PDPA Withdrawal of Consent: What Happens When Customers Opt Out
PDPA withdrawal of consent guide for Singapore SMEs: what to do when customers opt out, your legal timelines, obligations under the PDPA, and how to stay compliant.

PDPA Withdrawal of Consent: What Happens When Customers Opt Out
When a customer clicks "unsubscribe," replies "STOP," or emails asking you to stop contacting them, they are exercising a legal right — and a PDPA withdrawal of consent triggers specific obligations for your business under Singapore's Personal Data Protection Act 2012. Handling it incorrectly is one of the most common compliance failures the Personal Data Protection Commission (PDPC) sees among small and medium enterprises. This guide explains exactly what happens when customers opt out, your legal timelines, and the practical steps to keep your organisation compliant.
TL;DR — Key Takeaways
- Under Section 16 of the PDPA, customers can withdraw consent at any time by giving reasonable notice — you cannot refuse or penalise them for doing so.
- Once notified, you must cease collecting, using, and disclosing their personal data for the withdrawn purposes within a reasonable time — act without undue delay.
- Withdrawal does not always mean deletion — you may legally retain data required for tax, employment, or contractual obligations.
- Failing to honour a withdrawal can lead to PDPC financial penalties of up to S$1 million or 10% of annual turnover for organisations with turnover above S$10 million.
- You must have an accessible, working opt-out channel and a documented internal process to action requests.
What Is a PDPA Withdrawal of Consent?
A PDPA withdrawal of consent is the formal exercise of an individual's right under Section 16 of the Personal Data Protection Act 2012 to tell your organisation to stop using their personal data. In plain terms: once someone opts out, the consent you previously relied on to collect, use, or disclose their data for a given purpose is revoked. Your organisation must then stop that activity within a reasonable time.
This right is deliberately broad. A customer can withdraw consent for any purpose — marketing emails, SMS promotions, sharing data with third-party partners, or profiling — and they do not need to give a reason. The PDPC's Advisory Guidelines on Key Concepts in the PDPA make clear that withdrawal must be as easy to exercise as giving consent was in the first place.
Definitive statement: Section 16(1) of the PDPA grants every individual the right to withdraw consent, at any time, on giving reasonable notice to your organisation — and Section 16(4) prohibits you from prohibiting that withdrawal, even though you may inform them of the consequences.
Importantly, withdrawal is different from an "access and correction" request (Sections 21–22) and different from the newer Data Portability Obligation. Withdrawal is specifically about revoking permission to keep using the data going forward.
What Must Your Business Do When a Customer Withdraws Consent?
When you receive a withdrawal, your organisation has three core duties: inform the individual of the likely consequences, cease the relevant processing within a reasonable time, and notify any downstream data intermediaries or third parties to whom you disclosed the data. Getting these three steps right is the heart of PDPA compliance.
Here is the actionable sequence every Singapore SME should follow:
Step 1: Acknowledge and inform of consequences
Under Section 16(2), before or as soon as you receive the withdrawal, you must inform the individual of the likely consequences of withdrawing. For example: "If you withdraw consent to receive appointment reminders, we will no longer be able to notify you of upcoming bookings." You may explain consequences — but you must not use them as a threat or impose a penalty.
Step 2: Cease processing within a reasonable time
Section 16(3) requires you to cease collecting, using, or disclosing the personal data. The PDPA does not prescribe a fixed number of days — the obligation is to act within a reasonable time. In practice, act promptly: process the withdrawal as soon as it can reasonably be actioned, giving priority to automated systems such as email marketing lists (which can usually be updated quickly) while allowing a little more time where manual records or multiple systems are involved. The longer processing continues after a valid withdrawal, the harder it is to justify.
Step 3: Notify third parties and data intermediaries
If you shared the customer's data with vendors, partners, or a data intermediary (for example, an outsourced mailing service), you must inform them of the withdrawal so they also stop processing. This is where many businesses fail — the opt-out is honoured internally but the data keeps flowing through a third-party CRM or ad platform.
Step 4: Document the request and your action
Keep a dated record of the request, what you did, and when. If the PDPC investigates a complaint, contemporaneous records are your strongest defence. A structured PDPA compliance checklist for Singapore SMEs can help you build this into a repeatable workflow rather than an ad-hoc scramble.
Does a PDPA Withdrawal of Consent Mean You Must Delete the Data?
No — a PDPA withdrawal of consent means you must stop using the data for the withdrawn purpose, but it does not automatically require deletion. Retention is governed by a separate rule: the Retention Limitation Obligation under Section 25 of the PDPA. This distinction confuses many SME owners.
Here is the key principle. You must dispose of, or anonymise, personal data when it is no longer necessary for any business or legal purpose. But if you have an independent legal basis to retain data, you may — and often must — keep it even after consent is withdrawn. Common examples in Singapore include:
- Tax and accounting records — the Income Tax Act and GST regulations generally require retention for 5 years, as reflected in IRAS guidance.
- Employment records — the Employment Act requires certain records be kept, relevant to any business handling staff data.
- Contractual and transaction records — needed to enforce a contract or defend a legal claim.
Definitive statement: Withdrawing consent stops future processing for the withdrawn purpose, but you may lawfully retain personal data for as long as a legal, regulatory, or legitimate business purpose requires it — after which it must be securely disposed of.
For businesses that handle sensitive financial or transactional records, the interaction between withdrawal and retention is especially delicate. Sector guides such as PDPA for accounting firms and PDPA compliance for e-commerce walk through how to reconcile these competing obligations in practice.
Common Mistakes Singapore SMEs Make With Opt-Outs
The PDPC's published enforcement cases reveal a clear pattern: most consent-related breaches come from process failures, not bad intent. Understanding these mistakes helps your organisation avoid becoming the next cautionary example.
The most frequent errors include:
- No working opt-out channel. An "unsubscribe" link that leads nowhere, or a marketing SMS with no reply-STOP option, breaches the spirit of Section 16 and the Do Not Call (DNC) provisions.
- Honouring the opt-out too slowly. Continuing to send marketing after a reasonable period has passed is a recurring cause of PDPC financial penalties.
- Ignoring third-party systems. The customer is removed from your list but their data remains active in a connected ad platform or CRM.
- Treating withdrawal as deletion — or vice versa. Deleting records you are legally required to keep, or keeping and using data you should have stopped processing.
- No staff awareness. Front-line employees don't recognise an informal "please stop emailing me" as a formal withdrawal.
That last point is critical. A withdrawal does not need to use magic words or a special form — a plain request in any channel counts. Training your team to recognise and route these requests is essential, which is why PDPA staff training is a foundational control rather than a nice-to-have.
Real enforcement outcomes underline the stakes. The PDPC has issued financial penalties and directions in numerous consent and protection cases; reviewing real PDPA penalties and enforcement cases shows how quickly a small oversight can escalate into a reportable incident.
What Are the Penalties for Ignoring a Withdrawal Request?
Failing to honour a PDPA withdrawal of consent exposes your organisation to enforcement action by the PDPC, including directions to comply and significant financial penalties. Since the Personal Data Protection (Amendment) Act 2020 took effect, the maximum financial penalty rose to up to 10% of an organisation's annual turnover in Singapore, or S$1 million, whichever is higher.
For most SMEs with turnover under S$10 million, the S$1 million ceiling applies. Beyond the fine, the PDPC can issue directions requiring you to stop processing, destroy data, or overhaul your practices — and enforcement decisions are published, creating reputational exposure.
Definitive statement: Under the current PDPA penalty regime, organisations that fail to comply with consent obligations face financial penalties of up to S$1 million, or up to 10% of annual Singapore turnover for larger organisations.
The good news: the PDPC consistently treats demonstrable good-faith processes as a mitigating factor. Organisations that can show a documented opt-out workflow, prompt action, and staff training are treated very differently from those with no controls at all.
How to Build a Reliable Opt-Out Process
A compliant withdrawal process rests on three pillars: an accessible opt-out channel, a defined internal workflow with clear timelines, and an audit trail. Building these once — properly — turns opt-outs from a compliance risk into a routine operation.
Practical measures for your organisation:
- Offer at least one clear opt-out method in every marketing communication (unsubscribe link, reply STOP, or a stated email address).
- Assign ownership — your Data Protection Officer (mandatory under Section 11(3) of the PDPA) or a delegate should own the process.
- Set an internal SLA — for example, action all withdrawals within 10 business days and confirm to the customer.
- Map your data flows so you know every third-party system that must also be updated.
- Log every request with date received, action taken, and date completed.
This is exactly the kind of repetitive, rules-based work that is easy to get wrong manually across dozens of channels. ComplyHQ delivers AI-powered compliance that handles your PDPA obligations in minutes, not weeks — automatically generating your consent and withdrawal workflows, DPO documentation, and retention policies so opt-outs are tracked and actioned consistently. For SMEs that also need custom integrations between their CRM, marketing tools, and compliance records, Adaptels builds tailored digital solutions for Singapore businesses.
Finally, remember that withdrawal handling doesn't exist in isolation. It connects to your breach response readiness — if you can't locate and stop processing data, you'll struggle in an incident too. Pairing this with a solid data breach response plan gives your organisation end-to-end resilience.
Key Takeaways
- A PDPA withdrawal of consent is a legal right under Section 16 — customers can opt out anytime, and you cannot refuse or penalise them.
- Cease processing for the withdrawn purpose within a reasonable time and without undue delay — the longer processing continues after a valid withdrawal, the harder it is to justify.
- Withdrawal ≠ deletion — retain data where tax, employment, or contractual law requires, then dispose securely.
- Notify all third parties and data intermediaries, not just your internal systems.
- Non-compliance risks penalties of up to S$1 million or 10% of annual turnover — but documented processes are strongly mitigating.
Handled well, opt-outs build customer trust rather than eroding it. A customer who can leave easily is far more likely to return — and far less likely to file a complaint with the PDPC.
Sources & References
- PDPC — Personal Data Protection Act Overview — official text and summary of the PDPA 2012, including consent provisions.
- PDPC — Advisory Guidelines on Key Concepts in the PDPA — official guidance on consent, withdrawal, and reasonable notice.
- PDPC — Enforcement Decisions — published cases and financial penalties relevant to consent breaches.
- Singapore Statutes Online — Personal Data Protection Act 2012 — full legislative text, including Sections 16 and 25.
- IRAS — Keeping Proper Records and Accounts — official retention requirements relevant to data kept after withdrawal.
Simplify Your Compliance
ComplyHQ's AI can assess your PDPA compliance gaps in under 15 minutes and generate the policies you need.
Try Free AssessmentFrequently Asked Questions
How long does my business have to process a PDPA withdrawal of consent request?
Can I refuse a customer's withdrawal of consent under the PDPA?
Do I have to delete a customer's data when they withdraw PDPA consent?
Ready to get PDPA compliant?
Stop guessing about compliance. ComplyHQ uses AI to assess your gaps, generate policies, and guide you through every PDPA obligation.