PDPA and Email Marketing in Singapore: Consent, Compliance and Best Practices for 2026
Email marketing remains one of the most effective and cost-efficient channels for businesses in Singapore — but it operates within a legal framework that demands careful compliance. The Personal Data Protection Act (PDPA) and the Spam Control Act (SCA) together regulate how organisations collect email addresses, obtain consent to send marketing messages, manage opt-out requests and handle the personal data of email recipients. In 2026, with the Personal Data Protection Commission (PDPC) maintaining active enforcement and consumers increasingly aware of their data rights, running compliant email campaigns is both a legal obligation and a trust-building exercise.
The intersection of the PDPA and the SCA creates a dual compliance requirement for email marketers. The PDPA governs whether you have a lawful basis — typically consent — to collect and use an individual’s email address for marketing purposes. The SCA governs the content, format and sending practices of commercial electronic messages, including requirements for sender identification, subject line accuracy and functional unsubscribe mechanisms. A single marketing email must satisfy both laws to be fully compliant, and violations of either can result in enforcement action and financial penalties.
This guide walks through the specific requirements that affect email marketing in Singapore — from the types of consent recognised under the PDPA and how to obtain them properly, to opt-out mechanisms, record-keeping obligations, SCA compliance requirements, and the penalties that can result from non-compliance.
Express and Deemed Consent for Email
The PDPA recognises multiple forms of consent, and understanding which type applies to your email marketing activities is essential for compliance. Express consent is the most straightforward — the individual clearly and affirmatively agrees to receive marketing emails from your organisation. This typically occurs through an opt-in checkbox on a website form, a written sign-up at an event, or a deliberate action such as clicking a “Subscribe” button on your newsletter page. Express consent is the gold standard for email marketing because it is unambiguous and easy to document.
Deemed consent is more nuanced and arises in situations where an individual’s behaviour or the context of the interaction implies that consent has been given. If a customer provides their email address as part of a purchase transaction, there is deemed consent to send communications related to that transaction — order confirmations, delivery updates and after-sales service. Whether deemed consent extends to marketing emails depends on the circumstances. If a customer purchases a product and you send them promotional emails about similar products, this may fall within deemed consent if a reasonable person would consider it appropriate in the context of that existing relationship.
The 2020 PDPA amendments introduced deemed consent by notification, which allows organisations to notify individuals of a new purpose for using their data and proceed if the individual does not opt out within a reasonable period. For email marketing, this means you could potentially notify existing contacts that you intend to send them a new type of marketing content and, if they do not opt out within the specified period, proceed with deemed consent. However, this mechanism has strict requirements — you must provide clear notice, a reasonable opt-out period, an easy opt-out method, and the new purpose must not be one that would be likely to have an adverse effect on the individual. When in doubt, obtaining express consent through a clear opt-in is always the safer approach for digital marketing campaigns.
Opt-Out and Unsubscribe Requirements
Both the PDPA and the SCA require that recipients of marketing emails have a clear, functional and accessible means of opting out of future communications. Under the PDPA, an individual may withdraw consent for any purpose at any time, and your organisation must facilitate this withdrawal. Under the SCA, every commercial electronic message must include a functional unsubscribe mechanism that allows the recipient to indicate that they do not wish to receive further messages.
Your unsubscribe mechanism must meet specific requirements. It must be clearly visible within the email — typically as an “Unsubscribe” link in the email footer, though best practice is to also include it near the top of the email. It must be functional — clicking the link should lead to a straightforward process, not a multi-step ordeal requiring the recipient to log in, fill out forms, or contact customer service. Under the SCA, the unsubscribe facility must remain functional for at least 30 days after the message is sent. Once a recipient opts out, you must process their request within 10 business days and cease sending marketing emails to that address.
Implement a preference centre rather than a binary subscribe/unsubscribe option. A preference centre allows recipients to choose which types of emails they wish to receive — product updates, promotions, event invitations, industry news — rather than opting out entirely. This approach satisfies the legal requirement for an opt-out mechanism while giving you the opportunity to retain the relationship at a reduced communication frequency. However, ensure that the option to unsubscribe from all communications is prominently available — do not bury it within the preference centre. Maintain a suppression list of all individuals who have opted out and check this list before every campaign send to prevent accidental re-contact, which would be a compliance violation.
Spam Control Act Compliance
The Spam Control Act (SCA) applies specifically to unsolicited commercial electronic messages sent in bulk — a category that includes most marketing emails. Even if you have valid PDPA consent to use a recipient’s email address, your email must also comply with the SCA’s content and format requirements. These two laws operate in parallel, and compliance with one does not automatically satisfy the other.
Under the SCA, every commercial email must include: the sender’s identity (your organisation’s name or the name under which you conduct business), a valid physical address or contact information for the sender, an accurate subject line that is not misleading about the content of the message, and a functional unsubscribe mechanism. The subject line requirement is particularly relevant for marketers — using deceptive or misleading subject lines to increase open rates (such as “Re: Your enquiry” when there was no prior enquiry, or “Urgent: Action required” for a promotional offer) is a violation of the SCA.
The SCA also prohibits certain technical practices associated with spam, including the use of address-harvesting software to collect email addresses from websites, the use of dictionary attack methods to generate email addresses, and the use of falsified header information to disguise the origin of a message. While these practices are more commonly associated with spam operations than legitimate marketing, ensure that your email acquisition methods are transparent and above board. Purchasing email lists from third-party providers carries particular risk, as you have no control over how those addresses were collected and whether the SCA’s prohibitions on harvesting were observed. Building your own opt-in list through your website, events and customer interactions is both more compliant and more effective.
Record-Keeping Obligations
Robust record-keeping is the foundation of PDPA compliance for email marketing. If a complaint is lodged with the PDPC or an individual disputes that they consented to receive your emails, you bear the burden of demonstrating that valid consent was obtained. Without proper records, you cannot defend your compliance — and the PDPC will treat the absence of consent evidence as a compliance failure.
For every email subscriber, maintain records of: the date consent was obtained, the method through which consent was given (website form, event sign-up, in-store registration), the specific purposes communicated at the point of consent (what types of marketing communications they agreed to receive), and the version of the privacy notice or consent form that was in effect at the time. If consent was obtained through a website form, retain logs that capture the form submission, including the IP address and timestamp. If consent was obtained through a physical form, retain the signed form or a scanned copy.
Equally important are records of opt-out requests. Document when each opt-out request was received, through which channel (unsubscribe link, email reply, phone call, in-person request), and when it was processed. Maintain your suppression list permanently — even if you delete other data about an individual, you must retain their opt-out status to ensure you do not inadvertently re-add them to your marketing list. Integrate your record-keeping with your content marketing and email automation platforms to ensure that consent data, opt-in dates, and opt-out requests are captured automatically rather than relying on manual processes that are prone to gaps and errors.
Third-Party Lists and Data Sharing
Using third-party email lists — lists purchased from data brokers, shared by partner organisations, or obtained through co-marketing arrangements — is one of the highest-risk activities in email marketing under the PDPA. When you send marketing emails to individuals on a third-party list, you are using personal data that you did not collect directly, and you must be able to demonstrate that the individuals on that list consented to receive marketing communications from your organisation specifically.
General consent to receive marketing from “partners” or “affiliated companies” is often insufficient under the PDPA. The consent must be specific enough that a reasonable person would understand that they were agreeing to receive communications from your organisation. If you are considering using a third-party list, conduct due diligence: request evidence of how the data was collected, review the consent language used at the point of collection, verify that your organisation or your type of organisation was specifically mentioned, and assess whether the data broker or partner has a track record of PDPA compliance.
When sharing your own customer data with third parties — such as a Google Ads agency running Customer Match campaigns or a co-marketing partner — ensure that your consent mechanism covers this disclosure. Your privacy notice should clearly state that data may be shared with specified third parties or categories of third parties for specified purposes. Enter into data protection agreements with any third party receiving your customer data, specifying how the data will be used, protected, and deleted when the purpose is fulfilled. The PDPA holds you accountable for the data protection practices of your data processors, so choosing partners with strong compliance standards is essential.
Marketing Automation and PDPA
Marketing automation platforms are powerful tools for email marketing — enabling triggered emails, behavioural segmentation, lead scoring, drip campaigns and personalised content delivery. However, the sophistication of these platforms introduces PDPA considerations that marketers must address. Every automated email must satisfy the same consent and compliance requirements as a manually sent campaign, and the complexity of automation workflows can create compliance blind spots if not carefully managed.
Audit your automation workflows for PDPA compliance. Review every trigger that adds a contact to an automated sequence — does the trigger point correspond to a valid consent event? If a website visitor downloads a whitepaper and is automatically enrolled in a 12-email nurture sequence, was the consent obtained at the download point specific enough to cover this extended communication? If a customer makes a purchase and enters a post-purchase email flow, do the emails in that flow go beyond transactional communication into marketing territory, and if so, was marketing consent obtained at checkout?
Pay particular attention to data retention within your automation platform. Marketing automation systems accumulate large volumes of personal data over time — contact records, behavioural data, email engagement history, website tracking data. Under the PDPA’s retention limitation obligation, you must not retain personal data longer than necessary for the purpose for which it was collected. Implement automated data purging rules within your platform — for example, archiving contacts who have not engaged with your emails in 18–24 months, deleting behavioural data after a defined retention period, and ensuring that data for contacts who have opted out is removed from active use while maintaining the suppression record. Regular data hygiene not only supports PDPA compliance but also improves your marketing performance metrics by keeping your database clean and engaged.
Penalties for Non-Compliance
Non-compliance with email marketing regulations under the PDPA and the SCA can result in significant consequences. The PDPC can impose financial penalties of up to S$1 million or 10% of an organisation’s annual turnover in Singapore, whichever is higher, for PDPA breaches. The SCA provides for fines of up to S$25 per unsolicited message, up to a maximum of S$1 million. These penalties can be imposed separately, meaning a single email campaign could theoretically attract enforcement action under both laws.
The PDPC has issued numerous enforcement decisions related to email marketing. Common violations include sending marketing emails without valid consent, failing to provide a functional unsubscribe mechanism, continuing to send emails after a recipient has opted out, collecting email addresses through deceptive means, and inadequately protecting email databases leading to data breaches. Penalties have ranged from warnings and directions for first-time or minor breaches to five- and six-figure financial penalties for serious or repeated violations.
Beyond financial penalties, non-compliant email marketing damages your sender reputation, increases spam complaint rates, reduces deliverability, and erodes the trust that makes email marketing effective. Email service providers and inbox providers use complaint rates and spam reports to determine whether your emails reach the inbox or the spam folder — and recipients who receive unwanted emails are quick to mark them as spam. A compliant, consent-based email programme not only avoids regulatory penalties but also delivers better engagement, higher open rates and stronger customer relationships. Investing in compliance through proper SEO and content strategies that build organic opt-in lists is far more sustainable than risking penalties through non-compliant mass emailing.
Frequently Asked Questions
Do I need consent to send transactional emails?
Transactional emails — order confirmations, shipping notifications, password resets, account updates — are generally not considered marketing communications and do not require marketing consent under the PDPA or the SCA. However, if your transactional emails include promotional content (such as product recommendations or discount codes alongside an order confirmation), the promotional portion may bring the email within the scope of the SCA. Best practice is to keep transactional emails purely transactional, or to clearly separate transactional and promotional content and ensure that recipients have consented to the marketing elements.
Can I email someone who gave me their business card?
Receiving a business card in a professional context generally gives rise to deemed consent under the PDPA for communications related to the business purpose of the interaction. If you met someone at an industry event and exchanged business cards while discussing a potential collaboration, you may follow up by email regarding that collaboration. However, deemed consent from a business card exchange does not extend to adding the person to your general marketing email list for promotional newsletters or campaigns. For ongoing marketing communications, obtain express consent.
How quickly must I process an unsubscribe request?
Under the SCA, you must process unsubscribe requests within 10 business days. Under the PDPA, you must process consent withdrawal requests within a reasonable period. Best practice is to process unsubscribe requests immediately — most email marketing platforms can handle this automatically. If there is a delay, communicate the expected processing time to the individual and ensure no marketing emails are sent during the processing period. Any marketing email sent after an unsubscribe request — even if within the 10-business-day window — risks a complaint and enforcement action.
Is double opt-in required under the PDPA?
Double opt-in — where a subscriber must confirm their subscription by clicking a link in a confirmation email — is not legally required under the PDPA. Single opt-in (where the individual submits their email address and is immediately added to the list) is sufficient, provided the consent is clearly and voluntarily given. However, double opt-in is strongly recommended as a best practice because it provides stronger evidence of consent, confirms the email address is valid and owned by the subscriber, reduces bot sign-ups, and produces higher-quality email lists with better engagement rates.
Can I re-engage subscribers who have not opened emails in months?
Yes, sending re-engagement emails to inactive subscribers is permissible as long as they have not opted out and their original consent remains valid. However, if subscribers have been inactive for an extended period (12–24 months), consider whether continued emailing serves a legitimate purpose and whether the original consent is still meaningful. A best practice is to send a re-engagement email asking if they wish to continue receiving your communications, and to remove those who do not respond. This approach respects the spirit of the PDPA while maintaining a clean, engaged list.
Does the PDPA apply to emails sent from overseas to Singapore recipients?
The PDPA applies to organisations that collect, use or disclose personal data in Singapore, regardless of where the organisation is based. If you are an overseas organisation sending marketing emails to individuals in Singapore using personal data collected in Singapore (for example, through a Singapore-facing website), the PDPA applies to your activities. Ensure your email marketing practices comply with the PDPA when targeting Singapore recipients, even if your organisation is headquartered elsewhere.