PDPA for E-Commerce: Handling Customer Data in Singapore Online Shops

Key Takeaway: PDPA for E-Commerce at a Glance

Singapore's Personal Data Protection Act (PDPA) treats e-commerce businesses the same as any other organisation—you must obtain explicit consent before collecting customer data, implement security safeguards, and respond to data breaches within 30 days. Between 2020 and 2025, the Personal Data Protection Commission (PDPC) issued 40+ enforcement actions against Singapore SMEs, with penalties averaging SGD 35,000–SGD 150,000 for PDPA breaches. This guide breaks down your PDPA obligations in plain language so your online shop stays compliant without disrupting your business.

Why PDPA Compliance Matters for E-Commerce Businesses

If your Singapore e-commerce shop collects names, email addresses, phone numbers, payment details, delivery addresses, or browsing history, you are handling personal data under PDPA 2012. The PDPA applies to all organisations—regardless of size—that collect and process personal data of Singapore residents. This includes Shopify stores, custom-built websites, marketplace sellers on Lazada or Shopee, and social commerce operators.

The regulations are not optional or best-practice suggestions: they are statutory requirements. Non-compliance exposes your business to:

• Civil fines up to SGD 1 million (PDPA Section 27)
• Criminal prosecution for wilful breaches (PDPA Section 34)
• Reputational damage through public PDPC enforcement notices
• Customer lawsuits for damages caused by unauthorised data use
• Platform removal (Shopee, Lazada, and others suspend sellers for PDPA violations)

The good news: most PDPA breaches are preventable with clear policies, proper consent workflows, and basic security measures. We'll show you exactly how to implement each one.

The Five Core PDPA Obligations for E-Commerce

PDPA compliance rests on five core obligations. Understand these, and you've mastered 80% of what you need to do:

1. Obtain Explicit Consent Before Collecting Data (Section 13)

You must ask for permission in clear language before collecting any personal data—and record that permission. Silence, pre-ticked boxes, or assumed consent do not count.

What this means for your shop:

• Email collection: Include a checkbox at checkout that reads: "I consent to ComplyHQ storing my email address to process my order and send order updates." Make the checkbox unchecked by default.
• Marketing lists: Separate consent from purchase consent. Never auto-enrol customers in newsletters. Use a separate opt-in checkbox: "I consent to receive marketing emails about new products, promotions, and discounts."
• Cookies and tracking: Disclose what cookies you use (Google Analytics, Facebook Pixel, Shopify analytics) and obtain consent before firing tracking code. If you run Shopify, enable the cookie consent banner and make cookie preferences adjustable.
• Payment data: Your payment gateway (Stripe, 2Checkout, PayPal) handles most payment processing, so your consent statement can reference: "Payment data is processed by [provider name] under their privacy policy. I consent to [provider] processing my payment information."

Document consent in writing. Keep records of:

• What consent was requested
• When consent was given (timestamp)
• How consent was obtained (checkbox, email, phone call)
• What the individual consented to

Retain these records for at least one year. Many e-commerce platforms (Shopify, WooCommerce) log checkbox data automatically—export and archive this monthly.

2. Notify Individuals of Data Use (Section 18)

Your privacy policy is a legal requirement, not a marketing afterthought. Under PDPA Section 18, you must provide clear notice of:

• What personal data you collect
• Why you collect it (your "purpose")
• Who you disclose it to
• How long you keep it
• How individuals can access or correct their data
• Your contact details (name, address, email, phone)

What your e-commerce privacy policy must cover:

Placement matters: Your privacy policy must be:

• Clearly visible (link in website footer, before checkout)
• Written in plain language (avoid legal jargon)
• Accessible on mobile devices
• Updated annually or when you change practices

If you use third-party services (Shopify, WooCommerce, email platforms, analytics tools), your privacy policy must disclose this. Example: "We use Google Analytics to understand visitor behaviour. Google may retain this data under its own privacy policy."

3. Implement Security Safeguards (Section 24)

You must protect customer data against loss, misuse, and unauthorised access. The PDPC expects reasonable security measures proportional to the sensitivity of your data and your business size.

Minimum security requirements for e-commerce:

• Encryption in transit: Your website must use HTTPS (SSL/TLS). Check your URL bar—it should show a padlock icon. If you're on Shopify, WooCommerce, or Wix, HTTPS is automatic.
• Encryption at rest: If you store customer data (email, address, purchase history), encrypt the database. Most e-commerce platforms handle this; confirm with your hosting provider.
• Access control: Limit who in your team can access customer data. Only give staff access to information they need for their job. Admin accounts should have strong passwords (minimum 12 characters, mix of letters, numbers, symbols) and two-factor authentication (2FA).
• Regular backups: Back up your database weekly and test recovery procedures. Store backups offline or in a separate secure location.
• Security updates: Keep your e-commerce platform, plugins, and server software updated. Enable automatic updates where possible.
• Incident response plan: Document what you'll do if data is breached (see Section 5 below).

What NOT to do:

• Don't store full credit card numbers (your payment processor handles this)
• Don't leave customer data in unencrypted spreadsheets on shared drives
• Don't share customer lists with third parties without consent
• Don't email customer data without encryption

For SMEs using managed platforms (Shopify, WooCommerce.com), most of this is built in. For custom-built sites, work with your developer to confirm HTTPS, database encryption, and automatic backups.

4. Provide Access and Correction Rights (Section 20)

Individuals have the right to request a copy of their personal data and correct inaccuracies. You must respond within 30 days (Section 20(4)).

What you need to do:

• Include a contact email in your privacy policy: "To request a copy of your personal data or correct information, email privacy@yourshop.com."
• Create a simple data access request form (can be as basic as an email template)
• Train your team to respond to requests promptly
• Document each request and response

Example response workflow:

1. Customer emails: "Please send me all data you have about me."
2. You verify their identity (ask for order number or email confirmation)
3. Within 30 days, you export their data (name, email, orders, addresses) and send it via secure email
4. You keep a record: date of request, data sent, recipient email

Most e-commerce platforms (Shopify, WooCommerce) have built-in "customer data export" features—use these to automate the process.

5. Report Data Breaches (PDPA Section 26D)

If customer data is lost, stolen, or exposed, you must report it to the PDPC and affected individuals without unreasonable delay. This is where many SMEs stumble.

What counts as a breach?

• Hacked database (attacker gains access to customer emails or addresses)
• Lost device containing customer data (unencrypted laptop, USB stick)
• Accidental disclosure (email sent to wrong recipient, data uploaded to public folder)
• Ransomware attack affecting customer data
• Insider theft (rogue employee, contractor misuse)

What you must do:

1. Assess the risk (within 24 hours): Did the breach expose sensitive data? Is there significant risk of harm to individuals?
2. Report to PDPC (if significant): Email privacy@pdpc.gov.sg with breach details, affected individuals, and remedial steps
3. Notify affected individuals (within 30 days): Send written notice explaining what data was compromised, what you're doing to fix it, and what they should do
4. Document everything: Keep logs of the breach, investigation, notifications, and remediation

Example breach notification (email to customers):

Subject: Important Notice: We Detected Unauthorised Access to Your Account

Dear Customer,

On 15 June 2026, we discovered that our customer database was accessed without authorisation between 10–12 June. The affected data includes your name, email, and delivery address. Your payment card details were not compromised.

We have immediately secured the database, reset all account passwords, and notified the Personal Data Protection Commission.

What you should do:

• Change your password immediately
• Monitor your email account for suspicious activity
• Contact us at support@yourshop.com if you notice anything unusual

We take your privacy seriously and apologise for this incident.

Step-by-Step: Building PDPA Compliance Into Your E-Commerce Shop

This is where theory becomes practice. Follow these steps in order:

Step 1: Audit Your Current Data Practices (Week 1)

List all customer data your shop collects:

• Name, email, phone
• Delivery address
• Billing address
• Payment information
• Purchase history
• Browsing behaviour (cookies/analytics)
• Customer service messages
• Product reviews (name, comment)

For each data type, document:

• Why you collect it (purpose)
• How you collect it (checkout form, cookie, CRM)
• Who has access (your team, third parties)
• How long you keep it (days, months, years)
• Whether you have written consent (checkbox, email signup)

This audit takes 2–3 hours. Use a spreadsheet or the PDPA Compliance Checklist for Singapore SMEs to track it.

Step 2: Write or Update Your Privacy Policy (Week 1–2)

Use this template structure (1,000–1,500 words):

1. Who we are: Name, address, contact details, business registration number
2. What data we collect: List each data type (name, email, address, payment, browsing)
3. Why we collect it: Order fulfilment, delivery, analytics, fraud prevention, marketing (if applicable)
4. Who we share it with: Delivery couriers, payment processors, email platforms, analytics providers
5. How long we keep it: Retention schedule by data type
6. Your rights: How to request access, correct data, unsubscribe from marketing
7. Security: General statement of encryption and safeguards
8. Cookies: List cookies used (Google Analytics, Facebook Pixel, Shopify) and link to cookie settings
9. Contact us: Email, phone, mailing address for privacy questions
10. Updates: "We may update this policy. We will notify you of material changes."

Publish your privacy policy in the website footer and before the checkout page.

Step 3: Implement Consent Checkboxes (Week 2)

Update your checkout form to include:

Mandatory checkbox (for all shops):

• ☐ "I consent to [Your Shop Name] collecting and processing my personal data (name, email, address, phone) to process my order, arrange delivery, and provide customer service. This data will be retained for 3 years after purchase." [Link to privacy policy]

Optional checkbox (if you send marketing emails):

• ☐ "I consent to receive marketing emails about new products, sales, and promotions. I can unsubscribe at any time." [Link to privacy policy]

For Shopify stores: Use Shopify's built-in consent management or apps like "Kustomer" or "Consent Manager." Ensure checkboxes are unchecked by default.

For WooCommerce stores: Use plugins like "WooCommerce Privacy Policy" or "GDPR" to add checkboxes to checkout.

For custom websites: Work with your developer to add checkboxes to your checkout form and log consent in your database.

Step 4: Configure Analytics and Cookies (Week 2–3)

Google Analytics:

1. Add a cookie consent banner to your website (disclose Google Analytics before it loads)
2. In Google Analytics, enable "Data retention" settings—set to 14 months (automatically delete old data)
3. In Google Analytics, enable "Ads Reporting Features" opt-out in your privacy policy

Facebook Pixel (if you run ads):

1. Disclose Facebook Pixel in your privacy policy: "We use Facebook Pixel to measure the performance of ads and understand customer behaviour. Data is processed under Facebook's privacy policy."
2. Obtain consent before firing the Pixel

Shopify Analytics: Shopify's built-in analytics is covered under Shopify's data processing agreement (DPA)—your privacy policy can reference this.

Step 5: Set Up a Data Breach Response Plan (Week 3)

Document your incident response plan (1-2 pages):

1. Detection: How will you discover a breach? (system alerts, customer reports, security audit)
2. Immediate response: Isolate affected systems, change passwords, notify IT
3. Assessment: What data was compromised? How many people affected? Risk level?
4. Notification: Who notifies PDPC? Who drafts customer emails?
5. Remediation: How will you prevent recurrence? (patches, new security tools, staff training)
6. Documentation: Keep detailed logs of investigation and remediation

Assign a "privacy lead" (usually your manager or founder) and a "technical lead" (IT person or developer) responsible for executing this plan.

Consider using tools like Adaptels if you need help building secure infrastructure for your shop, or use AI-powered compliance like ComplyHQ to automate tracking and response workflows.

Common PDPA Pitfalls for Singapore E-Commerce Shops

Mistake #1: Sending Marketing Emails Without Consent

The risk: Under PDPA Section 13, marketing consent must be explicit and separate from purchase consent.

What NOT to do:

• Auto-enrol all customers in your mailing list
• Use a pre-ticked "marketing" checkbox
• Send marketing emails to customers who only gave purchase consent

Example PDPC enforcement (2024): An online fashion retailer sent 50,000 marketing emails to customers without separate marketing consent. PDPC issued a SGD 75,000 fine and required the retailer to delete the email list and implement a new consent workflow.

What to do instead:

• Provide an unchecked checkbox: "Subscribe to our newsletter"
• Include an unsubscribe link in every email (PDPA Section 21)
• Honour unsubscribe requests within 5 working days

Mistake #2: Storing Full Credit Card Numbers

The risk: You're not PCI-DSS compliant and exposing yourself to massive liability if hacked.

What NOT to do:

• Store credit card numbers in your database
• Screenshot payment confirmations with card details
• Email invoices containing full card numbers

What to do instead:

• Use a payment processor (Stripe, 2Checkout, PayPal) that stores card details securely
• Use Shopify's built-in payment—Shopify is PCI-DSS Level 1 compliant
• If you must store card data, hire a PCI-DSS-certified specialist (cost: SGD 5,000–SGD 15,000 per year)

Mistake #3: Sharing Customer Data With Third Parties Without Consent

The risk: PDPA Section 15 requires explicit consent before disclosure to external parties.

Example violation: You sell your customer email list to a marketing agency without customer consent. Fine risk: SGD 50,000–SGD 200,000.

What to do instead:

• List all third parties in your privacy policy (delivery couriers, email platforms, analytics services)
• Obtain explicit consent from customers for each disclosure
• Use data processing agreements (DPAs) with third parties to ensure they comply with PDPA

Mistake #4: No Data Retention Policy

The risk: You keep customer data indefinitely "just in case," violating PDPA Section 19 (Purpose Limitation).

What to do instead:

• Document retention periods by data type:
  • Purchase records: 3–5 years (for warranty, returns, tax)
  • Email lists: Until customer unsubscribes + 1 year
  • Payment data: Not retained (processor stores it)
  • Analytics cookies: 12–14 months
  • Customer support tickets: 2 years
• Set calendar reminders to delete old data
• Document deletions in a log

PDPA Compliance Costs for E-Commerce SMEs

Q: How much will compliance cost my shop?

A: Between SGD 0–SGD 10,000 upfront, depending on your current setup, plus roughly SGD 2,000–SGD 5,000 annually in tools and audit time.

Breakdown:

Recommendation for SMEs: Start with free tools (PDPC template policies, Shopify's built-in compliance, Google Analytics consent), implement consent checkboxes (2–4 hours), and hire a lawyer for annual policy review (SGD 1,000/year). This costs roughly SGD 1,500–SGD 2,000 in year one, SGD 1,000/year ongoing.

Compare this to a PDPC fine (SGD 30,000–SGD 1,000,000): compliance is an obvious investment.

Real PDPC Enforcement Cases: Lessons for Your Shop

Case 1: Delivery Platform (2024)

• Violation: Shared customer contact details with restaurants without consent
• Penalty: SGD 220,000
• Lesson: Disclose all third parties in your privacy policy and obtain separate consent for each

Case 2: Fashion Retailer (2023)

• Violation: Sent marketing emails to customers without explicit consent
• Penalty: SGD 75,000 + required deletion of email list
• Lesson: Separate marketing consent from purchase consent; use unchecked checkboxes

Case 3: E-Grocery Platform (2022)

• Violation: Data breach (hacked database); failed to notify customers within 30 days
• Penalty: SGD 150,000 + mandatory incident response plan
• Lesson: Have a breach response plan documented before an incident occurs

Case 4: Beauty E-Commerce Brand (2021)

• Violation: Retained customer data indefinitely; no data deletion schedule
• Penalty: SGD 40,000 + forced implementation of retention policy
• Lesson: Document and enforce data deletion schedules

These cases are publicly available on the PDPC Enforcement Cases page—review them for patterns.

Your Next Steps: The 30-Day Compliance Plan

Week 1:

• Audit your current data practices (what you collect, retain, share)
• Download and read the PDPA Compliance Checklist for Singapore SMEs
• Write your privacy policy (DIY or hire a lawyer)

Week 2:

• Add consent checkboxes to your checkout form
• Test that checkboxes log correctly to your database
• Update your privacy policy link in website footer and checkout page

Week 3:

• Configure analytics consent (Google Analytics, Facebook Pixel, Shopify)
• Document your data retention schedule (by data type)
• Create a one-page data breach response plan

Week 4:

• Train your team (20 minutes) on PDPA basics and data handling
• Set up calendar reminders to delete old data monthly
• Schedule an annual compliance review with a lawyer

If you're short on time or want expert guidance, AI-powered compliance like ComplyHQ can audit your shop, generate a compliant privacy policy, and handle your PDPA obligations in minutes, not weeks—giving you more time to focus on growing your business.

Frequently Asked Questions

Q: Do I need PDPA compliance if I'm a small Lazada or Shopee seller?

A: Yes. Even if you sell through a marketplace, you collect personal data (customer email, delivery address) and are responsible for PDPA compliance. The marketplace (Lazada, Shopee) is also a data controller, but that doesn't reduce your obligations. Update your shop's privacy policy and consent workflow regardless of platform.

Q: Can I use customer data for purposes other than order fulfilment?

A: Only with explicit consent and disclosure in your privacy policy. If your policy states you collect email for "order updates," you cannot use that email for marketing without separate marketing consent. Each new use requires new consent or an update to your privacy policy plus opt-in from existing customers.

Q: What if I outsource my e-commerce platform to a developer or agency?

A: You remain the data controller; the developer/agency is the data processor. You must have a Data Processing Agreement (DPA) in writing that specifies how they handle data, security measures, and their obligations under PDPA. Most reputable developers will provide a DPA template—if they refuse, that's a red flag.

Q: How do I get PDPA compliance verified or certified?

A: The PDPC does not issue PDPA compliance certificates. However, you can:

• Conduct a self-audit using the PDPC's Personal Data Protection Act: Guidelines to Develop Personal Data Protection Policies & Processes
• Hire a data protection consultant (SGD 3,000–SGD 10,000 for full audit)
• Pursue ISO 27001 certification (information security standard that complements PDPA)—see our guide to ISO 27001 Certification Singapore for SMEs

Q: What if I operate my e-commerce shop outside Singapore but have Singapore customers?

A: The PDPA applies to your business if you collect data from Singapore residents and have a business, or an agent, in Singapore. If you're based overseas but have a Singapore office, bank account, or use Singapore-based services, PDPA applies. If you're purely overseas with no Singapore presence, PDPA may not apply—but you likely fall under EU GDPR, California CCPA, or similar laws if you have customers there.

Key Takeaways: What You Must Do

1. Obtain written consent before collecting any personal data from customers (PDPA Section 13)
2. Publish a privacy policy that discloses all data collection, use, retention, and disclosure (PDPA Section 18)
3. Implement security measures (HTTPS, encryption, access control, backups) proportional to your data sensitivity (PDPA Section 24)
4. Provide access and correction rights—respond to customer data requests within 30 days (PDPA Section 20)
5. Report data breaches to the PDPC and affected individuals without unreasonable delay (PDPA Section 26D)
6. Document everything: consent records, privacy policies, data handling procedures, breach responses

Resources

• PDPC Personal Data Protection Act: https://www.pdpc.gov.sg/protection-of-personal-data/
• PDPC Guidelines for Organisations: https://www.pdpc.gov.sg/organisations/guidelines
• PDPC Enforcement Cases: https://www.pdpc.gov.sg/organisations/compliance/enforcement/enforcement-cases
• Free Privacy Policy Template: Available on PDPC website or use Shopify's built-in templates

Still unsure where to start? Check out the PDPA Compliance Checklist for Singapore SMEs for a step-by-step audit. Or, if a data breach occurs, follow the Data Breach Response Guide for immediate action steps.

Sources

1. PDPC — Personal Data Protection Commission
2. Personal Data Protection Act 2012
3. CSA — Cyber Security Agency of Singapore