PDPA Compliance | 9 min read | 12 April 2026

Understanding Consent Under PDPA: When and How to Collect Personal Data

Complete guide to PDPA consent requirements in Singapore. Learn express consent, deemed consent, exceptions, withdrawal rules, and practical examples for businesses.

ComplyHQ Team

Consent is the cornerstone of the PDPA. Before you collect, use, or disclose personal data, you generally need the individual's permission. But the PDPA's consent framework is more nuanced than a simple "yes or no." It includes express consent, deemed consent, deemed consent by notification, and a set of exceptions where consent is not required at all.

Understanding these distinctions is critical for Singapore businesses. Get consent wrong, and you risk penalties of up to S$1 million per breach. Get it right, and you build a foundation of trust with your customers while staying compliant.

Under Part IV, Division 1 of the PDPA (Sections 13-17):

  • Section 13: An organisation shall not collect, use, or disclose personal data unless the individual gives, or is deemed to have given, consent.
  • Section 14: Deemed consent applies when the individual voluntarily provides data for a reasonable purpose, or when data is publicly available.
  • Section 15: Deemed consent by contractual necessity applies when data processing is reasonably necessary to perform a contract.
  • Section 15A: Deemed consent by notification applies when an organisation notifies the individual and provides a reasonable opt-out period.
  • Section 16: An individual may withdraw consent at any time with reasonable notice.
  • Section 17: Organisations must not require consent beyond what is reasonable as a condition of providing a product or service.

Express consent is the most straightforward form. The individual actively and clearly agrees to the collection, use, or disclosure of their personal data.

Examples:

  • Checking a consent box on a web form
  • Signing a consent clause in a contract
  • Verbally agreeing after being informed of the purpose
  • Clicking "I agree" on a terms and conditions page
  • Replying "yes" to a consent request via email or SMS

Requirements for valid express consent:

  • The individual must be informed of the purpose of data collection
  • The consent must be voluntary (not coerced or bundled with unrelated conditions)
  • The individual must understand what they are consenting to (no hidden clauses)

When an individual voluntarily provides personal data for a purpose that would be considered reasonable by any ordinary person, consent is deemed to have been given.

Examples:

  • A customer provides their name and email on a contact form to ask a question — they are deemed to have consented to you using their data to respond
  • A visitor gives their business card at a trade show — they are deemed to have consented to follow-up business communication
  • A patient provides health information to a clinic during a consultation — they are deemed to have consented to treatment purposes

Limitation: Deemed consent by voluntary provision covers only the obvious, immediate purpose. If a customer gives their email to receive a receipt, you cannot use it for marketing without separate consent.

Consent is deemed given when the collection, use, or disclosure of personal data is reasonably necessary to perform a contract that the individual is a party to.

Examples:

  • An e-commerce customer provides their address — consent to share it with a logistics company for delivery is deemed
  • An employee provides bank account details — consent to use them for salary payment is deemed
  • A client signs a service agreement — consent to share their details with relevant team members to perform the service is deemed

Introduced by the 2020 PDPA amendments, this mechanism allows organisations to notify individuals of an intended data use and obtain deemed consent if the individual does not opt out within a reasonable period.

How it works:

  1. Notify the individual of the purpose for which you intend to collect, use, or disclose their data
  2. Provide a reasonable period for the individual to opt out
  3. Provide a clear and easy way to opt out
  4. If the individual does not opt out, consent is deemed given

Requirements:

  • The notification must be clear and conspicuous
  • The opt-out period must be reasonable (the PDPC has not specified a minimum, but 14-30 days is common practice)
  • The opt-out mechanism must be simple and accessible
  • You must assess that the collection/use/disclosure would not have any adverse effect on the individual

Example: A company sends existing customers an email saying: "We plan to share your email address with our partner company for joint promotions. If you do not wish for us to do so, click here to opt out within 14 days." If the customer does not opt out, consent is deemed given.

Important: Deemed consent by notification is not a blanket permission to collect data through inaction. It applies only when the intended use is reasonable and unlikely to cause harm. The PDPC can challenge the use of this mechanism if the purpose is inappropriate.

The PDPA provides a set of exceptions in the Second, Third, and Fourth Schedules where personal data can be collected, used, or disclosed without consent. Key exceptions include:

  • Data collection is required by law (e.g., tax reporting, employment records, AML/KYC requirements)
  • Data is publicly available (e.g., information published on a public website or directory)
  • Collection is necessary for national interest or emergency situations
  • Collection is for evaluative purposes (e.g., credit assessments, job reference checks)
  • Use is necessary for investigations by public agencies (police, regulatory authorities)
  • Use is for research or statistical analysis where the data is anonymised
  • Use is in the legitimate interests of the organisation, but only for specific purposes defined in the Fourth Schedule (e.g., debt recovery, insurance claims, legal proceedings)
  • Disclosure is required by law (e.g., court orders, regulatory reporting)
  • Disclosure is to a public agency for the performance of its functions
  • Disclosure is for business asset transactions (mergers, acquisitions, restructuring)

Important: Even when exceptions apply, you must still comply with other PDPA obligations, including the Protection, Retention, and Accuracy obligations.

Under Section 16, individuals have the right to withdraw consent at any time by giving reasonable notice. Here is how to handle it:

  1. Process the withdrawal within a reasonable time (best practice: confirm within 10 business days, cease processing within 30 days)
  2. Inform the individual of consequences before processing the withdrawal. For example: "If you withdraw consent for email communication, we will not be able to send you order updates or delivery notifications."
  3. Stop processing the individual's data for the purpose from which consent was withdrawn
  4. Update your records to reflect the withdrawal
  5. Ensure downstream systems respect the withdrawal (CRM, email marketing, third-party tools)

What You Do NOT Have to Do

  • Delete all their data: Withdrawal of consent does not trigger a right to deletion. You can retain data for legitimate legal or business purposes, even after consent is withdrawn.
  • Stop all processing: Withdrawal applies only to the specific purpose from which consent was withdrawn. If you have separate consent for other purposes, those remain valid.
  • Comply immediately: You are entitled to a reasonable processing period. However, do not use this as an excuse to delay — the PDPC expects prompt action.

Common Withdrawal Mechanisms

Provide clear, accessible ways for individuals to withdraw consent:

  • Unsubscribe links in marketing emails
  • Account settings where users can manage their preferences
  • Contact form or email to your DPO
  • Phone call to your customer service team

The process for withdrawing consent should not be unreasonably difficult. If consent was obtained through a one-click sign-up, withdrawal should not require a multi-step process.

Do

  • Be specific: Obtain separate consent for each distinct purpose. Do not bundle marketing consent with service consent.
  • Be transparent: Clearly state what data you are collecting and why, at the point of collection.
  • Keep records: Document when and how consent was obtained, and what the individual was told. You may need to prove consent in a PDPC investigation.
  • Make withdrawal easy: Provide simple, accessible mechanisms for consent withdrawal.
  • Review regularly: As your data practices evolve, review whether your consent mechanisms still cover your actual uses.

Do Not

  • Bundle consent with service conditions: You cannot make consent to marketing a condition of purchasing your product (Section 17).
  • Use deceptive design patterns: Consent mechanisms designed to trick users into agreeing (dark patterns) undermine the validity of consent.
  • Assume consent is permanent: Consent can be withdrawn at any time. Design your systems to handle this.
  • Rely on deemed consent for sensitive purposes: For sensitive data types (health, financial, NRIC) or unusual purposes, always obtain express consent.
  • Ignore the DNC Registry: Even if a customer consented to marketing, check the DNC Registry before sending marketing messages to Singapore phone numbers. DNC registration overrides prior consent unless the customer provided clear and unambiguous consent specifically for phone marketing.

Practical Scenarios

Scenario 1: E-Commerce Website

A customer places an order and provides their name, email, shipping address, and credit card information.

  • Order fulfilment (shipping, payment processing): Deemed consent by contractual necessity
  • Order confirmation emails: Deemed consent (necessary for the transaction)
  • Marketing newsletters: Requires express consent (separate checkbox during checkout: "I would like to receive promotional emails")
  • Sharing data with delivery partner: Deemed consent by contractual necessity
  • Sharing email with marketing partner: Requires express consent

Scenario 2: B2B Service Provider

A potential client provides their business card at a networking event.

  • Following up about your services: Deemed consent by voluntary provision (they gave you their card at a business event)
  • Adding them to a marketing mailing list: Deemed consent by notification (notify them and provide an opt-out period) or express consent
  • Sharing their details with a partner company: Requires express consent

Scenario 3: HR and Employment

A job applicant submits a resume through your careers page.

  • Evaluating their application: Deemed consent by voluntary provision
  • Background checks: Requires express consent (include a consent clause in the application form)
  • Retaining their resume for future openings: Requires express consent ("May we keep your resume on file for 12 months for future opportunities?")
  • Payroll processing after hiring: Deemed consent by contractual necessity (employment contract)

Frequently Asked Questions

What is deemed consent under the PDPA?

Deemed consent means consent is implied from the individual's actions rather than explicitly given. There are three forms: (1) voluntary provision — when someone voluntarily gives you data for an obvious purpose, (2) contractual necessity — when data processing is reasonably necessary to fulfil a contract, and (3) notification-based — when you notify the individual of intended use and they do not opt out within a reasonable period.

Can I use pre-ticked consent boxes?

The PDPA does not explicitly prohibit pre-ticked boxes for express consent, unlike the GDPR which does. However, the PDPC expects consent to be genuine and informed. Using pre-ticked boxes for non-obvious purposes (particularly marketing) is risky because it may not demonstrate genuine consent. Best practice is to use unticked boxes for marketing consent and to clearly separate consent for different purposes.

What are the exceptions to the consent requirement?

The PDPA provides several exceptions where consent is not needed. Key exceptions include: data collection required by law (tax reporting, employment records), national interest or emergency situations, investigations by public agencies, publicly available data, data needed for evaluative purposes (credit checks, job references), and business asset transactions (mergers and acquisitions). These are found in the Second, Third, and Fourth Schedules of the PDPA.

How long do I have to process a consent withdrawal?

The PDPA does not specify an exact timeframe, but requires organisations to process withdrawals within a 'reasonable time.' Best practice is to confirm withdrawal within 10 business days and cease the relevant data processing within 30 days. You must inform the individual of the likely consequences of withdrawal before processing it.
