Skip to main content
Back to Guides
Compliance5 min read

Singapore PDPA Cookie Consent: 2026 Guide

Since October 2022, Singapore's regulator can fine organisations up to 10% of local turnover for data breaches. Here's how the PDPA treats cookies, how deemed consent works, and why ignored browser settings don't count as agreement.

Since 1 October 2022, Singapore's Personal Data Protection Commission (PDPC) can fine an organisation up to 10% of its annual turnover in Singapore, or S$1 million, whichever is higher, for breaching the data protection provisions of the PDPA. That's a meaningful jump from the old S$1 million ceiling, and it's the number that should frame how you handle cookies.

Singapore's approach to cookies is more flexible than the EU's, but flexible isn't the same as absent. This guide covers how the Personal Data Protection Act (PDPA) treats cookies, how deemed consent works, and where the PDPC draws the line.

The law and the regulator

The PDPA is Singapore's data protection statute, first enacted in 2012 and amended substantially in 2020. It's administered by the PDPC. The Commission publishes Advisory Guidelines that explain how it interprets the Act, and its Advisory Guidelines on the PDPA for Selected Topics includes a chapter on online activities and cookies. Those guidelines aren't the law itself, but they're how the regulator signals what it expects.

When cookies need consent

The PDPA turns on whether a cookie collects, uses or discloses personal data. If a cookie handles personal data, the consent obligation applies. If it doesn't identify anyone, the framework isn't triggered. That's the first question to ask about each cookie you set.

Where consent is needed, the PDPA offers more routes than a straight opt-in:

  • Express consent. The clearest basis, and the right choice for advertising and cross-site tracking cookies.
  • Deemed consent. If a cookie is necessary for an activity the individual has clearly requested, and they voluntarily provide the data for that purpose, consent can be deemed. A cookie that keeps items in a shopping cart during checkout is a common example.
  • Deemed consent by notification (section 15A). Introduced in the 2020 amendments, this lets you proceed after notifying people of the purpose, assessing that it won't have an adverse effect, and giving a reasonable opt-out period.

Ignored Browser Settings Are Not Consent

The PDPC's Advisory Guidelines are explicit on this point: the mere failure of an individual to actively manage their browser settings does not mean they've consented to collection, use or disclosure of their personal data. You can't fall back on "they could have blocked cookies in their browser" as a substitute for asking. For advertising and analytics cookies, get express consent through the banner.

Notification and purpose limitation

Even where consent is deemed, the PDPA's notification and purpose-limitation obligations still apply. You have to tell people the purposes for which you're collecting their data, and you can only use it for purposes a reasonable person would consider appropriate. A cookie notice that lists your categories and their purposes, with a link to a fuller privacy policy, covers the notification side. Reusing analytics data to build advertising profiles without fresh consent is the kind of purpose creep the Act guards against.

Accountability and data subject rights

The 2020 amendments added a mandatory accountability layer. Every organisation has to appoint a Data Protection Officer and publish a way to contact them, and you're expected to have written policies that show how you meet the PDPA. Individuals can ask what personal data you hold and how it's been used, and can request corrections. If your analytics or advertising cookies tie back to an identifiable person, that data falls inside those access and correction rights, so keep your cookie records in a form you could actually produce on request.

Singapore also runs a separate Do Not Call registry for telephone, SMS and fax marketing. That's a different regime from cookie consent, but it's part of the same PDPA and worth knowing if your site captures phone numbers alongside setting marketing cookies. The two obligations stack: honouring a cookie opt-out doesn't excuse messaging a number on the Do Not Call list.

Penalties

The enhanced penalty regime took effect on 1 October 2022. For organisations with annual turnover in Singapore above S$10 million, the maximum financial penalty is 10% of that turnover. For everyone else, the cap is S$1 million. The PDPC can also issue directions to stop non-compliant processing and to put things right. Its published enforcement decisions lean heavily on security lapses and unauthorised disclosure, so a clean consent record is part of showing you took reasonable care.

Where CookieBeam Fits

CookieBeam's regional rules let you tune the banner for Singapore visitors, so you can seek express consent for advertising cookies while treating genuinely requested functional cookies differently. Per-purpose consent logging records which categories each visitor accepted, with a timestamp, giving you evidence of the choice rather than an assumption from browser settings. You define the categories; the banner handles the gating.

A practical setup for Singapore

Put the pieces together and a workable approach looks like this. Classify each cookie by whether it handles personal data and whether the user genuinely requested the activity it supports. Let strictly functional cookies (cart, session, load balancing) run under deemed consent, with a clear notice. Gate everything else, advertising, cross-site tracking and any analytics that identifies people, behind express consent in the banner. Give visitors a way back into their preferences, keep a record of what each person chose, and name a Data Protection Officer who can answer access requests. That setup satisfies the PDPA's consent, notification and accountability duties without over-blocking cookies the law lets you treat as deemed.

Related guides

Singapore's deemed-consent model is worth comparing with stricter neighbours. See Thailand's PDPA, South Korea's PIPA, and China's PIPL. For the wider view, read cookie consent laws around the world and running one banner across a global audience.

Primary sources: Personal Data Protection Commission (Singapore), pdpc.gov.sg; Personal Data Protection Act 2012; PDPC Advisory Guidelines on the PDPA for Selected Topics; PDPC announcement on enhanced financial penalties (effective 1 October 2022).

Singapore PDPA Cookie Consent 2026: PDPC Rules | CookieBeam | CookieBeam