Industry Guides11 min read26 April 2026

PDPA Compliance for E-Commerce: Singapore Online Business Guide

Complete PDPA compliance guide for Singapore e-commerce businesses. Covers customer data collection, cookie consent, payment data, marketing emails, cross-border transfers, and practical steps to get compliant.

ComplyHQ Team

PDPA Compliance for E-Commerce: Singapore Online Business Guide

E-commerce businesses collect more personal data than almost any other type of SME. Customer names, addresses, payment details, browsing behaviour, purchase history, and marketing preferences — every transaction generates personal data that falls under the PDPA.

If you run an online store targeting Singapore customers, compliance is not optional. The penalties for non-compliance can reach S$1 million, and a data breach can destroy customer trust overnight.

This guide covers the specific PDPA requirements that apply to e-commerce businesses in Singapore.

What Data E-Commerce Businesses Typically Collect

Before addressing compliance, understand the scope of data your online business handles:

Customer Account Data

  • Full name, email address, phone number
  • Shipping and billing addresses
  • Account passwords (hashed)
  • Date of birth (if collected for promotions)

Transaction Data

  • Order history and purchase amounts
  • Payment card details (usually tokenised by payment processor)
  • Refund and exchange records
  • Delivery tracking information

Marketing and Analytics Data

  • Email marketing preferences and engagement metrics
  • Cookie and tracking data (browsing behaviour, session data)
  • Social media profiles (if using social login)
  • Customer reviews and feedback

Third-Party Data

  • Data received from marketplace platforms (Shopee, Lazada, Amazon)
  • Data from advertising platforms (Meta, Google Ads)
  • Data from analytics tools (Google Analytics, Hotjar)

Every category above involves personal data under the PDPA. Your data inventory must account for all of them.

Key PDPA Requirements for E-Commerce

1. Privacy Policy on Your Website

Every e-commerce site needs a comprehensive privacy policy. For online businesses, it must specifically cover:

  • Data collected at checkout: Name, address, email, phone, payment information
  • Cookies and tracking: What cookies you use and what they track
  • Third-party sharing: Payment gateways (Stripe, PayNow), logistics providers, marketing platforms
  • Cross-border transfers: Whether customer data is stored or processed outside Singapore
  • Marketing communications: How customers can opt in and opt out
  • Data retention: How long you keep order records and customer accounts

Place your privacy policy in the website footer and link to it from checkout pages and account registration forms.

2. Consent at Checkout

Collecting customer data for order fulfilment does not require separate consent — it is necessary for the transaction. However, you need explicit consent for:

  • Marketing emails and SMS: Use a clear opt-in checkbox (not pre-ticked) at checkout
  • Sharing data with third parties for marketing purposes
  • Using data for purposes beyond the original transaction (personalisation, profiling)

The consent must be informed (tell customers what they are agreeing to) and specific (separate consent for different purposes).

3. Do Not Call Registry Compliance

If your e-commerce business sends marketing messages by phone or SMS, you must check the Do Not Call (DNC) Registry before sending. This applies to:

  • Promotional SMS messages about sales or new products
  • Telemarketing calls to customers
  • Fax marketing (less common but still regulated)

You must check the DNC Registry before every marketing campaign. Sending marketing messages to registered numbers without consent can result in fines of up to S$10,000 per message.

4. Payment Data Security

Payment card data requires special care. Best practices for e-commerce:

  • Never store raw card numbers — use tokenisation via your payment processor (Stripe, Adyen, PayNow)
  • Use PCI DSS compliant payment gateways — this offloads most payment security requirements
  • Implement HTTPS across your entire site, not just checkout pages
  • Do not email payment information — use secure payment links instead

If you use Stripe, PayPal, or similar processors, they handle card data security. Your PDPA obligation is to ensure your processor has adequate protection measures and to include them in your data disclosure policy.

5. Cross-Border Data Transfers

E-commerce businesses frequently transfer data internationally:

  • Hosting providers: AWS, Google Cloud, Shopify (servers may be outside Singapore)
  • Payment processors: Stripe processes data in multiple jurisdictions
  • Marketing tools: Mailchimp, Klaviyo, HubSpot (US-based)
  • Analytics: Google Analytics (US-based)
  • Marketplace platforms: Shopee, Lazada (regional data processing)

Under the PDPA, you can transfer data overseas only if the receiving country provides comparable data protection, or you take reasonable steps to ensure the data receives equivalent protection. In practice, this means:

  • Using providers with strong data protection policies
  • Including data protection clauses in vendor contracts
  • Disclosing cross-border transfers in your privacy policy

6. Customer Data Access and Correction Requests

Customers have the right to:

  • Access their personal data that you hold
  • Request corrections to inaccurate data
  • Withdraw consent for marketing communications

You must respond to access requests within 30 days. For e-commerce, common requests include:

  • "What data do you have about me?"
  • "Delete my account and all associated data"
  • "Stop sending me marketing emails"

Have a clear process for handling these requests. Most e-commerce platforms (Shopify, WooCommerce) have built-in tools for customers to manage their data.

E-Commerce-Specific Compliance Checklist

Use this checklist alongside the comprehensive PDPA compliance checklist:

  • Privacy policy published on website with e-commerce-specific disclosures
  • Consent checkbox for marketing at checkout (not pre-ticked)
  • Unsubscribe mechanism in all marketing emails
  • DNC Registry checks before SMS/phone marketing campaigns
  • Payment processing via PCI DSS compliant gateway
  • HTTPS enabled across entire site
  • Cookie notice explaining tracking technologies
  • Data processing agreements with all third-party vendors
  • Cross-border data transfers disclosed and protected
  • Customer data access/correction request process documented
  • DPO appointed and contact details published
  • Data retention schedule for order records and customer accounts
  • Breach response plan covering customer data

Common E-Commerce PDPA Mistakes

Pre-Ticked Marketing Consent Boxes

A pre-ticked "Subscribe to our newsletter" checkbox at checkout does not constitute valid consent under the PDPA. Consent must be actively given by the customer. Use an unchecked opt-in checkbox with clear language about what the customer is signing up for.

No Unsubscribe in Marketing Emails

Every marketing email must include a working unsubscribe link. You must process opt-out requests within 10 business days. This is required by both the PDPA and the Spam Control Act.

Retaining Customer Data Indefinitely

Many e-commerce businesses never delete customer data. The PDPA requires you to stop retaining personal data when it is no longer needed for the purpose it was collected. Establish retention periods: active customer data while the account is in use, order records as required by tax law, and delete the rest on a schedule.

Ignoring Third-Party Platform Obligations

Using Shopify, Lazada, or another platform does not transfer your PDPA obligations. You are still the data controller. Ensure your platform's data handling meets PDPA requirements and disclose platform use in your privacy policy.

How ComplyHQ Helps E-Commerce Businesses

ComplyHQ is built for Singapore SMEs, including e-commerce businesses:

  • Gap assessment tailored to e-commerce data practices
  • Privacy policy generator that covers online business requirements
  • Data inventory builder to map customer data across platforms and vendors
  • AI compliance chat for instant answers about e-commerce-specific PDPA questions

Start with a free assessment to see where your online business stands.

Related Resources

Simplify Your Compliance

ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.

Try Free Assessment

Frequently Asked Questions

Do I need a cookie consent banner for my Singapore e-commerce site?
The PDPA does not specifically require cookie consent banners the way the EU's GDPR does. However, if your cookies collect personal data (such as tracking cookies that identify users), you should notify visitors and obtain consent where the data is used for purposes beyond what is necessary for the website to function. If you serve EU customers, you must comply with GDPR cookie requirements as well.
Can I send marketing emails to customers who bought from my store?
Yes, with conditions. Under the PDPA, you can send marketing emails to existing customers if they gave consent at the time of purchase (e.g., by opting in at checkout). You cannot add customers to marketing lists automatically without their knowledge. Every marketing email must include an unsubscribe option, and you must honour opt-out requests within 10 business days. You must also comply with the Spam Control Act.
Do I need to comply with PDPA if my e-commerce business is registered overseas but sells to Singapore customers?
Yes. The PDPA applies to organisations that collect, use, or disclose personal data in Singapore, regardless of where the organisation is registered. If you process Singapore customers' personal data, you must comply with the PDPA.
How should I handle customer data stored by Shopify or other platforms?
You remain responsible for your customers' data even when it is stored on a third-party platform like Shopify, WooCommerce, or Lazada. Ensure your platform provider has adequate data protection measures, include data protection terms in your agreement, and understand where customer data is stored (including whether it leaves Singapore). Your privacy policy should disclose the use of third-party platforms.
What should my e-commerce privacy policy include?
Your privacy policy should include: what personal data you collect (name, address, payment details, browsing behaviour), the purposes of collection (order fulfilment, marketing, analytics), who you share data with (payment processors, logistics providers, marketing platforms), how customers can access or correct their data, your data retention policy, your DPO's contact details, and any cross-border data transfers. See our guide on whether you need a privacy policy for your Singapore website.

Ready to get PDPA compliant?

Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.

Start Free AssessmentView Pricing
Gap AssessmentPolicy GeneratorAI Compliance Chat

Related Articles

26 April 202613 min read

MAS Compliance for Singapore SMEs: What You Need to Know in 2026

Complete guide to MAS compliance requirements for Singapore SMEs. Covers licensing, AML/CFT obligations, Technology Risk Management, consumer protection rules, and PDPA intersection.

Read more
17 April 202614 min read

Employment Act Singapore 2026: Complete Guide for Employers

Complete 2026 guide to Singapore's Employment Act for employers. Covers employee rights, overtime, leave entitlements, termination, CPF, and key compliance obligations.

Read more
17 April 202612 min read

Workplace Safety and Health Act (WSHA): What Every Singapore SME Must Know

Complete guide to Singapore's Workplace Safety and Health Act for SMEs. Key requirements, penalties, risk assessments, incident reporting, and a practical compliance checklist.

Read more