PDPA Marketing Consent Singapore: What Businesses Must Know Before Sending That Email (2026 Guide)

Every business wants to reach customers. Email newsletters, SMS promotions, WhatsApp broadcasts, Instagram DMs -- the channels keep multiplying, and the temptation to blast messages to everyone in your database grows with them.

Then comes the fine. In 2024, a Singapore company was penalised S$74,000 by the PDPC for sending marketing messages without proper consent. In 2023, another received a S$120,000 penalty for telemarketing violations. These are not edge cases. The Personal Data Protection Commission actively investigates complaints, and marketing consent violations consistently rank among the most common PDPA breaches in Singapore.

This guide explains exactly what the PDPA requires before you send any marketing message. Not the legal jargon version -- the practical, "tell me what to actually do" version that every Singapore SME needs.

What Counts as a "Marketing Message" Under the PDPA?

Before worrying about consent, you need to know what qualifies as marketing. The PDPA defines a marketing message broadly.

These are marketing messages:

• Promotional emails about sales, discounts, or new products
• SMS blasts with coupon codes or limited-time offers
• Telemarketing calls promoting services
• WhatsApp broadcasts about promotions
• Social media DMs with commercial offers
• Fax advertisements (yes, some businesses still do this)

These are generally NOT marketing messages:

• Transactional emails (order confirmations, shipping updates, receipts)
• Service notifications (appointment reminders, account alerts)
• Purely informational content with no commercial purpose
• Responses to customer enquiries
• Legal or regulatory notices

The grey area: Newsletters that mix informational content with product promotions. If your newsletter includes any commercial element -- a "featured product" section, a discount code, a "shop now" button -- it is a marketing message and consent is required.

The Three Pillars of Valid Marketing Consent

Under the PDPA, consent is not just "they gave us their email address." Valid consent must meet three requirements.

1. Consent Must Be Informed

The individual must understand what they are consenting to. This means telling them:

• Who will be sending the messages (your company name)
• What types of messages they will receive (product promotions, event invitations, newsletters)
• Through which channels (email, SMS, phone calls, WhatsApp)
• How frequently (daily, weekly, monthly)

Bad example: A checkbox that says "I agree to the terms and conditions" -- this bundles marketing consent with other agreements and does not specifically inform the individual about marketing.

Good example: "I agree to receive weekly promotional emails from [Company Name] about new products and special offers. I can unsubscribe at any time."

2. Consent Must Be Voluntary

The individual must have a genuine choice. You cannot make consent a condition of a transaction or service.

Violations of this principle:

• "You must agree to receive marketing emails to complete your purchase"
• Pre-ticked consent boxes (the individual did not actively choose to consent)
• Bundling marketing consent with essential service terms so it cannot be declined separately
• Making discount codes or access to content conditional on marketing consent

Compliant approaches:

• Unticked checkbox: "Yes, I would like to receive marketing emails from [Company Name]"
• Separate opt-in step after purchase: "Would you also like to hear about our promotions?"
• Clear, independent consent form not bundled with other agreements

3. Consent Must Be Documented

You need to prove that consent was obtained. If a customer complains to the PDPC, you must be able to show when, how, and what they consented to.

What to record:

• Date and time consent was given
• Method of consent (online form, paper form, verbal during a call)
• Exact wording of the consent statement the individual agreed to
• The channels and purposes they consented to
• IP address and device information (for online consent)

Using a compliance management platform to track consent records is the most reliable approach. Manual spreadsheets work for very small businesses but become error-prone as your customer list grows.

The Do Not Call (DNC) Registry: Additional Rules for Phone Marketing

The DNC Registry adds another layer for phone-based marketing. Even if you have PDPA consent, you must check the DNC Registry before sending marketing SMS or making telemarketing calls.

How the DNC Registry Works

Individuals register their phone numbers on the DNC Registry to opt out of marketing via:

• Voice calls
• SMS/text messages
• Fax messages

Before sending any marketing message to a Singapore phone number, businesses must:

1. Check the DNC Registry -- query the registry to see if the number is registered
2. Check no more than 30 days before sending -- DNC checks expire after 30 days
3. Keep records of all DNC checks -- you must prove you checked before sending

Exceptions to the DNC Registry

You can send marketing messages to a DNC-registered number if:

• The individual gave you clear and unambiguous consent to contact them for marketing purposes (consent must be specific to marketing, not general)
• You are contacting an existing customer about products or services similar to what they previously purchased (but they must be able to opt out)
• The call or message is a survey (not marketing) with no commercial element

DNC Registry Penalties

Fines for DNC violations can reach S$10,000 per message sent to a registered number without consent, capped at S$1 million per breach. For an SMS blast to 1,000 numbers without proper DNC checks, the potential penalty is devastating.

Channel-by-Channel Consent Guide

Email Marketing

Required: Opt-in consent before sending marketing emails. Every email must include a clear, functional unsubscribe link. Unsubscribe requests must be honoured within 10 business days.

Best practice: Use double opt-in (send a confirmation email asking the subscriber to verify their email address). This reduces bounce rates, improves deliverability, and provides stronger consent documentation.

Common mistake: Adding people to your mailing list because they made a purchase. A purchase does not automatically equal marketing consent unless you specifically obtained consent at the point of sale.

SMS Marketing

Required: Opt-in consent plus DNC Registry check within the last 30 days. Every SMS must identify your company and include opt-out instructions (e.g., "Reply STOP to unsubscribe").

Common mistake: Using a customer's phone number (provided for delivery purposes) to send promotional SMS. The phone number was given for delivery notifications, not marketing -- you need separate consent.

Phone Calls (Telemarketing)

Required: DNC Registry check within the last 30 days. If the number is registered, you need clear prior consent to call. Calls must identify your company at the beginning.

WhatsApp and Social Media

Required: Same consent rules apply. The PDPA does not distinguish between channels -- if the message is marketing, consent is required regardless of the platform.

Important note: WhatsApp's own terms of service also prohibit unsolicited bulk messaging. Violations can result in your WhatsApp Business account being banned, on top of PDPA penalties.

Building a Compliant Marketing Consent System

Step 1: Audit Your Current Consent Records

Start by answering: "For every person on our marketing list, can we prove when and how they gave consent?"

If the answer is no for any significant portion of your list, you have a compliance gap. Options:

• Re-consent campaign: Send a one-time email asking existing subscribers to confirm their consent
• Sunset unconfirmed contacts: Remove anyone you cannot prove consented after a grace period
• Going forward: Ensure all new consent is properly documented

Step 2: Update Your Collection Points

Review every place where you collect personal data and ensure marketing consent is:

• Clearly separated from other consents or agreements
• Using unticked checkboxes (not pre-ticked)
• Specific about what the person is consenting to
• Easy to decline without affecting the primary transaction

Step 3: Implement Opt-Out Mechanisms

Every marketing channel must have a clear opt-out mechanism:

• Email: Unsubscribe link in every message
• SMS: "Reply STOP" instruction in every message
• Phone: "Tell us if you would like to stop receiving these calls"
• WhatsApp: Clear unsubscribe option

Opt-out requests must be processed within 10 business days (PDPA requirement) -- though best practice is within 24-48 hours.

Step 4: Maintain Consent Records

Use a system that records:

• Consent given (date, method, purpose, channels)
• Consent withdrawn (date, method, channels)
• DNC checks performed (date, result, which numbers)
• Marketing messages sent (date, channel, content, recipients)

A compliance management tool automates this record-keeping and provides audit-ready reports if the PDPC comes asking.

Real PDPC Enforcement Examples

Understanding how the PDPC has penalised businesses helps you avoid the same mistakes.

Case 1: Spa chain fined S$74,000 -- sent promotional SMS to customers who had provided phone numbers for appointment bookings. The PDPC ruled that providing a phone number for appointments does not constitute consent for marketing.

Case 2: Property agency fined S$26,000 -- agents used personal data from property viewing forms to send marketing messages. Viewing form data was collected for property transactions, not marketing.

Case 3: Retail company fined S$120,000 -- sent telemarketing calls to DNC-registered numbers without proper consent. The company failed to check the DNC Registry before calling.

The pattern is clear: using personal data collected for one purpose (transactions, bookings, enquiries) to send marketing messages without separate, specific consent is the most common violation.

Quick Compliance Checklist

Use this checklist before launching any marketing campaign:

• Do you have documented opt-in consent from every recipient?
• Is consent specific to the channel you are using (email, SMS, phone)?
• For SMS/phone: have you checked the DNC Registry within the last 30 days?
• Does every message identify your company clearly?
• Does every message include a working opt-out mechanism?
• Are you honouring opt-out requests within 10 business days?
• Are your consent records stored securely and accessible for audit?
• Are your consent collection forms using unticked checkboxes with clear language?

If any answer is no, fix it before sending. The cost of compliance is always less than the cost of a penalty.

Next Steps

Marketing consent is one piece of the broader PDPA compliance puzzle. If you are unsure about your overall compliance posture, start with our PDPA compliance checklist and consider whether a compliance management platform would help you manage consent, breach notifications, and data protection policies in one place.

The PDPC is enforcing more aggressively than ever. The businesses that treat consent as a genuine customer relationship practice -- not just a legal checkbox -- are the ones that avoid fines and build trust.