Compliance | 7 min read | 26 May 2026

Cookie Consent and Website Tracking Under PDPA: What Singapore Businesses Must Do

Singapore SME guide to PDPA-compliant cookie consent and website tracking. Learn consent requirements, tracking rules, and avoid PDPC penalties.

ComplyHQ Team

If you run a website or e-commerce store in Singapore, you're already collecting data—whether you realise it or not. Every page load, every button click, every purchase creates digital breadcrumbs that cookies and tracking pixels follow. The PDPA (Personal Data Protection Act 2012) means you can't just collect quietly anymore. You need consent, transparency, and documented proof that you asked permission.

For SME owners, this feels overwhelming. But it's simpler than you think—if you understand the rules and set up your compliance once.

This guide walks you through exactly what the PDPC expects, why cookie tracking matters under PDPA, and how to build a cookie consent framework that protects both your customers and your business.

Understanding PDPA and Personal Data Collection

The PDPA applies to any organisation in Singapore that handles personal data—including data collected through cookies and website tracking tools.

Personal data under PDPA means any information that can identify an individual:

  • Email addresses
  • IP addresses (yes, really—the PDPC treats IP addresses as personal data)
  • Cookie identifiers
  • Behavioural tracking data linked to a user
  • Names, phone numbers, purchase history

The moment a cookie or tracking pixel captures any of these, you're handling personal data. And when you handle personal data, PDPA compliance isn't optional—it's mandatory.

PDPA is built on the Consent Principle. In plain English: you must get clear, voluntary, specific consent before you collect or use personal data.

The PDPC's 2021 Advisory Guidelines on Consent are explicit: "Consent should be obtained before personal data is collected or used."

This means:

  • Consent must come before the cookie is placed—not after
  • Users must actively opt-in (clicking a button)—not opt-out
  • Consent must be specific to each purpose (analytics, marketing, advertising)
  • Pre-ticked boxes are not valid under PDPA

Real Consequences for Non-Compliance

In 2023, the PDPC issued a correction notice to a major e-commerce retailer for silently tracking users without proper consent. The retailer was forced to implement immediate changes and faced reputational damage. While they weren't fined on this occasion, the retailer spent thousands on remediation and legal advice.

In another case, a Singapore fintech startup was caught retargeting users with ads based on undisclosed tracking. The PDPC's investigation revealed they had no documented consent records—a dangerous position. They escaped a formal fine but only because they cooperated fully and implemented changes quickly.

For SMEs, the pattern is clear: enforcement is real, and penalties compound fast.

Types of Cookies Under PDPA

Not all cookies are the same. Understanding the types helps you know which require consent.

Strictly Necessary Cookies

These cookies are essential for your website to function:

  • Session cookies that keep users logged in
  • Security cookies that prevent fraud
  • Load-balancing cookies that distribute traffic
  • Language preference cookies
  • Shopping cart cookies

The PDPC accepts that strictly necessary cookies don't require explicit consent because users can't access your service without them. However, you still need to disclose them in your privacy policy.

Functional Cookies

These improve user experience but aren't essential:

  • Remembering user preferences
  • Storing form data
  • Tracking video play progress
  • Personalising website layout

These require consent because they go beyond technical necessity.

Analytics Cookies

Tools like Google Analytics, Hotjar, and Mixpanel track user behaviour to help you understand site performance:

  • Page views, session duration, bounce rate
  • User journeys and conversion funnels
  • Device and browser data
  • Heatmaps and session recordings (if enabled)

Analytics cookies must have documented consent. Even if the data is anonymised, if there's any possibility of re-identification, it's personal data under PDPA.

Marketing Cookies

The strictest category. These enable retargeting and personalised ads:

  • Facebook Pixel
  • Google Ads remarketing
  • LinkedIn tracking
  • Email marketing platform pixels

Users must actively opt-in. You cannot rely on pre-ticked boxes or implicit consent.

Third-Party Cookies (Extra Caution)

If your website uses third-party tools (Shopify, WooCommerce plugins, email capture widgets), those tools may place cookies. You remain responsible for PDPA compliance—you can't pass accountability to the vendor.

Building PDPA-Compliant Cookie Consent

Here's what you actually need to do:

Audit Your Cookies

Before you do anything else, document every cookie on your website:

Use tools like:

  • Browser DevTools (right-click → Inspect → Application → Cookies)
  • Chrome extension "Cookie-Editor" or "EditThisCookie"
  • Cookiebot or OneTrust (paid, but comprehensive)

For each cookie, record:

  • Cookie name and function
  • What data it collects
  • Whether it's first-party or third-party
  • How long it persists
  • Who the vendor is (if third-party)

Don't skip this step. Most enforcement actions happen because businesses don't know what's actually on their website.
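The audit register described above, as an added example that is not part of the original guide or any vendor's tooling: it parses Set-Cookie headers captured from a page load into one row per cookie with the fields the list asks for (name, first- or third-party, vendor, persistence). The site hostname, the sample headers and the starting classification table are constructed values; anything the table does not recognise is flagged for manual classification rather than guessed.

```javascript
// Added example (not from the page or any CMP vendor): turn captured Set-Cookie
// headers into the per-cookie audit register the guide describes.

const SITE_HOST = "shop.example.sg"; // assumption: the audited site's own hostname

// Assumed starting classification. Real audits extend this table by hand;
// "sessionid" and "cart" are constructed first-party names for this sample.
const KNOWN_COOKIES = {
  sessionid: { category: "strictly necessary", vendor: "own site" },
  cart: { category: "strictly necessary", vendor: "own site" },
  _ga: { category: "analytics", vendor: "Google Analytics" },
  _fbp: { category: "marketing", vendor: "Facebook Pixel" },
  IDE: { category: "marketing", vendor: "Google Ads (DoubleClick)" },
};

// Constructed sample of Set-Cookie headers seen on one page load.
const SAMPLE_SET_COOKIE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "cart=item42; Path=/; Max-Age=604800; Secure",
  "_ga=GA1.2.123456789.1700000000; Domain=.shop.example.sg; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT",
  "_fbp=fb.1.1700000000.987654321; Domain=.shop.example.sg; Path=/; Max-Age=7776000",
  "IDE=AHWqTUk; Domain=.doubleclick.net; Path=/; Max-Age=33696000; Secure; SameSite=None",
];

// Parse one Set-Cookie header into the attributes the audit needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    domain: null, maxAge: null, expires: null, secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = value.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAge = Number(value);
    else if (key === "expires") cookie.expires = new Date(value);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Host-only cookies and cookies scoped to the site's own domain are first-party.
function isFirstParty(cookie, siteHost) {
  if (!cookie.domain) return true;
  return siteHost === cookie.domain || siteHost.endsWith("." + cookie.domain);
}

// Lifetime in days; 0 means a session cookie. Max-Age takes precedence over Expires.
function persistenceDays(cookie, now = new Date("2026-05-26T00:00:00Z")) {
  if (cookie.maxAge !== null) return Math.round(cookie.maxAge / 86400);
  if (cookie.expires && !Number.isNaN(cookie.expires.getTime())) {
    return Math.max(0, Math.round((cookie.expires.getTime() - now.getTime()) / 86400000));
  }
  return 0;
}

// One register row per cookie, with the fields the audit list asks for.
function buildInventory(headers, siteHost = SITE_HOST, now = undefined) {
  return headers.map(parseSetCookie).map((c) => {
    const days = persistenceDays(c, now);
    const firstParty = isFirstParty(c, siteHost);
    const known = KNOWN_COOKIES[c.name];
    return {
      name: c.name,
      party: firstParty ? "first-party" : "third-party",
      vendor: known ? known.vendor : (firstParty ? "own site" : c.domain),
      category: known ? known.category : "unknown (classify manually)",
      persistence: days === 0 ? "session" : `${days} days`,
      secure: c.secure,
      httpOnly: c.httpOnly,
    };
  });
}

// Every cookie that is not strictly necessary needs a consent decision before it is set.
function cookiesNeedingConsent(inventory) {
  return inventory.filter((row) => row.category !== "strictly necessary").map((row) => row.name);
}
```

Run it against headers copied from the DevTools Network panel or a HAR export; the rows with category "unknown" are the ones to chase down with the vendor before the register is considered complete.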

Update Your Privacy and Cookie Policies

Your privacy policy must explain:

  • What personal data you collect and why
  • How long you keep it
  • Who you share it with
  • Users' rights (access, correction, withdrawal)

Your cookie policy (or cookie section in your privacy policy) must detail:

  • Each cookie type and its purpose
  • How long cookies persist
  • The business or legitimate interest
  • How users can withdraw consent

Write in plain language. Legal jargon costs you trust. Singapore users deserve to understand what's happening.

Install a Consent Management Platform (CMP)

A CMP is software that:

  • Displays a cookie banner before non-essential cookies load
  • Captures user choices
  • Stores consent records (critical for proving compliance)
  • Enables users to withdraw consent later

Popular options:

  • Cookiebot (comprehensive, PDPC-familiar)
  • OneTrust (enterprise-grade)
  • TrustBox (affordable for SMEs)
  • Iubenda (good for e-commerce)
  • Simple Cookie (lightweight, budget option)

Choose one that:

  • Blocks non-essential cookies until consent is given
  • Records consent timestamps and preferences
  • Allows easy withdrawal of consent
  • Provides audit reports for PDPC investigations

Design a Compliant Cookie Banner

Your banner must:

  • Appear before non-essential cookies are placed
  • Be prominent (not hidden at the bottom)
  • Provide granular controls ("Accept All" + "Reject All" + custom choices)
  • Explain each cookie category clearly
  • Link to your full cookie policy
  • Use plain language (not legal terms)

Example structure:

We use cookies to improve your experience.

📊 Analytics Cookies - Help us understand how you use our site
🎯 Marketing Cookies - Enable personalised ads and retargeting
⚙️ Functional Cookies - Remember your preferences

[Accept All]  [Reject All]  [Manage Preferences]

[Learn More]

Pre-ticked boxes are not compliant. Users must actively opt-in.

Conditionalise Third-Party Tools

If you use:

  • Google Analytics → requires consent before loading
  • Facebook Pixel → requires consent before loading
  • Mailchimp widget → requires consent before loading
  • Hotjar → requires consent before loading

Your CMP should delay loading of these tools until consent is received. Tools like Google Tag Manager can help conditionalise when scripts fire.

Many SMEs accidentally load these tools before getting consent—a common PDPA violation.

Store Consent Records

Every time a user interacts with your banner, record:

  • Their choice (Accept/Reject/Customise)
  • Timestamp
  • IP address (anonymised is better)
  • Browser/device info
  • Which cookies they consented to

If the PDPC investigates, these records prove you asked permission. Without them, you have no defence.

Allow Easy Withdrawal

Users must be able to change their mind. Provide:

  • A "Cookie Preferences" link in your website footer
  • A link in your privacy policy
  • A way to withdraw consent from your CMP dashboard

If a user withdraws consent, stop using those cookies immediately. Don't process any data collected after withdrawal.

PDPC guidance suggests refreshing consent every 12-24 months. If your cookie policy changes (e.g., you add a new analytics tool), ask for fresh consent.
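The consent gate, consent record and withdrawal logic described in the last three steps, as one added example that is not part of the original guide or any CMP product: third-party tags are registered under a category and held until the user opts in; every banner interaction is logged with a timestamp, the policy version and an anonymised IP; withdrawal runs each tag's cleanup and blocks it again; and a helper decides when consent must be asked for afresh. The category names, the 12-month refresh window, the policy version string and the loader callbacks are assumptions.

```javascript
// Added example (not from the page or any CMP vendor): a minimal consent gate
// that defers third-party tags until opt-in, logs decisions, and handles withdrawal.

// Zero the last octet so the stored address cannot single out one device (IPv4 only).
function anonymiseIp(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  parts[3] = "0";
  return parts.join(".");
}

// In a browser, a tag's loader would call this with the vendor's script URL.
function injectScript(src) {
  if (typeof document === "undefined") return; // not running in a browser
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

function createConsentGate(options = {}) {
  const policyVersion = options.policyVersion || "2026-05"; // assumption: bump when the policy changes
  const maxAgeDays = options.maxAgeDays || 365;             // assumption: re-ask after 12 months
  const pending = { analytics: [], marketing: [], functional: [] };
  const loaded = new Set();
  const log = [];       // consent records; persist these server-side in production
  let current = null;   // no decision yet: every non-essential category stays blocked

  // Register a tag with a loader and an unloader that clears the cookies it set.
  function registerTag(category, name, loader, unloader = () => {}) {
    if (!(category in pending)) throw new Error(`unknown category: ${category}`);
    pending[category].push({ name, loader, unloader });
  }

  function applyCategory(category, granted) {
    for (const tag of pending[category]) {
      if (granted && !loaded.has(tag.name)) { tag.loader(); loaded.add(tag.name); }
      else if (!granted && loaded.has(tag.name)) { tag.unloader(); loaded.delete(tag.name); }
    }
  }

  // Record one banner interaction. Defaults are all false: nothing is pre-ticked.
  function record(choices, meta = {}) {
    const granted = { analytics: false, marketing: false, functional: false, ...choices };
    const entry = {
      timestamp: (meta.now || new Date()).toISOString(),
      action: meta.action || "customise",
      policyVersion,
      anonymisedIp: meta.ip ? anonymiseIp(meta.ip) : null,
      userAgent: meta.userAgent || null,
      granted,
    };
    log.push(entry);
    current = entry;
    for (const category of Object.keys(pending)) applyCategory(category, granted[category]);
    return entry;
  }

  const acceptAll = (meta) => record({ analytics: true, marketing: true, functional: true }, { ...meta, action: "accept_all" });
  const rejectAll = (meta) => record({}, { ...meta, action: "reject_all" });
  const withdraw = (meta) => record({}, { ...meta, action: "withdraw" });

  // Ask again when there is no record, the policy changed, or the record is past the window.
  function needsFreshConsent(now = new Date(), currentPolicyVersion = policyVersion) {
    if (!current) return true;
    if (current.policyVersion !== currentPolicyVersion) return true;
    const ageDays = (now.getTime() - new Date(current.timestamp).getTime()) / 86400000;
    return ageDays > maxAgeDays;
  }

  const isGranted = (category) => Boolean(current && current.granted[category]);
  const exportLog = () => log.map((e) => ({ ...e, granted: { ...e.granted } }));
  const loadedTags = () => [...loaded];

  return { registerTag, record, acceptAll, rejectAll, withdraw, needsFreshConsent, isGranted, exportLog, loadedTags };
}
```

In a page, wire the banner buttons to acceptAll, rejectAll and record, register each vendor tag with a loader that calls injectScript with that vendor's script URL and an unloader that expires its cookies, and show the banner whenever needsFreshConsent() is true. The exported log is the audit trail the guide says you need; the design choice of storing an anonymised IP rather than the full address keeps the record useful as evidence without collecting more personal data than the proof requires.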

Document Your Data Processing

Create a Data Processing Register listing:

  • What data you collect (name, email, IP, behaviour)
  • Why (functional necessity, analytics, marketing)
  • How long you keep it
  • Who has access
  • Where it's stored (cloud provider location matters)

This isn't just for PDPA—it's best practice data governance.

Common PDPA Cookie Mistakes

Mistake 1: Silent Analytics Tracking

What it looks like: You install Google Analytics without any banner or consent request.

Why it's dangerous: IP addresses and analytics user IDs are personal data. Even "anonymised" analytics require consent if re-identification is possible.

Fix: Get consent before loading any analytics tool. If you need analytics that run without a consent gate, use privacy-focused tools (Plausible, Fathom, Simple Analytics) that don't require cookies or consent.

Mistake 2: Pre-Ticked Boxes

What it looks like: Your cookie banner has boxes for "Marketing Cookies" and "Analytics Cookies" that are already ticked.

Why it's dangerous: PDPA requires affirmative consent—not presumed consent. Pre-ticks violate the Consent Principle.

Fix: All non-essential categories should be unticked by default. Users must actively click to consent.

Mistake 3: Vague Cookie Banners

What it looks like: "We use cookies to improve your experience."

Why it's dangerous: Users don't know what they're consenting to. PDPC requires specific, informative consent.

Fix: Name each cookie type, explain what data it collects, and state the business purpose clearly.

Mistake 4: No Consent Records

What it looks like: You have a cookie banner, but your CMP doesn't log who consented to what.

Why it's dangerous: During a PDPC audit, you can't prove compliance. Absence of records is treated as non-compliance.

Fix: Choose a CMP that timestamps and stores every consent interaction. Export reports monthly for your records.

Mistake 5: Dense Legal Language

What it looks like: Your cookie policy is 3,000 words of dense legal language.

Why it's dangerous: Users can't give informed consent if they can't understand. PDPC expects plain language.

Fix: Explain cookies in 1-2 sentences per category. Link to detailed info for the legally curious. Aim for Secondary School level reading.

Streamlining PDPA Compliance for SMEs

Managing PDPA compliance across your whole operation—data retention, consent, third-party vendors, audit trails—is genuinely complex. Many SME owners juggle compliance alongside running their business.

ComplyHQ simplifies this. It's AI-powered compliance software that builds your consent framework, tracks consent records, and flags compliance gaps in real time. Instead of manual spreadsheets and guesswork, you get PDPA compliance that handles your obligations in minutes, not weeks. This matters most when PDPC audits happen—you've already got your proof.

But whether you use ComplyHQ or build compliance manually, the fundamentals remain: consent first, transparency always, records forever.

PDPA Compliance Checklist for Your Website

Use this to audit your current setup:

  • Cookie Audit Complete – You've documented every cookie on your site
  • Privacy Policy Updated – It explains personal data collection, retention, and rights
  • Cookie Policy Created – Clear, granular explanations of each cookie type
  • CMP Installed – A consent management platform blocks non-essential cookies
  • Consent Records Stored – Every user interaction with your banner is logged
  • Third-Party Tools Conditionalised – Analytics, pixels, widgets don't load until consent
  • Withdrawal Mechanism in Place – Users can change preferences anytime
  • Pre-Ticked Boxes Removed – All non-essential categories start unticked
  • Plain Language Used – Your cookie descriptions are understandable, not legal jargon
  • Audit Trail Maintained – You can export consent records for PDPC investigations

What Happens During a PDPC Investigation?

If the PDPC audits your website (via complaint or proactive sweep), here's what they check:

  1. Consent timing – Do cookies load before consent? (Many fail this.)
  2. Consent specificity – Can users opt-in to each category separately?
  3. Consent documentation – Do you have timestamped records?
  4. Cookie transparency – Can users understand what each cookie does?
  5. Third-party vendors – Are third-party pixels/scripts conditionalised?
  6. Data retention – Do you delete old data as promised?
  7. User rights – Can users easily access, correct, or delete their data?

If you pass, you get a clean audit. If you fail, the PDPC issues a Correction Notice—you must fix violations within a specified timeframe. Ignore it, and you face escalation to financial penalties (up to SGD 1 million) and potential prosecution.

Having documented consent records, a working CMP, and a clear privacy policy means you'll likely pass.

Moving Forward: PDPA Compliance as Ongoing Practice

PDPA compliance isn't a one-time project. It's an ongoing practice:

  • Quarterly reviews – Check your cookie audit for new tools or changes
  • Annual consent refresh – Ask users to re-consent if your policy changes
  • Vendor management – Track which third parties you use and their PDPA compliance
  • Team training – Make sure your team knows PDPA basics and why consent matters
  • Incident response plan – Know what to do if a data breach happens

Singapore's data protection environment is tightening. Recent PDPC enforcement actions target both large corporations and small businesses. SMEs who take compliance seriously now avoid costly remediation later.

Your customers also care. PDPA breaches damage trust. A transparent, consent-first approach builds confidence that their data is safe with you.

Final Thoughts

Cookie consent under PDPA isn't about restriction—it's about respect. Users deserve to know what you're tracking and why. When you explain clearly and ask permission, most will consent. You get the data you need for analytics and marketing; they get a website that respects their privacy.

Start with the checklist above. Audit your cookies, build your policies, implement a CMP, and maintain consent records. If you get stuck, tools and platforms exist to help.

The PDPC's message is clear: compliance is not negotiable. But it's achievable for any SME willing to invest a few hours upfront.


Have PDPA questions about your website? ComplyHQ's compliance experts help Singapore SMEs navigate data protection in plain language. Start your free compliance audit today.


Frequently Asked Questions

Do I need consent for all cookies on my Singapore website?

Not all cookies require consent under PDPA. Cookies that don't collect personal data (like session cookies for site functionality) don't need explicit consent. However, analytics cookies, marketing cookies, and any cookies that identify or track users require opt-in consent before they're placed. The PDPC's position is clear: if a cookie processes personal data, you need documented consent first—not consent after the fact.

What happens if I don't comply with PDPA cookie requirements?

The PDPC can issue correction notices requiring you to implement proper consent mechanisms. In serious cases, you face financial penalties up to SGD 1 million for first-time offences. More importantly, you risk customer trust damage when breaches become public. Several Singapore e-commerce businesses have faced enforcement action for silent tracking and undisclosed data collection through cookies.

Is a generic 'by using this site you accept cookies' message enough?

No. PDPA requires affirmative, informed consent—not implied consent. Your cookie banner must clearly describe what data each cookie collects, who it's shared with, and for what purpose. Users must actively opt-in (clicking a button), not have to opt-out. A vague acceptance message won't protect you if the PDPC audits your site.

Can I use Google Analytics without PDPA consent?

Only if you anonymise the data so it cannot identify individuals. Standard Google Analytics with IP addresses and User IDs requires consent first, since IP addresses are personal data under PDPA. Many Singapore businesses have moved to privacy-focused analytics (like Plausible or Fathom) to reduce consent friction while staying compliant.
Tags: PDPA, Singapore compliance, SME, data protection, PDPC, cookies, website tracking
