PDPA SMS Marketing Singapore | MarketingAgency.sg


PDPA and SMS Marketing in Singapore: A Compliance Guide for 2026

SMS marketing offers businesses in Singapore a direct, high-open-rate channel to reach customers — with SMS open rates consistently exceeding 90%, far above email’s typical 20–30%. However, the very directness that makes SMS effective also makes it one of the most heavily regulated marketing channels under Singapore’s Personal Data Protection Act (PDPA). The PDPA’s Do Not Call (DNC) provisions, consent requirements and the Spam Control Act (SCA) collectively create a strict compliance framework that businesses must navigate before sending a single marketing text message.

The regulatory landscape for SMS marketing in Singapore is more prescriptive than for most other channels. Before you can send a promotional SMS, you must verify that the recipient’s number is not on the DNC registry’s No Text Message register, confirm that you have valid consent to send marketing messages to that number, ensure your message meets SCA content requirements, and provide a clear opt-out mechanism. Each of these requirements carries its own set of rules, exceptions and penalties — and failing at any step can result in enforcement action by the Personal Data Protection Commission (PDPC).

This guide provides a practical, step-by-step approach to running PDPA-compliant SMS marketing campaigns in Singapore — from DNC registry checks and consent collection to bulk SMS rules, opt-out handling, penalty exposure, and the operational setup that keeps your digital marketing activities on the right side of the law.

DNC Registry Checks for SMS

The Do Not Call (DNC) registry is the first and most critical compliance checkpoint for SMS marketing in Singapore. Managed by the PDPC, the DNC registry allows Singapore telephone number users to register their numbers on the No Text Message register, indicating that they do not wish to receive marketing text messages. Before sending any marketing SMS, organisations must check the recipient’s number against this register — and must not send to numbers that are registered, unless a valid exemption applies.

DNC checks must be performed no more than 30 days before the marketing message is sent. This 30-day validity window means that a check performed on 1 January is valid for messages sent up to 31 January, but not beyond. For organisations running regular SMS campaigns, this necessitates a routine checking schedule — ideally integrated into your campaign workflow so that every send is preceded by a fresh check or falls within the validity window of a recent check. The PDPC provides both an online checking facility for individual numbers and a bulk checking service for larger lists, accessible through the DNC registry website.

There are limited exemptions to the DNC requirement. The most relevant for marketers is the clear and unambiguous consent exemption — if an individual has given specific consent to receive marketing text messages from your organisation, you may send to their number regardless of its DNC registration status. However, this consent must be express, specific to your organisation, and documented. A general consent to “receive marketing messages” given to a third party does not constitute clear and unambiguous consent from your organisation. The existing relationship exemption allows organisations to send marketing messages to individuals with whom they have an ongoing relationship, but only if the message relates to the subject matter of that relationship. Always document your exemption basis for each contact to ensure you can justify your compliance position if challenged.

Beyond the DNC registry, the PDPA’s consent obligation requires organisations to obtain valid consent before using an individual’s phone number for marketing purposes. Even if a number is not on the DNC register, you still need a lawful basis — typically consent — to collect and use that number for SMS marketing. The consent must cover both the collection of the phone number and its use for sending marketing text messages specifically.

Express consent is the most defensible form for SMS marketing. This typically involves the individual providing their phone number through a form or interaction that clearly states the number will be used for promotional SMS communications. Examples include: a website form with a separate checkbox for SMS marketing consent (“I agree to receive promotional SMS messages from [Organisation Name]”), an in-store sign-up form with explicit SMS marketing language, or a keyword-based opt-in where the individual texts a keyword (such as “JOIN”) to your shortcode, thereby actively initiating the subscription.

Deemed consent may apply in limited circumstances — for example, if a customer provides their phone number during a transaction and you send SMS communications reasonably related to that transaction or the ongoing customer relationship. However, relying on deemed consent for SMS marketing is riskier than for email, given the more intrusive nature of text messages and the heightened regulatory scrutiny on phone-based marketing. If you plan to use a customer’s phone number for promotional SMS beyond transactional notifications, obtain explicit opt-in consent at the point of collection. Ensure that your consent language is specific — a consent to receive “communications” is less clear than a consent to receive “promotional text messages about our products and offers.” Specificity protects both the individual and your organisation in the event of a complaint.

Bulk SMS Rules and Regulations

Bulk SMS — sending the same or similar marketing messages to a large number of recipients simultaneously — is the most common form of SMS marketing and attracts the full weight of PDPA and SCA regulation. Every bulk SMS campaign must satisfy DNC compliance, consent requirements, and SCA content standards for each individual recipient. There is no volume-based exemption — the same rules apply whether you are sending 100 messages or 100,000.

When engaging a bulk SMS service provider — a third-party platform that handles the technical delivery of your text messages — you must ensure that the provider operates within the PDPA framework. You remain responsible for the data protection compliance of your campaign, even if a third party handles the technical sending. Verify that your SMS provider has appropriate data security measures, does not retain your recipient data beyond the campaign period without your authorisation, and does not use your recipient data for any purpose other than delivering your messages. Enter into a data processing agreement with your provider that specifies these obligations.

Segment your SMS campaigns carefully to maximise relevance and minimise complaints. Unlike email marketing, where a poorly targeted message might simply be ignored, an unwanted SMS is experienced as intrusive and is more likely to trigger a complaint to the PDPC. Use your customer data to send targeted, relevant messages — promotional offers based on purchase history, location-relevant notifications, or time-sensitive deals that genuinely add value to the recipient. Indiscriminate blast messaging to your entire database not only risks compliance issues but also damages your brand perception and increases opt-out rates. Quality of targeting directly correlates with both compliance safety and campaign effectiveness.

Opt-Out Requirements and Mechanisms

Every marketing SMS must include a clear and functional opt-out mechanism that allows the recipient to stop receiving further messages from your organisation. Under the SCA, this is a mandatory requirement for commercial electronic messages. Under the PDPA, individuals have the right to withdraw consent at any time, and your organisation must provide a means to do so.

The most common opt-out mechanism for SMS is a reply keyword — including language such as “Reply STOP to opt out” at the end of your message. This mechanism must be functional, meaning that when a recipient replies with the designated keyword, they are automatically removed from your marketing list and no further messages are sent. Other acceptable mechanisms include providing a phone number to call, a website URL to visit, or an email address to contact — but the reply keyword method is preferred because it is immediate, requires minimal effort from the recipient, and can be processed automatically.

Process opt-out requests promptly. Under the SCA, you must cease sending marketing messages within 10 business days of receiving an opt-out request, though best practice is to process opt-outs immediately through automated systems. Maintain a permanent suppression list of opted-out numbers and cross-check every campaign send against this list. Never re-add an opted-out number to your marketing list without obtaining fresh, explicit consent — and be cautious about seeking re-consent too soon after an opt-out, as this can be perceived as harassment. If an individual opts out via one channel (SMS), consider whether this withdrawal of consent should apply across other channels (advertising, email) as well, and communicate with the individual about the scope of their opt-out to avoid confusion.

Spam Control Act and SMS

The Spam Control Act applies to unsolicited commercial electronic messages, a category that includes marketing SMS messages. While the SCA is often discussed in the context of email, its provisions apply equally to text messages and carry specific requirements that SMS marketers must satisfy alongside their PDPA obligations.

Every commercial SMS must identify the sender — either by the sender name displayed in the message header or within the message body itself. If your SMS is sent from a shortcode or alphanumeric sender ID, ensure that the sender ID clearly identifies your organisation. Within the message body, include your organisation’s name if the sender ID is not immediately recognisable. The message must not use misleading subject matter or content — do not misrepresent the nature of the offer, the identity of the sender, or the terms of any promotion. Include a functional unsubscribe mechanism as described above.

The SCA also creates a right of private action — individuals who receive messages in contravention of the Act can bring civil proceedings for damages in addition to any enforcement action by the PDPC. This means that non-compliant SMS marketing exposes your organisation to both regulatory penalties and private litigation. While private actions under the SCA are relatively uncommon, the possibility adds another layer of risk to non-compliant SMS practices. Compliance with the SCA’s requirements is straightforward — clear sender identification, honest content, and a functional opt-out — and should be built into every SMS template as a matter of course.

Setting Up a Compliant SMS Campaign

Running a PDPA-compliant SMS campaign requires a systematic pre-send workflow that incorporates all regulatory requirements. Following this process for every campaign ensures compliance becomes a routine operational practice rather than an afterthought that risks being missed.

Step one: verify your contact list. Ensure every phone number on your list was collected with valid consent for SMS marketing purposes. Review the consent records — when and how consent was obtained, and whether the consent language specifically covered promotional text messages. Remove any numbers for which you cannot verify consent. Step two: perform a DNC registry check. Submit your contact list to the PDPC’s DNC checking service and remove all numbers registered on the No Text Message register, unless you hold documented clear and unambiguous consent from those specific individuals. Note the date of your DNC check — it is valid for 30 days. Step three: cross-check against your suppression list. Remove any numbers belonging to individuals who have previously opted out of your SMS communications.

Step four: draft your message with compliance in mind. Include your organisation’s name, the promotional content, and a clear opt-out instruction (“Reply STOP to opt out”). Keep the message within SMS character limits where possible — ideally under 160 characters for a single SMS segment to minimise cost and improve readability. Step five: test your opt-out mechanism. Send a test message and reply with your designated opt-out keyword to confirm that the automated suppression process works correctly. Step six: send your campaign and monitor responses. Process any opt-out replies immediately, handle any replies or enquiries promptly, and document all campaign details — send date, recipient count, DNC check date, message content — for your compliance records. This systematic approach, combined with a strong social media and multi-channel strategy, ensures every SMS campaign meets regulatory requirements.

Penalties and Enforcement

The penalties for non-compliant SMS marketing in Singapore are substantial and reflect the regulators’ view that phone-based marketing intrusions warrant strong deterrence. Under the PDPA, the PDPC can impose financial penalties of up to S$1 million or 10% of an organisation’s annual turnover in Singapore, whichever is higher. DNC-specific violations — sending marketing messages to registered numbers without valid consent — can attract penalties of up to S$1 million per breach. Under the SCA, penalties of up to S$25 per non-compliant message can accumulate to a maximum of S$1 million.

The PDPC has actively enforced DNC violations against organisations of all sizes, from small businesses to large corporations. Published enforcement decisions reveal common violations: failing to check the DNC registry before sending marketing SMS, continuing to send messages after opt-out requests, using phone numbers collected for one purpose (such as delivery notifications) to send unrelated marketing messages, and failing to maintain adequate records of consent. Penalties have ranged from warnings for isolated incidents to financial penalties exceeding S$100,000 for systematic or repeated violations.

Beyond regulatory penalties, non-compliant SMS marketing generates customer complaints, damages brand reputation, and can trigger negative publicity when enforcement decisions are published. In an era where consumers are increasingly protective of their personal space and digital privacy, receiving unwanted marketing text messages creates a strongly negative brand impression that is difficult to reverse. Compliance is not merely a regulatory requirement — it is fundamental to maintaining the customer trust on which effective content and marketing strategies depend.

Frequently Asked Questions

Can I send marketing SMS to existing customers without checking the DNC?

Only if the customer has given clear and unambiguous consent to receive marketing text messages from your organisation specifically. If a customer provided their phone number for transactional purposes (such as delivery updates) but did not explicitly consent to marketing SMS, you must check the DNC registry before sending promotional messages. The existing relationship does not automatically exempt you from DNC requirements for marketing communications.

How often do I need to check the DNC registry?

You must perform a DNC check no more than 30 days before sending a marketing message. If you run monthly SMS campaigns, you need a fresh DNC check each month. If you send weekly campaigns, a single monthly check covers all sends within that 30-day window, but you must ensure that no send falls outside the validity period of your most recent check. The PDPC provides a bulk checking service to facilitate regular checks for organisations with large contact lists.

What happens if I accidentally send an SMS to a DNC-registered number?

An accidental send to a DNC-registered number is still a violation of the PDPA. However, the PDPC considers the circumstances and severity of the breach when determining penalties. Isolated, accidental violations that are promptly addressed may result in a warning or direction rather than a financial penalty. Demonstrating that you had compliance processes in place (DNC checking procedures, staff training, suppression list management) and that the error was genuinely inadvertent — rather than the result of systemic non-compliance — will mitigate the penalty. Report the error, investigate the cause, and implement measures to prevent recurrence.

Can I use SMS for appointment reminders without consent?

Appointment reminders are generally considered transactional or service-related communications rather than marketing messages, and they fall outside the scope of the DNC provisions and the SCA. If a patient provides their phone number to a clinic for appointment management, sending an SMS reminder for an upcoming appointment is a use consistent with the purpose for which the number was collected. However, if you include promotional content in the appointment reminder (such as advertising a new service or offering a discount), the message may be treated as a marketing communication subject to DNC and consent requirements.

Is WhatsApp marketing subject to the same PDPA rules as SMS?

Yes. The PDPA’s consent and data protection obligations apply to all channels through which you collect and use personal data, including WhatsApp. If you use a customer’s phone number to send marketing messages via WhatsApp, you need valid consent for that purpose. However, WhatsApp messages may not fall under the DNC registry provisions in the same way as traditional SMS, as the DNC registry specifically covers voice calls, text messages and faxes sent to Singapore telephone numbers. Regardless of the DNC technicality, PDPA consent requirements apply fully, and sending unwanted marketing messages via WhatsApp can still result in complaints and enforcement action.

What is the maximum number of SMS I can send per campaign?

There is no legal cap on the number of marketing SMS messages you can send in a single campaign, provided every message complies with the PDPA and SCA requirements — valid consent, DNC clearance, proper content, and functional opt-out. The practical limit is determined by your compliant contact list size. However, sending very high volumes may attract scrutiny from the PDPC and telecommunications providers. Focus on sending fewer, well-targeted messages to consenting recipients rather than maximising volume, as this approach yields better engagement and lower regulatory risk.