare | MOH advertising rules + HCSA + clinic licence | Restricts testimonials; requires audit-trail consent |
| Financial services | MAS TRM + Notice 626 + FAA cross-border | TRM-grade encryption; data residency requirements |
| Education | CPE / SkillsFuture rules | Stricter consent for minors and student data |
| Insurance | Insurance Act + MAS regulations | Strong recordkeeping for advisory data |
| E-commerce | Consumer Protection (Fair Trading) Act (enforced by CCCS) + PDPA | Refund/return policy must be on every storefront |
| Telco / IoT | IMDA Cyber Hygiene + PDPA | Notification + breach response inside 24 hours |
If You Have a Breach: The 72-Hour Clock
Notifiable breaches must reach the PDPC within three calendar days of your assessment that the breach is notifiable, and the assessment itself should take no more than 30 days from the moment you first suspect a breach. Singapore brands that handle this well prepare a one-page incident response plan in advance. The minimum:
- A named incident commander (often the DPO or CTO).
- A breach hotline staff are told about during onboarding.
- A pre-drafted PDPC notification template (saves 4 to 6 hours during a real incident).
- A pre-drafted user notification email (with legal review already done).
- A shortlist of forensic vendors you can call before legal sign-off.
The most common Singapore PDPA fine pattern in 2024 to 2025 was not the breach itself; it was the slow response and missed notification deadline.
A 30-Minute Self-Audit
Run this before the next time someone asks you “are we PDPA compliant”. If you cannot answer yes to all of these, you are not.
- Privacy policy on the site, clearly linked from the footer and from every form.
- DPO contact (email or phone) findable on the site.
- TLS sitewide (every HTTP request redirected to HTTPS), with an HSTS header.
- Cookie banner with accept / reject / manage preferences and no pre-firing of analytics or marketing tags.
- Every web form has a purpose statement and an explicit consent action.
- No NRIC-based login flow remaining (deadline 31 Dec 2026).
- A retention schedule for marketing data, with proof of actual purges.
- Signed DPAs with every overseas vendor handling personal data.
- A documented incident response plan with named owner.
- A consent log retained for 24 months minimum.
If you want a website-level PDPA audit or help configuring cookies, consent flows, and DPO infrastructure, talk to MediaPlus web design and development. PDPC enforcement decisions are public; reading them is the cheapest legal education available, and the patterns are predictable.