Global Privacy Laws: Singapore PDPA

The Personal Data Protection Act (PDPA) is Singapore’s comprehensive data protection regulation, broadly aligning with global privacy standards. It aims to regulate personal data processing, protect individuals’ privacy and fundamental rights, and provide legal certainty for data handling.

Overview

The Singapore Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. The PDPA focuses primarily on information management, and its purpose is “to govern the collection, use and disclosure of personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”

Key Dates

  • Signed into law: October 15, 2012
  • Effective date: July 2, 2014

Thresholds

Singapore’s PDPA has universal applicability; it applies to all organizations — regardless of size or industry — that collect, use, or disclose personal data in Singapore. Unlike some other regulations, there is no minimum threshold (e.g., a specific number of employees or the amount of data collected) that exempts an organization from complying with the PDPA.

Consumer Rights

  • Right of Access – Individuals can request access to their personal data held by an organization and to information about how it has been used or disclosed within the past year.
  • Right to Correction – Individuals can request that an organization correct any inaccurate or incomplete personal data about them.
  • Right to Withdraw Consent – Individuals can withdraw consent for the collection, use, or disclosure of their personal data at any time, though reasonable notice and potential contractual limitations may apply.
  • Right to be Informed – Individuals have the right to be informed about the purposes for which their personal data is being collected, used, or disclosed by an organization.
  • Right to Data Portability – Individuals can request that their personal data be transmitted in a machine-readable format from one organization to another.
  • Right to Restrict Processing – In certain situations, individuals can request the restriction of the processing of their personal data. This means that organizations can continue to store the data but not use it for processing purposes.
  • Right to Object – Individuals can object to the use of their personal data for certain purposes, such as direct marketing.
  • Right to Non-Discrimination – Individuals have the right to not be subjected to discriminatory practices based on their exercise of any of these data protection rights.

Sensitive Data

The PDPA does not provide a specific definition of “sensitive data.” Instead, it requires organizations to implement reasonable security measures that match the sensitivity of the information handled. In practice, advisory guidelines highlight specific categories—such as data related to minors, financial details, medical and genetic information, and personal attributes like race, ethnicity, or religious and political beliefs—as requiring stronger safeguards due to the greater potential for harm if misused.

Penalties

  • Fines of up to S$1 million or 10% of the organization's annual turnover in Singapore, whichever is higher, can be imposed for non-compliance.

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like PDPA in Singapore vs. CCPA in California). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like CCPA in California).

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Express
  • Blocking Mode: Strict
  • Google Consent Mode V2: Basic
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Off
  • Enable Do Not Sell Consent: Off
  • Enable Global Privacy Control: Off

Current PDPA requirements do not explicitly require Do Not Sell or Global Privacy Control, but you can enable these features if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally since regulations like CCPA/CPRA do require Do Not Sell and Global Privacy Control.

For step-by-step instructions on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.

While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher-level splits (like separate GDPR and United States regions, only adding additional regions for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.