Spam Control Act Singapore: A Complete Guide for Marketers in 2026

Every business in Singapore that sends commercial emails, SMS messages, or fax communications is subject to the Spam Control Act 2007 (SCA). Despite being nearly two decades old, the Act remains a cornerstone of Singapore’s digital marketing regulations — and many businesses still fall foul of its requirements. Whether you are sending promotional newsletters, cart abandonment emails, or seasonal sale notifications, the SCA dictates how, when, and to whom you can send these messages.

The Spam Control Act works alongside the Personal Data Protection Act 2012 (PDPA) to create a two-layered compliance framework. The SCA governs the sending of unsolicited commercial messages, while the PDPA regulates the collection and use of the personal data (email addresses, phone numbers) needed to send those messages. Getting one right but not the other still leaves your business exposed to enforcement action.

This guide explains the key provisions of the Spam Control Act as they apply to marketing activities in Singapore in 2026, with practical guidance on building compliant messaging programmes that deliver results without legal risk.

What Counts as Spam Under the SCA

The Spam Control Act defines “unsolicited commercial electronic messages” as messages sent in bulk to recipients who have not requested them, where the primary purpose is to advertise, promote, or offer goods, services, or business opportunities. The Act covers three communication channels: email, SMS, and fax.

Understanding what qualifies as a commercial message is critical because the distinction determines whether the SCA applies:

  • Promotional emails: Newsletters promoting products, sale announcements, new product launches, and marketing content are all commercial messages. Even a blog update email is commercial if it includes promotional links or calls to action.
  • Transactional emails: Order confirmations, shipping notifications, password resets, and account updates are generally not commercial messages — provided their primary purpose is transactional. However, adding significant promotional content to a transactional email can reclassify it as commercial.
  • Mixed-purpose messages: If a message contains both transactional and promotional content, the SCA looks at the primary purpose. If the promotional content is incidental to the transaction, the message may remain transactional. If the promotional content is the main reason for sending the message, it is commercial.
  • B2B messages: The SCA applies to both business-to-consumer and business-to-business communications. Sending unsolicited promotional emails to business contacts without consent is still spam under the Act.

A common misconception is that the SCA only applies to mass emails sent to purchased lists. In reality, any unsolicited commercial message — even one sent to a single recipient — can constitute spam if the required consent and identification requirements are not met. Our email marketing services are designed to keep your campaigns compliant from the ground up.

The Spam Control Act requires that recipients have given consent before receiving commercial messages. Consent under the SCA can be either express or inferred, but the rules differ depending on the channel and the existing relationship with the recipient.

Express consent is the clearest form of permission. It occurs when a recipient actively opts in to receive messages — for example, by ticking a subscription checkbox on your website, completing a sign-up form, or verbally agreeing to receive updates. Express consent should always be your primary mechanism.

Inferred consent applies in specific circumstances:

  • Existing business relationship: If a person has purchased from your business within the preceding 12 months, you may infer consent to send them commercial messages related to similar products or services. This exception is narrower than many businesses assume — it does not authorise sending unrelated promotions.
  • Published contact details: If a person has published their email address or phone number without indicating that they do not wish to receive commercial messages, consent may be inferred for messages relevant to their role or business.
  • Enquiry-based consent: If a person initiates contact with your business — submitting an enquiry form, requesting a quote, or visiting your premises — you may infer consent for follow-up messages directly related to their enquiry.

Regardless of the type of consent, you must maintain records demonstrating when and how consent was obtained. If a dispute arises, the burden of proof rests with the sender. This is where a well-implemented website with proper consent mechanisms becomes essential.

Opt-Out Mechanisms and the Do Not Call Registry

The Spam Control Act requires every commercial message to include a functional opt-out mechanism. This requirement is non-negotiable — even if the recipient originally gave express consent, they must always have the ability to withdraw it.

Opt-out requirements under the SCA:

  • Clear unsubscribe option: Every commercial email must contain a clearly visible unsubscribe link or instruction. The opt-out process must be simple — requiring no more than a single click or a reply email. Requiring recipients to log in, fill out forms, or call a phone number is non-compliant.
  • Timely processing: Opt-out requests must be processed within 10 business days. Best practice in 2026 is immediate or same-day processing — modern email marketing platforms handle this automatically.
  • No conditions: You cannot charge a fee for unsubscribing, require the recipient to provide a reason, or impose any other conditions on the opt-out process.
  • Permanent effect: Once a recipient opts out, you must not send them further commercial messages unless they subsequently provide fresh consent. Adding unsubscribed addresses back to your mailing list is a violation.

For SMS and phone-based marketing, the Do Not Call (DNC) Registry maintained by the PDPC adds another layer. Before sending marketing SMS messages or making telemarketing calls, businesses must check their contact lists against the DNC Registry. Sending messages to numbers on the registry without clear and unambiguous consent is an offence under the PDPA. The DNC Registry applies to Singapore telephone numbers and covers voice calls, SMS, MMS, and fax messages.

Sender Identification Requirements

The Spam Control Act mandates that every commercial message clearly identifies the sender. This requirement serves two purposes: it allows recipients to know who is contacting them, and it provides a point of contact for opt-out requests and complaints.

Specific identification requirements include:

  • Sender’s identity: The message must clearly state the name of the person or business sending the message. Using misleading sender names, fake email addresses, or disguised phone numbers is a specific offence under the SCA.
  • Contact information: The message must include a valid physical address or a valid and functioning return email address or phone number where the sender can be contacted.
  • Accurate header information: For emails, the “From,” “To,” and routing information must be accurate and not misleading. Using forged headers, spoofed email addresses, or relayed messages designed to obscure the sender’s identity is prohibited.
  • Subject line accuracy: The subject line of a commercial email must not be misleading about the content of the message. Subject lines designed to trick recipients into opening the email — such as fake “Re:” prefixes or misleading urgency — violate the SCA.

Proper sender identification also benefits your marketing performance. Emails with clear, recognisable sender names have higher open rates and lower spam complaint rates. Misleading practices might increase short-term opens but will damage your sender reputation and deliverability over time. For guidance on building sender reputation alongside compliance, explore our content marketing services.

Penalties and Enforcement

The Spam Control Act is enforced by the Infocomm Media Development Authority (IMDA), while the PDPA provisions — including the DNC Registry — are enforced by the Personal Data Protection Commission (PDPC). Penalties under these frameworks are substantial and have been applied with increasing frequency.

Under the Spam Control Act:

  • Civil action: Recipients of spam can take private civil action against senders to recover damages. The court may award compensation for the cost and inconvenience of receiving spam, and may impose additional damages of up to SGD 25 per message, capped at SGD 1 million in aggregate.
  • ISP remedies: Internet service providers can take action against spammers, including blocking their services and recovering costs associated with handling spam complaints and infrastructure strain.

Under the PDPA (for DNC violations):

  • Financial penalties: The PDPC can impose financial penalties of up to SGD 1 million for organisations that breach DNC provisions. For serious or repeated offences, penalties can reach 10 per cent of annual turnover.
  • Directions: The PDPC can issue directions requiring businesses to stop sending messages, destroy data collected in breach of the Act, or implement specific compliance measures.

In practice, the PDPC has been increasingly active in enforcement. Several Singapore businesses have faced five- and six-figure fines for sending marketing messages to numbers on the DNC Registry or for failing to process opt-out requests within the required timeframe.

Intersection with the PDPA

The Spam Control Act and the PDPA are complementary but distinct pieces of legislation. Businesses must comply with both, and the intersection creates specific compliance obligations that are easy to overlook.

The PDPA governs the collection, use, and disclosure of personal data — which includes the email addresses and phone numbers you use for marketing. Before you even consider the SCA’s consent requirements for sending messages, you must first have a lawful basis under the PDPA for possessing the recipient’s contact information.

Key areas of intersection:

  • Dual consent: You need consent under the PDPA to collect and use the personal data (the email address) and consent under the SCA to send commercial messages to that address. In practice, a single well-drafted consent mechanism can satisfy both requirements — but it must explicitly cover both data collection and marketing communications.
  • Withdrawal of consent: Under the PDPA, individuals can withdraw consent for the use of their personal data at any time. This is broader than the SCA’s opt-out mechanism — a PDPA withdrawal may require you to delete the contact data entirely, not just stop sending messages.
  • Data breach notification: If your email marketing database is compromised, the PDPA’s mandatory data breach notification requirements apply. You must notify the PDPC and affected individuals if the breach is likely to result in significant harm.
  • Overseas transfers: If you use an email marketing platform hosted outside Singapore, the PDPA’s cross-border data transfer provisions apply to the personal data stored on that platform.

The practical takeaway is that compliant pemasaran digital in Singapore requires a unified approach to data protection and messaging compliance, not siloed efforts for each regulation.

Building Compliant Email Marketing Practices

Compliance with the Spam Control Act should not be treated as a burden — it is an opportunity to build higher-quality marketing programmes that deliver better results. Permission-based email marketing consistently outperforms spam in every metric: open rates, click-through rates, conversion rates, and customer lifetime value.

Practical steps for compliant email marketing in 2026:

  1. Use double opt-in: Require new subscribers to confirm their subscription via a confirmation email. This creates a clear record of consent and reduces fake sign-ups and spam complaints. While not legally required, double opt-in is best practice and improves list quality significantly.
  2. Maintain a suppression list: Keep a permanent list of all individuals who have opted out. Before every campaign send, check your mailing list against this suppression list. Modern email marketing platforms automate this, but you should verify the process is functioning correctly.
  3. Audit your list sources regularly: Review where your email addresses come from. Purchased or rented lists almost certainly violate both the SCA and the PDPA. Even lists built organically can degrade over time — regularly remove inactive subscribers and re-confirm consent for older contacts.
  4. Segment and personalise: Sending relevant content to targeted segments reduces unsubscribe rates and spam complaints. A well-segmented campaign using our SEO-driven content strategy keeps your audience engaged and your compliance risk low.
  5. Document everything: Maintain records of consent, including when it was obtained, how it was obtained, and what the subscriber was told. Keep records of all opt-out requests and when they were processed. This documentation is your defence if a complaint is made.
  6. Test your opt-out process: Regularly test your unsubscribe mechanism to ensure it works correctly. A broken unsubscribe link is both a compliance violation and a customer experience failure.

For businesses looking to build or overhaul their email marketing operations, our perkhidmatan pemasaran bersepadu combine email, social media, and content marketing within a fully compliant framework.

Soalan Lazim

Does the Spam Control Act apply to WhatsApp marketing messages?

The SCA specifically covers email, SMS, and fax. WhatsApp messages fall outside the SCA’s technical scope. However, WhatsApp marketing is still regulated under the PDPA — you need consent to collect and use the recipient’s phone number for marketing purposes, and you must respect the DNC Registry for phone-based marketing. WhatsApp’s own terms of service also restrict unsolicited commercial messaging and can result in account bans.

Can I send marketing emails to people who gave me their business card?

Receiving a business card may provide a basis for inferred consent under the SCA if the context suggests the person would reasonably expect to receive marketing communications from you. However, the consent is limited to messages relevant to the context in which the card was exchanged. A business card received at a technology conference does not authorise promotional emails about unrelated products. Best practice is to follow up with a confirmation or opt-in request before adding the contact to your regular marketing list.

What is the penalty for sending a single unsolicited commercial email?

While enforcement typically focuses on bulk or repeated offending, the SCA allows civil action for individual messages. A recipient can seek damages of up to SGD 25 per message. More significantly, a single complaint can trigger a PDPC investigation that examines your broader marketing practices, potentially uncovering systemic non-compliance that results in much larger penalties.

How does the Spam Control Act affect email marketing to overseas recipients?

The SCA applies to messages sent from or to Singapore. If you are a Singapore business sending emails to overseas recipients, the SCA applies, and you must also comply with the spam laws of the recipient’s country — such as the CAN-SPAM Act in the United States, GDPR in the European Union, or Australia’s Spam Act 2003. Conversely, overseas businesses sending commercial emails to Singapore recipients are subject to the SCA.

Is there a safe harbour for transactional emails that include some promotional content?

The SCA does not define a precise threshold for when a transactional email becomes commercial. The test is the primary purpose of the message. If the main reason for sending the email is to provide transactional information — such as an order confirmation — and the promotional content is secondary and incidental, the message is generally treated as transactional. However, if the promotional content is prominent or the transactional content is merely a pretext, the message is commercial and must comply with the SCA in full.

Do I need to check the DNC Registry before every email campaign?

The DNC Registry applies to phone calls, SMS, MMS, and fax — not email. You do not need to check the DNC Registry before sending emails. However, if your marketing programme includes SMS campaigns alongside email, you must check the registry before each SMS send or at least every 30 days if you are maintaining an ongoing messaging list. The PDPC provides an API for automated checking against the registry.