Singapore PDPA

Personal Data Protection Act 2012

Flag of SG
SingaporeOpt-outNational
Back to Regulations Guide

Key Facts

Effective Date
July 2, 2014
Enacted
October 15, 2012
Enforcing Authority
Personal Data Protection Commission (PDPC), under IMDA
Consent Model
Opt-out
Fulfillment Time
30 days
Applies To
All private sector organizations in Singapore collecting, using, or disclosing personal data

Overview

Singapore's PDPA takes a pragmatic, less prescriptive approach compared to EU-style laws — there is no specific cookie consent mandate. However, cookies collecting personal data are subject to the PDPA's consent and notification obligations. The 2021 amendments raised penalties to 10% of turnover and introduced a deemed consent framework.

What This Means for Your Website

  • No specific cookie banner mandate exists, but cookies collecting personal data require consent
  • The deemed consent framework allows organizations to infer consent in certain situations
  • DPO appointment is mandatory from June 2025
  • Breach notification to PDPC is required within 3 calendar days
  • Data portability obligations phase in from April-June 2025
  • Penalties reach 10% of annual turnover in Singapore

Key Requirements

The PDPC enforces the PDPA with penalties up to 10% of Singapore turnover (minimum SGD 1 million). Criminal penalties include SGD 5,000 and/or 2 years imprisonment for egregious mishandling. Consumer requests must be fulfilled within 30 days. The 2024 amendment adds obligations for data processors and enhanced breach notification from June 2025.

How ConsentStack Handles This

ConsentStack applies Singapore's pragmatic consent model for Singaporean visitors, supporting both explicit and deemed consent approaches as appropriate.

Penalties

Up to 10% of annual turnover in Singapore (minimum SGD 1 million). Criminal: up to SGD 5,000 and/or 2 years.

Revenue-based
10% of annual revenue

Key Requirements

  • Consent for collection, use, or disclosure of personal data (with deemed consent exceptions)
  • Notification of purposes for data collection
  • Mandatory breach notification to PDPC within 3 calendar days
  • DPO appointment mandatory
  • Data portability obligations from April-June 2025
  • Cross-border transfers with adequate safeguards

Notable Provisions

  • No specific cookie consent mandate — less prescriptive than GDPR
  • Deemed consent framework allows inferred consent in certain situations
  • 10% turnover penalties from 2021 amendments
  • Data portability and DPO obligations effective 2025

Other Asia Pacific Regulations

PIPLChina
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Australian Privacy ActAustralia
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.
South Korea PIPASouth Korea
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPIJapan
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Thailand PDPAThailand
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
Indonesia PDP LawIndonesia
Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.

Frequently Asked Questions

Does Singapore require cookie consent banners?

No. Singapore does not specifically mandate cookie consent banners. However, if cookies collect personal data, the PDPA's consent and notification obligations apply.

What is deemed consent in Singapore?

The PDPA allows organizations to infer consent in certain situations (consent by conduct or contractual necessity) without requiring explicit opt-in.

What are Singapore's data protection penalties?

Up to 10% of annual turnover in Singapore (minimum SGD 1 million). Criminal penalties of SGD 5,000 and/or 2 years for egregious cases.

Is DPO appointment mandatory in Singapore?

Yes, from June 2025. All private sector organizations must appoint a Data Protection Officer.

Stay compliant with Singapore PDPA

ConsentStack helps you implement Opt-out consent for Singapore automatically.

Get started