Explainer

Singapore PDPA Ecommerce Guide: What Online Sellers Must Do

SellerLegal Team | 13 min read

This guide is for informational purposes only and does not constitute legal advice. Regulations change frequently. April 2026.

Summary

What Singapore's PDPA means for your online store. Covers mandatory DPO, 3-day breach notification, email consent rules, customer data rights, and penalties up to S$1 million.

Every purchase creates a data obligation.

Singapore’s Personal Data Protection Act (PDPA) turns customer trust into enforceable law — with fines of up to S$1 million and a hard 72-hour window to report data breaches. Most ecommerce sellers in Singapore are not fully compliant, often because they assume the law is only for large corporations. It is not.

This guide explains every PDPA obligation that applies to your online store — plain language, no legalese, with the exact requirements from PDPC’s official documentation.

For the broader picture of running a compliant ecommerce business in Singapore, see our ecommerce data privacy hub.


What Is the PDPA and Who Does It Cover?

The PDPA is Singapore’s primary data privacy law.

The Personal Data Protection Act 2012 (PDPA) is a Singapore statute that governs how organisations collect, use, disclose, and protect personal data. It applies to any organisation that handles personal data in Singapore — regardless of size. The 2020 amendments, fully in force since October 2022, added mandatory breach notification, DPO requirements, and penalties of up to S$1 million or 10% of annual gross turnover (PDPC, Singapore Statutes Online).

“Personal data” means any data that identifies an individual — names, email addresses, phone numbers, shipping addresses, purchase history, IP addresses, and cookies linked to identifiable users. If your store collects any of this (every ecommerce store does), PDPA applies to you.

The law is administered by the Personal Data Protection Commission (PDPC), which investigates complaints, audits organisations, and issues financial penalties.

Image: Screenshot of PDPC’s official data protection obligations page — pdpc.gov.sg


What Obligations Apply to Ecommerce Sellers?

The PDPA sets out 11 data protection obligations. These are the ones that affect online sellers most directly.

The 11 PDPA Obligations at a Glance

Obligation | What It Means for Your Store
Consent | Get consent before collecting or using personal data
Purpose Limitation | Only collect data for stated, reasonable purposes
Notification | Tell customers what data you collect and why
Access and Correction | Respond to customer data requests within 30 days
Accuracy | Keep customer data reasonably accurate and complete
Protection | Implement security measures to protect stored data
Retention Limitation | Delete data when no longer needed for its original purpose
Transfer Limitation | Follow rules when sending customer data overseas
Data Breach Notification | Notify PDPC and affected customers within 72 hours
Data Portability | Provide data in machine-readable format upon request
Accountability | Appoint a DPO and have a written data protection policy

For most small ecommerce sellers, four of these obligations create the highest compliance risk: consent, breach notification, DPO appointment, and customer data rights. Those are covered in detail below.


Do You Need a Data Protection Officer?

Yes — every organisation subject to PDPA must have one.

Under Section 11 of the PDPA, all organisations that collect personal data in Singapore must designate at least one Data Protection Officer (DPO) and make the DPO’s business contact information publicly available. There is no minimum employee count or revenue threshold. As of September 30, 2024, all Singapore organisations must also register their DPO details with the PDPC (PDPC DPO Requirements, 2024).

For a sole proprietor or small team, the DPO does not need to be a dedicated hire. You can:

  • Assign the DPO role to yourself (common for sole proprietors)
  • Add DPO responsibilities to an existing employee’s job scope
  • Outsource to an external DPO service provider (fees typically range from SGD 1,500–5,000/year for basic coverage)

What you cannot do is have no DPO at all and no publicly accessible DPO contact information.

What a DPO actually does for your store:

  1. Maintains an inventory of the personal data your store collects (customer records, email lists, analytics data)
  2. Trains staff on data handling (if you have any)
  3. Monitors compliance with PDPA obligations
  4. Manages data breach response when incidents occur
  5. Handles customer data access and correction requests
  6. Acts as the contact point for PDPC investigations

If you are a one-person store, this translates to: publish a business email on your website as the “data protection contact,” draft a simple privacy policy, and know what to do if your Shopify account or email system is ever compromised.

For growing stores with teams or significant customer databases, consider outsourcing the DPO role to services like Straits Interactive or DPO Centre before the complexity exceeds what an internal assignment can handle.

Image: Sample DPO contact section from an ecommerce website privacy policy page


What Are the Data Breach Notification Rules?

This is the obligation with the hardest deadline.

Under the PDPA 2020 amendments, organisations must notify both the PDPC and affected individuals within 72 hours (3 calendar days) of assessing that a data breach is “notifiable.” A breach is notifiable if it affects 500 or more individuals, or is likely to cause significant harm — including financial loss, identity theft, physical harm, or reputational damage to affected individuals (PDPA Notification of Data Breaches Regulations 2021).

The 72-hour window runs from the moment you determine the breach is notifiable, not from when the breach occurred. This distinction matters: you have time to investigate, but once you conclude the breach meets the thresholds, the clock starts.

What triggers a notifiable breach for an ecommerce store:

  • Your customer database (names, emails, addresses, order history) is accessed without authorisation
  • Your email marketing platform account is compromised and subscriber lists are exported
  • A third-party logistics partner exposes your customer shipping data
  • A ransomware attack on your system encrypts or exfiltrates customer records
  • A misconfigured Shopify app makes customer order data publicly accessible

What does not automatically trigger notification:

  • Loss of an encrypted device with no indication it was accessed
  • Breach affecting only internal business data (no customer personal data involved)
  • Test data breaches (if no real personal data was exposed)

The two-step notification process:

  1. Notify the PDPC via the PDPC online portal within 72 hours of your assessment
  2. Notify affected individuals as soon as practicable — this means as quickly as you can after PDPC notification, not after a weeks-long internal review

Failure to notify is itself a PDPA breach — separate from the underlying data loss — and attracts its own penalties.

Keep a data breach response plan before you need it. Document who makes the notification call, what information goes into the PDPC report (nature of breach, data types, estimated number affected, steps taken), and how you will contact affected customers.


How Does the Consent Obligation Apply to Marketing?

Consent is the foundation of every data interaction with your customers.

Under PDPA’s consent obligation, an organisation cannot collect, use, or disclose a customer’s personal data without their express or deemed consent. For email marketing, this means customers must actively opt in. Pre-ticked checkboxes and bundled consent (e.g., a single checkbox where agreeing to the T&Cs also counts as agreeing to marketing) are not valid under Singapore’s PDPA (PDPC Consent Obligation Guidelines).

For ecommerce sellers, consent issues arise in three main areas:

1. At checkout

Add a clearly worded, unticked opt-in checkbox for marketing communications. Example:

“I agree to receive promotional emails about new products and offers from [Store Name]. You can unsubscribe at any time.”

This is separate from the T&Cs checkbox. Bundling them together — “I agree to the terms and to receive marketing” — is not valid consent under PDPA.

2. Email list imports

If you import a customer list from another source (a previous store, a supplier partner, a trade show), you need documentation that each contact gave consent to receive marketing from you specifically. Consent given to one organisation does not transfer to another.

3. The Do Not Call (DNC) Registry

For SMS marketing, WhatsApp broadcast messages, and phone calls, Singapore operates a Do Not Call Registry. You must screen your contact list against the DNC Registry before sending marketing messages to Singapore numbers. Violation of the DNC rules carries a separate set of penalties under the PDPA.

Transactional vs marketing messages:

Order confirmations, shipping updates, and account notifications are transactional. They do not require separate marketing consent — they are necessary for fulfilling the purchase. However, do not embed promotional content inside transactional emails as a workaround to consent obligations. PDPC has issued guidance that marketing content added to transactional emails is still subject to consent requirements.
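The checkout, list-import and transactional-vs-marketing rules above, as an added example that is not from the original guide or from SellerLegal: a small Python consent ledger that refuses pre-ticked or bundled consent, records when and how each consent was given, accepts imported contacts only when their documented consent names this store, and lets transactional mail through without marketing consent. All class, field and function names and the sample data are assumptions for illustration.

```python
"""Checkout consent ledger (hypothetical example, not from the original guide).

Models the consent rules above: a separate, unticked marketing checkbox, a
record of when and how consent was given, imported lists usable only when the
consent names this store, and no marketing consent for transactional mail."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CheckoutForm:
    """What the checkout page rendered and what the customer submitted (constructed)."""
    email: str
    marketing_opt_in: bool            # state of the separate marketing checkbox
    marketing_default_checked: bool   # was that box pre-ticked when rendered?
    bundled_with_terms: bool          # one checkbox covering both T&Cs and marketing?
    consent_text: str                 # wording shown next to the marketing box


@dataclass
class ConsentRecord:
    email: str
    granted_at: datetime
    source: str          # e.g. "checkout" or "import:tradeshow-2025"
    consent_text: str
    organisation: str    # the store named in the consent wording


class ConsentLedger:
    def __init__(self, store_name: str) -> None:
        self.store_name = store_name
        self._records: dict[str, ConsentRecord] = {}

    def record_checkout(self, form: CheckoutForm, now: datetime | None = None) -> ConsentRecord | None:
        """Return a record only for a valid express opt-in; otherwise None."""
        if form.bundled_with_terms or form.marketing_default_checked:
            return None   # bundled or pre-ticked consent is not valid, even if ticked
        if not form.marketing_opt_in:
            return None
        rec = ConsentRecord(form.email, now or datetime.now(timezone.utc),
                            "checkout", form.consent_text, self.store_name)
        self._records[form.email.lower()] = rec
        return rec

    def record_import(self, email: str, source: str, consent_text: str,
                      organisation: str, granted_at: datetime | None = None) -> bool:
        """Imported contacts count only if their documented consent names this store."""
        if organisation != self.store_name:
            return False   # consent given to another organisation does not transfer
        self._records[email.lower()] = ConsentRecord(
            email, granted_at or datetime.now(timezone.utc), source, consent_text, organisation)
        return True

    def may_send(self, email: str, kind: str) -> bool:
        """Transactional mail needs no marketing consent; SMS/calls would also need DNC screening (not modelled)."""
        if kind == "transactional":
            return True
        return kind == "marketing" and email.lower() in self._records
```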



What Rights Do Your Customers Have Under PDPA?

Customers can make formal requests about their data — and you must respond.

Under Singapore’s PDPA, individuals have three primary rights regarding their personal data: the right to access (know what data you hold), the right to correction (fix inaccurate data), and the right to data portability (receive their data in a machine-readable format for transfer to another organisation). Organisations must respond to access and correction requests as soon as reasonably practicable, with PDPC guidance indicating 30 days as the expected benchmark (PDPC Access and Correction Obligations).

Access requests — A customer emails asking: “What personal information do you have about me, and how have you used it?” You must provide a list of their personal data you hold and a summary of how it was used or disclosed in the past 12 months.

Correction requests — A customer notices their delivery address is wrong in your system. They request a correction. You must update it as soon as reasonably practicable and, if you have shared that data with a logistics partner, send the corrected data to that partner.

Portability requests — Under the PDPA 2020 amendments, organisations covered by the portability obligation must provide a customer’s data in a machine-readable format (CSV, JSON) for transfer to another organisation upon request. The portability obligation currently applies to organisations that use data portability as a competitive advantage — check PDPC’s advisory guidelines for whether your store falls within scope.

What you are not required to do:

  • Provide access to data that could harm another individual
  • Provide access to legal privilege data
  • Comply with requests where the cost would be unreasonable relative to the nature of the data

Charge a reasonable fee (PDPC guidance suggests no more than SGD 10-20 for straightforward requests) if the cost of compliance warrants it. Document every request and your response.

Image: Example of a customer data request form embedded on an ecommerce store’s privacy policy page


What Penalties Has PDPC Enforced?

The fines are real, and PDPC has consistently enforced them against companies of all sizes.

Under the enhanced penalty framework effective October 2022, the PDPC can fine organisations the higher of S$1 million or 10% of annual gross turnover in Singapore. For organisations with turnover below S$10 million, the S$1 million cap applies. Recent enforcement actions show PDPC fining both small digital platforms and large enterprises for data breach and protection failures (PDPC Commission Decisions, 2024-2025).

Documented enforcement examples relevant to ecommerce:

Organisation | Year | Breach Type | Fine
Eatigo (food-tech platform) | 2024 | Security failure — 2.76M users exposed | SGD 62,400
ShopBack (cashback platform) | 2024 | Security failures in customer data handling | SGD 74,400
Singapore Data Hub | 2025 (April) | Protection obligation breach — 689,000 records | SGD 17,500
Marina Bay Sands | 2025 | API misconfiguration — 665,000 patrons exposed | SGD 315,000

For an ecommerce seller with annual turnover under SGD 1 million, a PDPA fine in the SGD 10,000–80,000 range would be proportionally severe. And financial penalties are not the only consequence. PDPC directions can require you to implement specific security controls, submit compliance reports, and engage external auditors — all at your cost.

The most common causes of PDPA enforcement actions against smaller organisations are: inadequate password controls on customer databases, sharing customer data with third parties without data processing agreements, and failure to notify PDPC of data breaches.


What Does a Minimum Viable PDPA Setup Look Like for a Small Store?

You do not need a full compliance department. You need to cover the basics.

A practical PDPA minimum for a small ecommerce seller in Singapore:

  1. Publish a privacy policy — explains what data you collect, why, who you share it with, and how customers can make data requests. Shopify and WooCommerce have privacy policy generators as a starting point. Review them against Singapore-specific requirements.

  2. Add a DPO contact to your website — a business email address labelled as your data protection contact. If you are a sole proprietor, this is your email. No separate hire needed.

  3. Fix your email opt-in — unticked checkbox at checkout, clear statement of what subscribers will receive, and an unsubscribe link in every marketing email.

  4. Prepare a breach response checklist — a one-page document: who assesses the breach, what counts as notifiable, the PDPC portal URL, and how you notify customers. Print it and put it somewhere you will find it during a crisis.

  5. Document consent — keep records of when customers consented to marketing. MailChimp, Klaviyo, and most Singapore-compliant email tools store this automatically. Make sure you know how to export it.

  6. Review third-party data sharing — if you use fulfilment partners, analytics tools, or marketing platforms that receive customer data, ensure you have basic data processing agreements in place. This is required under PDPA’s transfer limitation obligation.

For sellers at SGD 1 million revenue and above, or those operating at significant scale, a formal PDPA audit and engagement with a professional DPO service is worth the cost relative to the penalty exposure.


Frequently Asked Questions

Does PDPA apply to small ecommerce sellers in Singapore?

Yes. The PDPA applies to all organisations that collect, use, or disclose personal data in Singapore, regardless of size. Whether you run a one-person Shopee store or a growing Shopify brand, the same obligations apply — DPO appointment, consent for email marketing, data breach notification, and responding to customer data access requests.

What is the PDPA 3-day data breach notification rule?

Under Singapore’s PDPA 2020 amendments, organisations must notify the PDPC within 3 calendar days (72 hours) of assessing that a breach is notifiable. A breach is notifiable if it affects 500 or more individuals, or if it is likely to cause significant harm — including financial loss, identity theft, or reputational damage. Affected individuals must also be notified as soon as practicable.

Do I need a Data Protection Officer if I am a sole proprietor selling online?

Yes. As of September 30, 2024, every organisation subject to PDPA must appoint at least one Data Protection Officer and make their contact information publicly available. There is no size exemption. Sole proprietors can fulfil this by assigning the DPO role to themselves and listing their business email as the data protection contact on their website.

Can I add customers to my email marketing list after they buy from me?

Only if they consented. Singapore’s PDPA requires explicit opt-in for direct marketing. At checkout, use an unticked opt-in checkbox. Pre-ticked boxes and bundled T&C consent do not satisfy PDPA’s consent requirement. For SMS and call-based marketing, screen all numbers against the Do Not Call Registry before sending.

What are PDPA penalties for ecommerce sellers in Singapore?

Under the enhanced penalty regime effective October 2022, the PDPC can fine organisations up to 10% of annual gross turnover in Singapore or S$1 million — whichever is higher. For sellers with turnover below SGD 10 million, the S$1 million cap applies. Recent fines have ranged from SGD 17,500 for a data hub operator to SGD 315,000 for a major integrated resort.


This guide covers general information about PDPA compliance for ecommerce sellers in Singapore. Regulations may change. Verify current requirements at pdpc.gov.sg or consult a qualified data protection professional for your specific situation. Last verified: April 2026.
