PDPA Compliance

1. Consent Obligation

Organizations must obtain an individual's consent before collecting, using, or disclosing their personal data. Consent must be:

• •Informed: Individuals must know what they're consenting to and the purposes for collection
• •Voluntary: Consent must be freely given without coercion
• •Express or Implied: Express consent (opt-in) is required for sensitive data or non-obvious uses; implied consent may be acceptable for obvious purposes when reasonable
• •Specific: Consent must be for specific, identified purposes

Deemed Consent (2021 Amendment)

The 2021 PDPA amendments introduced "deemed consent" - a new form of consent where organizations may collect, use, or disclose personal data without express consent IF:

• •The individual is notified of the purposes
• •The individual is given a reasonable opportunity to opt out
• •The individual does not opt out within a reasonable time
• •It is reasonable to expect the individual to voluntarily provide the consent

However, deemed consent is NOT appropriate for sensitive personal data or uses that individuals would not reasonably expect.

2. Purpose Limitation Obligation

Organizations may collect, use, or disclose personal data only for purposes that:

• •A reasonable person would consider appropriate in the circumstances
• •Have been notified to the individual

For cookies, this means you must identify specific, legitimate purposes (e.g., "to analyze website traffic and improve user experience") and not use cookie data for other purposes without obtaining new consent.

3. Notification Obligation

Organizations must notify individuals of the purposes for collection, use, or disclosure of personal data. This notification must be made:

• •On or before collecting personal data
• •In a manner that is reasonable

Your cookie banner and privacy policy serve this notification function. They must clearly explain what cookies you use and why.

4. Access and Correction Obligation

Organizations must, upon request:

• •Provide individuals with access to their personal data held by the organization
• •Information about how the data has been or may have been used or disclosed within the past year
• •Correct errors or omissions in personal data

Response timeframe: Within 30 days (can be extended by another 30 days with notification and reasons).

5. Accuracy Obligation

Organizations must make reasonable efforts to ensure personal data is accurate and complete, especially if:

• •The data is likely to be used to make decisions affecting the individual
• •The data is likely to be disclosed to another organization

6. Protection Obligation

Organizations must protect personal data in their possession or control by making reasonable security arrangements to prevent:

• •Unauthorized access, collection, use, disclosure, copying, modification, or disposal
• •Loss of storage medium or devices containing personal data

For cookies and online tracking, this means:

• •Using HTTPS to encrypt data in transit
• •Implementing secure storage for databases containing personal data
• •Ensuring third-party processors have adequate security
• •Regular security audits and updates

7. Retention Limitation Obligation

Organizations must cease to retain personal data, or remove the means by which the data can be associated with particular individuals, as soon as:

• •The purpose for retention is no longer being served by retaining the data
• •Retention is no longer necessary for business or legal purposes

This means setting appropriate expiration dates for cookies and regularly deleting or anonymizing cookie data that's no longer needed.

8. Transfer Limitation Obligation

Organizations must not transfer personal data outside Singapore except in accordance with requirements to ensure the receiving organization provides a standard of protection comparable to PDPA. This can be done through:

• •Obtaining individual's consent
• •Using contracts with data protection clauses
• •Binding corporate rules for intra-group transfers

Important for cookies: If you use third-party services (Google Analytics, Facebook Pixel, etc.) that transfer data outside Singapore, you need appropriate safeguards and should disclose this in your privacy policy.

9. Openness Obligation

Organizations must develop and implement policies and practices necessary for meeting the PDPA obligations, and make information about these policies and practices available upon request. This includes:

• •Publishing a privacy policy
• •Providing information about data protection practices
• •Designating a Data Protection Officer (DPO) and publishing contact details

When Do Cookies Involve Personal Data?

Under PDPA, "personal data" means data about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access. Cookies involve personal data when:

• •The cookie contains or is linked to identifiable information (e.g., logged-in user ID, email address)
• •The cookie is used in combination with other data to identify or profile individuals
• •The cookie tracks behavior across websites or over time in a way that creates identifiable profiles

Most analytics and marketing cookies qualify as processing personal data under PDPA.

PDPC Guidance on Cookie Consent

Essential/Strictly Necessary Cookies (No Consent Required)

Cookies that are strictly necessary for the website to function or to provide a service explicitly requested by the user typically don't require consent. Examples include:

• •Session cookies for logged-in users
• •Shopping cart cookies for e-commerce
• •Load balancing cookies
• •Security and fraud prevention cookies

These can rely on the "legitimate interests" exception or implied consent, as they're necessary for the service the user is requesting.

Functional Cookies (Deemed or Implied Consent)

Cookies that enhance functionality but aren't strictly necessary may use deemed consent or implied consent IF:

• •The purpose is clearly disclosed
• •The use is reasonably expected by users
• •Users can easily opt out

Examples: language preferences, volume settings, UI customization preferences

Analytics Cookies (Express Consent Recommended)

Analytics cookies typically require express (opt-in) consent or, in limited cases, deemed consent with clear opt-out, because:

• •They collect detailed behavioral data
• •They create profiles of individual users
• •Data is often shared with third parties (e.g., Google)
• •Users may not reasonably expect this level of tracking

PDPC Guidance: If using deemed consent for analytics, organizations must provide clear notice and a prominent, easy opt-out mechanism.

Marketing/Advertising Cookies (Express Consent Required)

Marketing and advertising cookies always require express (opt-in) consent because:

• •They collect sensitive behavioral information
• •They're used for targeted advertising and profiling
• •They often involve cross-site tracking
• •Data is shared with multiple third parties
• •Users would not reasonably expect or want this use

PDPC's "Do Not Call" Registry Analogy

PDPC has indicated that organizations should approach cookies similarly to marketing communications:

• •Provide clear, upfront notice
• •Obtain appropriate consent (express or deemed, depending on use)
• •Provide easy opt-out mechanisms
• •Honor opt-out requests promptly

Consent Obligation

• ✓Express Consent Options: Users can actively opt in to analytics and marketing cookies
• ✓Deemed Consent Support: Can be configured to use deemed consent with clear opt-out for certain categories
• ✓Granular Control: Separate categories for Necessary, Functional, Analytics, and Marketing cookies
• ✓Voluntary Consent: No forced acceptance (no cookie walls)
• ✓Withdrawable Consent: Users can change preferences at any time

Notification Obligation

• ✓Clear Banner: Prominent notification of cookie usage before data collection
• ✓Purpose Disclosure: Each cookie category clearly explains its purpose
• ✓Privacy Policy Link: Direct link from banner to detailed privacy policy
• ✓Customizable Text: You can specify exactly what cookies you use and why

Purpose Limitation Obligation

• ✓Category-Based Control: Cookies are categorized by purpose, preventing use for undisclosed purposes
• ✓Script Blocking: Only cookies/scripts for consented purposes are loaded
• ✓Granular Consent: Users can accept some purposes while rejecting others

Access and Correction Obligation

• ✓Consent History Access: Users can view their consent decisions
• ✓Easy Modification: Users can change their preferences at any time
• ✓Data Export: Consent records can be exported for access requests

Protection Obligation

• ✓Secure Logging: Consent data is securely stored with encryption
• ✓Access Controls: Only authorized users can access consent logs
• ✓Audit Trail: Complete logging of all data processing activities

Retention Limitation Obligation

• ✓Configurable Retention: Set appropriate cookie expiration dates
• ✓Consent Record Management: Manage and delete old consent records
• ✓Purpose-Based Retention: Different retention periods for different cookie types

Openness Obligation

• ✓Transparent Practices: Clear disclosure of cookie usage in banner and policy
• ✓Public Accessibility: Cookie information is easily accessible to all users
• ✓Compliance Documentation: Audit reports demonstrate compliance practices

What Constitutes a Notifiable Data Breach?

A data breach is notifiable if it:

• •Results in, or is likely to result in, significant harm to affected individuals; OR
• •Is, or is likely to be, of a significant scale (affecting 500 or more individuals)

Notification Requirements

For notifiable breaches, you must:

• •Notify PDPC: As soon as practicable, but no later than 3 calendar days after assessment
• •Notify Affected Individuals: As soon as practicable after determining the breach is notifiable

What to Include in Notification

• •Description of the data breach
• •Types of personal data affected
• •Number of affected individuals (or estimate)
• •Steps taken or to be taken to mitigate harm
• •Contact information for inquiries

Enforcement Powers

PDPC can:

• •Investigate complaints and conduct audits
• •Issue directions to cease violations
• •Impose financial penalties
• •Publicly name organizations that breach PDPA

Financial Penalties (Enhanced in 2021)

The 2021 PDPA amendments significantly increased maximum penalties:

• •General Violations: Up to S$1 million or 10% of annual turnover in Singapore (whichever is higher)
• •Data Breach Notification Violations: Up to S$1 million
• •Egregious Violations: PDPC can impose higher penalties for serious or repeated violations

Factors Affecting Penalties

PDPC considers various factors when determining penalties:

• •Nature and gravity of the breach
• •Whether the breach was intentional or negligent
• •Size and resources of the organization
• •Whether this is a repeat violation
• •Cooperation with PDPC during investigation
• •Steps taken to prevent recurrence
• •Harm caused to individuals

Recent Enforcement Actions

• •Grab (2022): Fined S$500,000 for failing to notify PDPC of data breach affecting 21 million users within required timeframe
• •Singhealth (2019): Fined S$250,000 for massive healthcare data breach affecting 1.5 million patients - inadequate security measures
• •AXA Insurance (2022): Fined S$52,000 for inadequate consent practices and failure to implement reasonable security
• •Various Online Retailers: Fined for inadequate consent mechanisms for marketing cookies and tracking

1. No Cookie Notice or Consent Mechanism

Mistake: Placing cookies without any notice or consent mechanism, assuming cookies don't qualify as personal data.

Why It's Wrong: Most analytics and marketing cookies involve personal data under PDPA. Even if data isn't immediately identifiable, profiling and behavioral tracking qualify.

Solution: Implement a clear cookie notice and appropriate consent mechanism for all non-essential cookies.

2. Inadequate Privacy Policy

Mistake: Having a generic, template privacy policy that doesn't accurately describe actual cookie usage or data practices.

Why It's Wrong: Violates PDPA's Notification and Openness obligations.

Solution: Create a detailed, accurate privacy policy that specifically describes all cookies used, their purposes, third-party sharing, and international transfers.

3. Bundling Consent

Mistake: Bundling cookie consent with acceptance of terms of service or making website access conditional on accepting all cookies.

Why It's Wrong: Consent must be voluntary and freely given under PDPA. Bundled or forced consent is not valid consent.

Solution: Provide genuine choice. Allow users to reject non-essential cookies and still access your website.

4. No DPO or Contact Information

Mistake: Not appointing a DPO or not publishing contact information for privacy inquiries.

Why It's Wrong: Violates PDPA's Openness obligation and makes it difficult for individuals to exercise their rights.

Solution: Appoint a DPO and clearly publish contact information (email, phone, address) in your privacy policy.

5. Using Personal Data Beyond Stated Purpose

Mistake: Collecting data with cookies for one purpose (e.g., "website analytics") but using it for another (e.g., targeted advertising) without new consent.

Why It's Wrong: Violates PDPA's Purpose Limitation obligation.

Solution: Only use cookie data for disclosed purposes. If you want to use data for new purposes, obtain new consent.

6. Inadequate Security for Cookie Data

Mistake: Not using HTTPS, storing cookie data insecurely, or failing to vet third-party processor security.

Why It's Wrong: Violates PDPA's Protection obligation.

Solution: Implement appropriate security safeguards including encryption, access controls, and vendor security requirements.

7. Indefinite Data Retention

Mistake: Keeping cookie data indefinitely without defined retention periods or deletion procedures.

Why It's Wrong: Violates PDPA's Retention Limitation obligation.

Solution: Set appropriate cookie expiration dates. Regularly delete or anonymize data that's no longer needed for the stated purpose.

8. Ignoring International Data Transfers

Mistake: Not disclosing that third-party services (Google Analytics, Facebook, etc.) transfer data outside Singapore, or failing to implement transfer safeguards.

Why It's Wrong: Violates PDPA's Transfer Limitation and Notification obligations.

Solution: Identify all international transfers, implement appropriate safeguards (contracts, consent), and disclose in privacy policy.

9. Slow Response to Access Requests

Mistake: Taking more than 30 days to respond to access requests without justification or notification.

Why It's Wrong: Violates PDPA's Access and Correction obligation.

Solution: Establish clear procedures to respond to access requests within 30 days. If more time is needed, notify the individual and explain why.