compliance · 7 min read · 24 May 2026

Handling Customer Feedback and Online Reviews Under PDPA: Singapore SME Guide

Learn how to collect, manage, and display customer feedback legally under Singapore's PDPA. Essential compliance guide for SMEs handling online reviews.

ComplyHQ Team

If you're running a business in Singapore, you know customer reviews and feedback are gold. They build trust, improve your products, and drive sales. But here's what many SME owners don't realize: collecting, storing, and publishing customer feedback involves handling personal data—and that means complying with the Personal Data Protection Act (PDPA) 2012.

Get this wrong and the PDPC can impose a financial penalty of up to SGD 1 million (or, for organisations with annual turnover above SGD 10 million in Singapore, up to 10% of that turnover, whichever is higher), and individuals who knowingly or recklessly misuse personal data can face criminal prosecution. Get it right, and you'll have a compliant system that actually scales with your business.

This guide walks you through every step of handling customer feedback under PDPA, with practical advice you can implement today.

Why Customer Reviews Fall Under PDPA

Let's start with the basics. The PDPA applies whenever you collect, use, or disclose personal data—and that's broadly defined.

A customer review that includes:

  • Their name
  • Email address
  • Phone number
  • Location/suburb
  • Purchase history
  • Photo or profile picture

...all of this is personal data. Even if a customer shares it voluntarily in a review, you become responsible for protecting it under PDPA once you collect it.

The Personal Data Protection Commission (PDPC) has been explicit about this. Its advisory guidelines (start with the Advisory Guidelines on Key Concepts in the PDPA) set out the consent, purpose limitation and notification obligations that apply to any personal data you collect; testimonials, case studies and reviews that contain identifiable information are personal data and fall squarely under them.

The Real Cost of Non-Compliance

Between 2020 and 2024, PDPC enforcement decisions showed a pattern of penalties against SMEs that mishandled customer data:

  • 2021: SGD 5,000 fine to a healthcare provider for publishing patient testimonials without consent
  • 2022: SGD 30,000 fine to an e-commerce SME for collecting reviews without clear privacy notices
  • 2023: SGD 50,000+ penalties for unauthorized use of customer feedback in marketing campaigns

These weren't massive enterprises—they were businesses like yours that simply didn't know the rules.


Step 1: Getting Valid Consent

The foundation of PDPA compliance is consent. You cannot collect, use or disclose personal data for a purpose without the individual's knowledge and agreement, unless one of the Act's specific exceptions applies.

Consent isn't just a checkbox. It must be:

  • Affirmative: The customer actively agrees (not a pre-ticked box)
  • Informed: They know what data you're collecting and why
  • Specific: You explain each purpose (e.g., "to display on our website" vs. "for marketing emails")
  • Documented: You keep records of when and how consent was given

In-Store or At Point of Sale: Include a simple form or receipt line:

"May we use your feedback in testimonials and on our website? □ Yes, I consent □ No, thank you"

Get their signature or digital tick. Keep this record for as long as you rely on the consent (that is, as long as the testimonial is in use) and for at least 12 months after that.

Online Feedback Forms: After a purchase, send an email or in-app prompt:

We'd love your feedback! 

Tell us how we may use your review (tick all that apply):
☐ Publish it on our website with your first name
☐ Share it on our social media channels
☐ Use it in marketing emails

Treat the marketing-email box as its own consent: never infer it from the other two, and never make submitting the review itself count as agreement.

Your name will appear as: [First Name Only] / [Initials] / [Anonymous]

Make these checkboxes unchecked by default. Under PDPA, pre-ticked consent is invalid.

Review Platforms (Google, Facebook, Trustpilot): When directing customers to leave reviews on third-party platforms, include a notice:

"When you leave a review on [Platform], their privacy policy applies. We may repost your review on our website. Learn how we handle your data: [link to your privacy policy]"


Step 2: Minimization—Collect Only What You Need

PDPA's purpose limitation principle (Section 18) means you should only collect personal data necessary for your stated purpose.

If your goal is to collect feedback on product quality, you don't need:

  • Full home address
  • Phone number
  • Date of birth
  • Marital status
  • Income level

What to collect:

  • First name (or initials)
  • Email (only if you need to follow up)
  • Feedback on the product/service
  • Star rating

Nice to have, but ask permission:

  • Full name
  • Photo/profile picture
  • Location (suburb only, not street address)
  • Job title (if relevant to B2B feedback)

Never collect:

  • NRIC number
  • Bank details
  • Family information
  • Political/religious views (unless directly relevant)

This approach reduces your compliance burden and makes customers more comfortable sharing feedback.


Step 3: Storage and Security

Once you've collected reviews with consent, you must protect that data. PDPA Section 24 requires you to take reasonable security measures.

For SMEs, "reasonable" means:

Basic Security Checklist

Access Control

  • Only staff who need to manage reviews can access the data
  • Use password-protected systems (not shared Excel files)
  • Remove access when staff leave

Data Encryption

  • If storing customer details with reviews, encrypt sensitive fields (email, phone)
  • Use HTTPS on your website (look for the padlock icon)
  • Don't store full credit card numbers

Regular Backups

  • Back up review data weekly to a secure location
  • Test restores quarterly

Vendor Management

  • If using a review platform (Trustpilot, Google, etc.), read its privacy policy and terms: you remain accountable for the personal data you collect and pass to it
  • Most of these platforms store data overseas, so the transfer limitation obligation (Section 26) applies: satisfy yourself that the platform protects the data to a standard comparable to the PDPA
  • Have a written data processing agreement with any vendor that processes review data on your behalf

Incident Response Plan

  • Document what you'll do if customer data is breached: who assesses it, who decides, who talks to customers
  • Know the notification rule: assess a suspected breach promptly (the PDPC expects the assessment within 30 days of discovery); if the breach is likely to cause significant harm or affects 500 or more people, notify the PDPC within 3 calendar days of that assessment and tell affected customers as soon as practicable

Red flags to avoid:

  • Storing reviews in unencrypted email attachments
  • Using personal cloud accounts (Dropbox, Google Drive) without encryption
  • Printing reviews without securely destroying them later
  • Sharing customer details with staff who don't need them

Step 4: Publishing Reviews—What You Can and Cannot Do

This is where many SMEs slip up. Just because someone gave you permission to "use their feedback" doesn't mean you can use it everywhere, forever.

Use Case 1: Publishing on Your Website
Customer consents → You can display the review with first name and rating on your review page.

Use Case 2: Email Marketing Campaign
New consent required. Even if they agreed to website publication, that doesn't cover marketing emails. Send a separate request:

"We'd like to feature your testimonial in our monthly newsletter. May we include your name and review? Yes / No"

Use Case 3: Social Media Ads
Another separate consent. Paid advertising has different privacy implications than organic posts.

Use Case 4: Printed Materials (Brochures, Flyers)
Different medium, different consent. Ask specifically about print use.

How to Display Reviews Compliantly

Option A: Anonymized (Safest)

"5-star review: 'This product transformed my workflow. Highly recommend!' — Anonymous"

No consent is needed for the display because nothing identifying is disclosed, provided the review text itself does not identify the customer (an unusual detail, a named colleague, or a small enough customer base can re-identify someone even without a name).

Option B: First Name + Review

"5-star review: 'This product transformed my workflow.' — Sarah L."

Requires documented consent (a ticked box or signed form is fine; it need not be a letter). Keep the consent record on file for as long as the review is displayed.

Option C: Full Name + Photo + Testimonial

"5-star review: 'This product transformed my workflow. I've been using it for two years!' — Sarah Lee, Marketing Manager at XYZ Corp"

Requires explicit, documented consent that names each element (full name, photo, employer). Higher risk, so only use it if the customer clearly agrees, and keep the record for as long as the testimonial is in use plus 12 months.

What About Negative Reviews?

PDPA doesn't prevent customers from leaving negative reviews, and it doesn't prevent you from responding to them. However:

  • Do respond professionally and factually
  • Do offer to take the conversation offline to resolve the issue
  • Don't publicly disclose personal information about the customer to "explain your side"
  • Don't harass or defame the reviewer

Fake positive reviews and suppressing genuine negative ones are a consumer-protection problem under the Consumer Protection (Fair Trading) Act rather than a PDPA one, but they will damage your business just the same. Play it straight.


Step 5: Data Retention—When to Delete

PDPA Section 25 (the retention limitation obligation) requires you to stop retaining personal data once it is no longer needed for your stated purpose or for any legal or business reason.

Retention Schedule for Customer Reviews

Data type | Retention period | Reason
Review with customer name/contact | 12-24 months after collection | Follow-up, dispute resolution, PDPC enquiries
Anonymised reviews | Indefinite | No personal data, can keep forever (as long as the text identifies nobody)
Consent records | As long as the review stays published, plus 12 months | Proof of compliance
Customer contact info (email/phone) | Until the customer opts out, or 24 months at most | Legitimate follow-up only
Deletion-request records | 12 months after the request | Proof you honoured deletion requests

How to Delete Properly:

  • Don't just hide data from view—permanently delete it
  • Use secure deletion tools (don't just move to trash)
  • If using a third-party review platform, request they delete the data
  • Document the deletion date and method

Step 6: Customer Rights—Access, Correction, and Deletion

Under PDPA, customers can ask you to:

  1. Access the personal data you hold about them, and learn how it has been used or disclosed in the past year (Section 21)
  2. Correct inaccurate data (Section 22)
  3. Withdraw consent to collection, use or disclosure, which includes asking you to stop using their data (Section 16)

For access and correction requests, respond within 30 days or, within that time, tell the customer when you will. Act on a withdrawal of consent within a reasonable time and tell the customer the likely consequences of withdrawing (for example, that their testimonial comes down).

Real Scenario: A Customer Asks You to Remove Their Review

What happens:

  1. Customer emails: "Please remove my review from your website."
  2. You check: Do you have a legitimate reason to keep it? (Usually no, if they're withdrawing consent.)
  3. You remove their name and identifying details from the public review within 30 days.
  4. You document the request and your action.
  5. You respond: "We've removed your identifying information from the review. Thank you for your feedback."

What NOT to do:

  • Ignore the request
  • Delete the entire review without asking why
  • Share their contact details with staff to "convince them" to keep the review up
  • Wait 90 days to respond
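As an added example (not ComplyHQ's code, and not something the page or the PDPC provides), the following Python consent ledger encodes the rules from Steps 1, 4, 5 and 6 in one place: one consent record per channel, nothing granted unless the customer ticked it, the customer's display preference, withdrawal that scrubs identifying fields in place rather than hiding the review, a retention sweep for contact details, and an audit log that carries no personal data. The purposes, the 24-month contact retention window and the `Review` field layout are assumptions for illustration; it uses only the standard library.

```python
"""Consent ledger for customer reviews: one consent per channel, withdrawal,
retention and an audit trail. Added example, not ComplyHQ's or the PDPC's code."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional


class Purpose(str, Enum):      # each channel is a separate consent (Step 4)
    WEBSITE = "website"
    SOCIAL = "social_media"
    EMAIL = "email_marketing"
    PRINT = "print"


class Display(str, Enum):      # how the customer asked to be credited (Step 1)
    FIRST_NAME = "first_name"  # "Sarah L."
    INITIALS = "initials"      # "S.L."
    ANONYMOUS = "anonymous"


@dataclass
class Consent:
    purpose: Purpose
    given_at: datetime
    method: str                # "web form v3", "signed receipt", ...
    withdrawn_at: Optional[datetime] = None


@dataclass
class Review:
    review_id: str
    full_name: Optional[str]
    email: Optional[str]       # kept only while follow-up is needed
    rating: int
    text: str
    collected_at: datetime
    display: Display
    consents: list[Consent] = field(default_factory=list)
    log: list[str] = field(default_factory=list)   # audit trail; never put personal data in it

    def active(self, purpose: Purpose) -> bool:
        return any(c.purpose == purpose and c.withdrawn_at is None for c in self.consents)


def attribution(name: Optional[str], display: Display) -> str:
    """Credit line for the display option the customer chose (Options A/B in Step 4)."""
    if display is Display.ANONYMOUS or not name:
        return "Anonymous"
    parts = name.split()
    if display is Display.INITIALS:
        return "".join(p[0].upper() + "." for p in parts)
    return parts[0] + (f" {parts[-1][0].upper()}." if len(parts) > 1 else "")


class ReviewLedger:
    CONTACT_RETENTION = timedelta(days=730)   # assumed: the page's 24-month limit for contact details

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self.reviews: dict[str, Review] = {}
        self.now = clock or (lambda: datetime.now(timezone.utc))   # injectable for tests

    def record(self, review: Review, ticked: list[Purpose], method: str) -> None:
        """Store a review. Only boxes the customer actually ticked become consents."""
        when = self.now()
        review.consents = [Consent(p, when, method) for p in ticked]
        review.log.append(f"{when.isoformat()} collected via {method}; consented: {[p.value for p in ticked]}")
        self.reviews[review.review_id] = review

    def render(self, review_id: str, purpose: Purpose) -> Optional[dict]:
        """Public copy for one channel, or None if that channel has no live consent.
        An anonymised review carries no personal data, so it may be shown anywhere."""
        r = self.reviews[review_id]
        if r.display is not Display.ANONYMOUS and not r.active(purpose):
            return None
        return {"rating": r.rating, "text": r.text, "by": attribution(r.full_name, r.display)}

    def withdraw(self, review_id: str, purposes: Optional[list[Purpose]] = None,
                 note: str = "") -> list[Purpose]:
        """Withdrawal of consent (Section 16). With no purposes given, withdraw all and
        scrub identifying fields in place: the opinion stays, the person does not."""
        r, when, stopped = self.reviews[review_id], self.now(), []
        for c in r.consents:
            if c.withdrawn_at is None and (purposes is None or c.purpose in purposes):
                c.withdrawn_at = when
                stopped.append(c.purpose)
        if all(c.withdrawn_at is not None for c in r.consents):
            r.full_name, r.email, r.display = None, None, Display.ANONYMOUS
        r.log.append(f"{when.isoformat()} withdrawn: {[p.value for p in stopped]} {note}".rstrip())
        return stopped

    def purge_expired_contacts(self) -> list[str]:
        """Retention limitation (Section 25): delete e-mail once the follow-up window passes."""
        purged = []
        for r in self.reviews.values():
            if r.email and self.now() - r.collected_at > self.CONTACT_RETENTION:
                r.email = None
                r.log.append(f"{self.now().isoformat()} email deleted: retention expired")
                purged.append(r.review_id)
        return purged
```

Two design choices worth noting. `render` answers "may I show this review on this channel, credited this way?" and returns `None` rather than a stripped-down version when the channel was never consented to, which forces the caller to go back and ask rather than quietly reuse the data. And `withdraw` with no purposes mirrors the scenario above: the identifying fields are overwritten, the display mode flips to anonymous, and a dated, name-free log line is kept as the proof that the request was honoured.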

Step 7: Privacy Notices—Tell Customers How You Use Their Data

PDPA Section 20 (the notification obligation) requires you to tell customers the purposes for which you collect, use and disclose their data, on or before collection.

Your notice should explain:

  • ✅ What personal data you collect (name, email, feedback content)
  • ✅ Why you collect it (to improve services, publish testimonials, respond to issues)
  • ✅ Who might access it (your team, review platforms, potentially marketing partners)
  • ✅ How long you keep it (12-24 months)
  • ✅ How to contact you about your data (privacy@yourcompany.com)

Where to put your privacy notice:

  • On your feedback form or survey
  • In the email requesting reviews
  • On your website's "Privacy Policy" page
  • In your terms of service

Simple example:

How We Use Your Feedback

When you submit feedback or a review, you're sharing personal data with us. Here's how we protect it:

  • We only use your feedback to improve our services and (with your permission) to showcase testimonials
  • We keep your data for up to 24 months unless you ask us to delete it sooner
  • We never sell your data to third parties
  • You can request access, correction, or deletion anytime by emailing privacy@ourcompany.com
  • Responses within 30 days guaranteed

See our full privacy policy: [link]

Make this notice easily accessible and plain language—not legal jargon buried in a 10,000-word policy document.


Step 8: Using AI and Tools—Compliance When Automating

Many SMEs now use AI tools to manage reviews: automated follow-ups, sentiment analysis, chatbots that respond to feedback. PDPA still applies.

Key Rules for Automated Review Systems

  1. Transparency: If a chatbot is handling customer data, disclose it.
  2. Purpose Limitation: Don't use customer review data to train AI models without consent.
  3. Human Review: Don't delete or block reviews based solely on automated decisions—have a human verify.
  4. Data Accuracy: Regularly audit your system for errors or bias.

Good practice: Tools like ComplyHQ help SMEs automate compliance documentation, consent tracking, and data retention schedules—AI-powered compliance that handles your PDPA obligations in minutes, not weeks. But always verify the tool's own privacy policy and data handling practices.


Step 9: Employee Training—Your First Line of Defense

Your staff are your biggest compliance risk. A single employee sharing customer reviews in a WhatsApp group or using feedback data without consent can expose your business to penalties.

Minimal Training Checklist

All staff who handle reviews should know:

  • ✅ Reviews contain personal data (it's not "just opinions")
  • ✅ We only use reviews for purposes customers agreed to
  • ✅ We delete data when customers ask
  • ✅ Sharing customer details without permission is a breach
  • ✅ What to do if a customer wants to access or delete their data

Run through this in your next team meeting (15 minutes). Document attendance. If audited, you can show you took reasonable steps to ensure compliance.


Step 10: Documentation and Audit Readiness

The PDPC doesn't require elaborate documentation, but you need enough to prove compliance if audited.

Minimal Records to Keep

Record | Why | How long
Consent forms/logs | Proof customers agreed | As long as you rely on the consent, plus 12 months
Privacy notices | Proof you informed customers | Until replaced with a new version (keep superseded versions with their dates)
Data deletion requests | Proof you honoured customer rights | 12 months
Breach response logs | Proof you handled incidents properly | 12 months
Vendor privacy agreements | Proof third parties are bound | Duration of contract + 12 months
Staff training records | Proof you took reasonable care | 12 months

Store these securely (encrypted, access-controlled, backed up).


Common PDPA Mistakes SMEs Make With Reviews

Mistake 1: Pre-Ticked Consent Boxes
❌ Wrong: "I agree to publish my review with my full name" [✓ checked]
✅ Right: "I agree to publish my review with my full name" [ ] unchecked

Mistake 2: Assuming One Consent Covers All Uses
❌ Wrong: Customer consents to website review → you use it in email campaigns
✅ Right: Get separate consent for each use (website, email, social media, print)

Mistake 3: Not Responding to Data Requests
❌ Wrong: Customer emails "delete my data" → you ignore it
✅ Right: Respond within 30 days, document your action

Mistake 4: Storing Excessive Data
❌ Wrong: Collecting full address, phone number and job title when a first name and the feedback are all you need
✅ Right: Collect the minimum data necessary (first name, email if you need to follow up, feedback content)

Mistake 5: No Privacy Notice
❌ Wrong: Collecting reviews without explaining how you'll use the data
✅ Right: Include a short, clear notice on your feedback form

Mistake 6: Vendor Risk
❌ Wrong: Using a review platform without checking its privacy policy
✅ Right: Check how the platform handles personal data and have a data processing agreement in place


What to Do Now—Your Action Plan

This week:

  1. Audit your current feedback collection process. Are you getting proper consent?
  2. Review your privacy notice. Is it clear and accessible?
  3. Check your data retention schedule. Are you deleting old reviews as required?

This month:

  1. Update consent forms/checkboxes (make them unchecked by default)
  2. Document your data storage and security measures
  3. Brief your team on PDPA basics (15-minute meeting)

This quarter:

  1. Implement a simple consent tracking system (spreadsheet or CRM note)
  2. Create a data deletion process
  3. Review your terms of service and privacy policy with a compliance perspective

Staying Compliant as You Scale

As your SME grows, your compliance needs will evolve. You might move from managing reviews in a spreadsheet to using a CRM platform, or from asking for feedback via email to running monthly surveys.

At each step, ask yourself:

  • What personal data am I collecting?
  • Do I have consent for this specific use?
  • How am I protecting this data?
  • When will I delete it?
  • Can customers easily access or delete their data?

If you're unsure about any part of the process, the PDPC publishes guides for organisations and handles enquiries. You can also read its published enforcement decisions at pdpc.gov.sg to see what it is actively monitoring.


Final Thoughts

Handling customer feedback under PDPA isn't complicated—it's just about being intentional. Collect only what you need, ask before you use it, protect it properly, and delete it when you're done.

Do this, and you'll turn customer reviews into a genuine competitive advantage: customers will trust you with their feedback because they know you respect their data.

Fail to do this, and you're one PDPC audit away from a significant fine.

The choice is yours. Start with the action plan above, and you'll have a PDPA-compliant review process within a month.


Key Takeaways

  • Consent first: Get explicit, documented permission before collecting or publishing personal data
  • Minimize data: Only collect what you genuinely need
  • Secure it: Use basic encryption, access controls, and secure backups
  • Honor requests: Respond to data access and deletion requests within 30 days
  • Separate uses: Don't assume one consent covers all uses (website vs. email vs. ads)
  • Train staff: Ensure your team understands reviews contain protected data
  • Keep records: Maintain consent forms and documentation for 12 months minimum
  • Stay updated: Check PDPC enforcement actions and advisory guidelines annually

ComplyHQ Team Last updated: May 24, 2026

Frequently Asked Questions

Can I publish customer names alongside their reviews without consent?
No. Under the consent obligation you need the customer's permission before publishing anything that identifies them alongside a review: full name, email address, profile photo, employer and job title all count. The PDPC's advisory guidelines (see the Advisory Guidelines on Key Concepts in the PDPA) make clear that a positive testimonial is still personal data and still needs consent. If you don't have it, publish the review anonymised, or add an opt-in checkbox to your feedback form so the consent (and the display option: first name, initials or anonymous) is captured at collection.
What happens if a customer asks me to remove their review or personal data from my website?
Treat it as a withdrawal of consent under Section 16: stop displaying their personal data within a reasonable time (this guide's working target is 30 days) and, unless you have a legitimate legal reason to retain it, delete it. If they also ask what you hold about them, that is an access request under Section 21, which you must answer within 30 days. Document every request and what you did; that record is your evidence of good-faith compliance. Keep it for at least a year in case of PDPC enquiries or disputes.
Do I need separate consent for using reviews in marketing materials and emails?
Yes. If you collected consent solely for publishing on your website, using those reviews in email campaigns, social media ads, or printed materials requires fresh, specific consent for that new purpose. Under PDPA's purpose limitation principle, each use of personal data must have prior consent. Implement a simple consent management system to track which customers have approved which uses of their feedback.
What's the fine if I mishandle customer review data?
Organisations can be fined up to SGD 1 million, or, for organisations with annual turnover above SGD 10 million in Singapore, up to 10% of that turnover if higher. Individuals who knowingly or recklessly disclose or misuse personal data in their organisation's possession can be prosecuted, with penalties including imprisonment of up to two years. Even minor violations can trigger PDPC investigations and directions. The 2021 PDPC enforcement report showed SMEs penalised between SGD 5,000-50,000 for unauthorised data use. Prevention through proper consent mechanisms is far cheaper than remediation.
Tags: PDPA, Singapore compliance, SME, data protection, PDPC, customer reviews, online feedback
