Singapore's legal framework for business websites is comprehensive and actively enforced. The Personal Data Protection Commission (PDPC) issues enforcement decisions against businesses of all sizes, and the DNC Registry compliance requirements affect any website with a contact form or lead capture mechanism. This guide covers what your Singapore website legally must include and do.
The Personal Data Protection Act (PDPA)
Singapore's Personal Data Protection Act (Act 26 of 2012, significantly amended in 2020) is the foundational law governing how businesses collect, use, and disclose personal data collected through websites. Every Singapore business website that collects any personal information — including a contact form — is subject to PDPA.
Consent Obligations
PDPA requires obtaining consent before collecting, using, or disclosing personal data. For websites, this means:
- Contact and enquiry forms must include a clear consent statement — not buried in lengthy T&Cs, but visible adjacent to the form
- The consent statement must specifically identify what data is collected and for what purpose: e.g., "We collect your name, email, and phone number to respond to your enquiry and, if you tick the box below, to send you marketing updates."
- Marketing consent must be separate from transactional consent — bundled consent is non-compliant under the amended PDPA
- Consent records must be retained: timestamp, IP address, form version, exact consent wording
Privacy Policy Requirements
Your PDPA-compliant privacy policy must:
- Identify your business name (matching ACRA registration) and contact details for data queries
- List every category of personal data collected through your website
- Explain the specific purpose for each category of data
- Identify third parties your data is disclosed to (Google Analytics, email platforms, CRM systems)
- Disclose any overseas data transfers — if your contact form data goes to a US-hosted CRM, this must be disclosed
- Explain the data retention period for each category
- Describe how individuals can access, correct, or withdraw consent for their data
Mandatory Data Breach Notification
Under the 2020 PDPA amendments, businesses must notify the PDPC within 3 calendar days of assessing that a data breach is notifiable (affects 500+ individuals or involves sensitive personal data). Affected individuals must be notified as soon as practicable. Your website infrastructure must let you detect a breach and identify the affected records within this window, which in practice means a managed hosting platform that gives you database access and logs.
Do Not Call (DNC) Registry Compliance
Singapore's DNC Registry allows individuals to opt out of receiving marketing calls, SMS, and fax messages. For websites:
- Any contact form that captures phone numbers and is used for marketing follow-up must include a DNC registry check in your internal workflow
- If you use the phone numbers captured through your website for any outbound marketing calls or SMS, you must check each number against the DNC registry before contact
- A marketing SMS opt-in that does not mention DNC opt-out rights is non-compliant
- Best practice: include a checkbox or statement on contact forms: "I consent to being contacted by phone or SMS regarding my enquiry. I understand I can register my number on the DNC Registry."
Spam Control Act Compliance
Singapore's Spam Control Act (Act 21 of 2007) governs unsolicited commercial electronic messages. For websites that send email notifications or newsletters:
- Every marketing email sent to Singapore addresses must include a functional unsubscribe mechanism
- The "From" address must be functional and correctly identify the sender
- The subject line must not be deceptive about the commercial nature of the message
- Transactional emails (order confirmations, account notifications) are exempt, but promotional content embedded in transactional emails is subject to the Act
ACRA UEN Display
While no law specifically targets websites, the Accounting and Corporate Regulatory Authority's (ACRA) broader regulatory framework and industry practice strongly recommend — and in some sectors mandate — displaying your Unique Entity Number (UEN) on your website. Required for:
- Financial advisory firms (MAS regulation)
- Insurance brokers (MAS)
- Legal practices (Law Society guidelines)
- Healthcare providers (MOH)
- All businesses: strongly recommended in footer as a trust and legitimacy signal
Infocomm Media Development Authority (IMDA) Guidelines
IMDA oversees Singapore's digital economy and has issued guidelines relevant to website operators:
- E-commerce websites must display complete merchant information, pricing, and returns policies before purchase
- Subscription services must clearly disclose recurring charges and cancellation terms
- Digital services sold to Singapore consumers must comply with the Consumer Protection (Fair Trading) Act (CPFTA)
Practical Implementation
A PDPA-compliant Singapore business website needs: a clearly accessible privacy policy linked in the footer, a data rights contact email, granular consent checkboxes on all forms (unchecked by default), and consent record logging. QX137 builds all of this into every Singapore client site at no additional cost within the $500 USD project scope. The technical implementation (consent logging, form data handling, footer structure) is included; the policy content requires review by a Singapore privacy lawyer or PDPC-certified professional.
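One way to implement the consent capture and logging described under Consent Obligations and Practical Implementation above: separate enquiry and marketing consent, nothing inferred from an unticked box, and a record of timestamp, IP address, form version and exact wording. This is an added example, not code from the original page or from QX137; the form field names, the version tag and the JSON Lines log format are assumptions.

```python
"""Consent capture and logging for a PDPA-style contact form (added illustration)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

FORM_VERSION = "contact-form-v3"  # constructed tag; bump whenever the consent wording changes
ENQUIRY_WORDING = "We collect your name, email, and phone number to respond to your enquiry."
MARKETING_WORDING = "Tick this box to also receive marketing updates by email."

@dataclass(frozen=True)
class ConsentRecord:
    timestamp: str     # UTC, ISO 8601
    ip_address: str
    form_version: str
    subject: str       # data subject, keyed by the submitted email address
    purpose: str       # "enquiry" or "marketing"
    wording: str       # exact text shown beside the checkbox at submission time
    granted: bool

def checkbox_ticked(value):
    """Only an explicit affirmative value counts; an absent field is never consent."""
    return str(value or "").strip().lower() in {"on", "true", "yes", "1"}

def capture_consents(form, client_ip, now=None):
    """Validate one submission and return one ConsentRecord per purpose.
    Enquiry consent is required to process the form at all; marketing consent is a
    separate checkbox (never pre-ticked, never inferred) recorded as its own decision."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    email = form.get("email", "").strip().lower()
    if not email or not checkbox_ticked(form.get("consent_enquiry")):
        raise ValueError("no enquiry consent: reject the submission and store nothing")
    common = dict(timestamp=ts, ip_address=client_ip, form_version=FORM_VERSION, subject=email)
    return [
        ConsentRecord(purpose="enquiry", wording=ENQUIRY_WORDING, granted=True, **common),
        ConsentRecord(purpose="marketing", wording=MARKETING_WORDING,
                      granted=checkbox_ticked(form.get("consent_marketing")), **common),
    ]

def to_log_lines(records):
    """Serialise records as JSON Lines for an append-only consent log."""
    return [json.dumps(asdict(r), sort_keys=True) for r in records]

def marketing_allowed(log_lines, subject):
    """Latest marketing decision wins, so a later withdrawal record revokes an earlier grant."""
    decision = False
    for line in log_lines:
        rec = json.loads(line)
        if rec["subject"] == subject and rec["purpose"] == "marketing":
            decision = rec["granted"]
    return decision
```

A withdrawal request is handled by appending another marketing record with `granted=False` for the same subject; the log is never edited in place, so the audit trail the PDPC would ask for stays intact.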
Has the PDPC actually fined small Singapore businesses for website compliance failures?
Yes. The PDPC publishes enforcement decisions and has issued financial penalties against SMEs for data breaches and consent violations. A 2022 decision fined a small fitness studio $10,000 SGD for exposing customer data through a poorly secured website database. A 2021 decision fined a real estate agency $20,000 SGD for inadequate data protection measures. The PDPC's enforcement has accelerated since the 2020 amendments. The penalties for SMEs are typically $10,000–$50,000 SGD.
Does embedding Google Analytics on a Singapore website require PDPA disclosure?
Yes. Google Analytics collects IP addresses and browsing behaviour data from your Singapore visitors and transfers it to Google's US servers. Under PDPA, this is a cross-border transfer of personal data that must be disclosed in your privacy policy. You should also implement IP anonymisation in your Google Analytics configuration and, following best practice, obtain analytics consent before loading the GA script.
What is the minimum a small Singapore business needs for PDPA website compliance?
Minimum viable PDPA compliance for a Singapore SME website with a contact form: (1) A privacy policy page explaining what data you collect, why, and who you share it with. (2) Consent wording adjacent to all forms (not pre-ticked). (3) A functional contact email for data rights requests. (4) IP anonymisation on Google Analytics. (5) Form data stored securely (not in a public spreadsheet). This takes about 2 hours to implement and costs nothing beyond your developer's time.