Website Legal Checklist Singapore | MarketingAgency.sg


Website Legal Checklist for Singapore Businesses in 2026

Your website is often the first point of contact between your business and potential customers. It is also, from a legal perspective, one of your most exposed assets. Every form that collects personal data, every cookie that tracks visitor behaviour, every product claim on a landing page and every missing disclosure creates potential legal liability. In Singapore, where the PDPA is actively enforced and consumer protection standards are rising, a website that lacks proper legal foundations is a compliance risk waiting to materialise.

The problem most Singapore businesses face is not a lack of awareness—most know they need a privacy policy and terms of use—but a lack of thoroughness. Legal requirements for websites extend well beyond a boilerplate privacy page copied from a template. Cookie consent mechanisms, accessibility standards, industry-specific disclaimers, data collection notices, copyright protections and contact information requirements all form part of a compliant website. Missing even one element can expose your business to regulatory action, lawsuits or platform penalties.

This checklist covers every legal element your Singapore website needs in 2026. Whether you are building a new site with our web design team or auditing an existing one, work through each section systematically to ensure your website meets current legal standards and protects your business from unnecessary risk.

Privacy Policy Requirements

A privacy policy is not optional for any Singapore website that collects personal data—and virtually every business website does, whether through contact forms, email sign-ups, analytics tools or e-commerce transactions. Under the PDPA, organisations must inform individuals of the purposes for which their personal data is being collected, used and disclosed. Your privacy policy is the primary mechanism for fulfilling this obligation.

A compliant privacy policy for a Singapore website should include:

  • Types of data collected: Clearly list the categories of personal data your website collects. This includes obvious items like names and email addresses, but also IP addresses, device information, browsing behaviour and any data collected through cookies or tracking pixels.
  • Purposes of collection: Explain why you collect each type of data. Common purposes include processing enquiries, fulfilling orders, sending marketing communications, improving website performance and conducting analytics. Be specific rather than vague.
  • Third-party sharing: Disclose all third parties with whom you share personal data. This includes analytics providers (Google Analytics), advertising platforms (Meta, Google Ads), email marketing tools, payment processors and any other service providers that receive visitor data.
  • Data retention periods: State how long you retain personal data and the criteria used to determine retention periods. Under the PDPA, you must not retain personal data longer than necessary for the purpose for which it was collected.
  • Access and correction rights: Explain how individuals can request access to or correction of their personal data. Provide a clear process and contact details for submitting such requests.
  • Data Protection Officer: Include the contact details of your Data Protection Officer (DPO) or the person responsible for data protection matters in your organisation.
  • Updates to the policy: State how and when the policy may be updated, and how users will be informed of changes.

Place your privacy policy in an easily accessible location—typically linked in the website footer and at every point where personal data is collected. Avoid legal jargon where possible; the PDPC encourages plain-language privacy policies that consumers can actually understand.

Terms of Use

Terms of use (also called terms and conditions or terms of service) establish the rules governing how visitors may use your website. While not strictly required by Singapore law for all websites, they are essential for protecting your business, particularly if your site offers e-commerce, user accounts, downloadable content or any form of interactive service.

Key elements to include in your website’s terms of use:

  • Acceptance of terms: Clearly state that by using the website, visitors agree to be bound by the terms. For e-commerce sites, use a clickwrap mechanism (requiring users to actively check a box) rather than a browsewrap approach (assuming agreement through continued use).
  • Intellectual property rights: Assert your ownership of website content, logos, design elements and any proprietary materials. Specify what visitors may and may not do with your content.
  • User conduct: If your website allows user-generated content, comments or reviews, set clear rules for acceptable conduct and reserve the right to remove content that violates your standards.
  • Limitation of liability: Include reasonable limitations on your liability for errors, interruptions or losses arising from the use of your website. These clauses must be fair and reasonable under Singapore law.
  • Governing law: Specify that the terms are governed by the laws of Singapore and that disputes will be resolved in Singapore courts (or through alternative dispute resolution if preferred).
  • E-commerce terms: If you sell products or services online, include detailed terms covering pricing, payment, delivery, returns, refunds and cancellations. These must comply with the Consumer Protection (Fair Trading) Act and the Electronic Transactions Act.

Have your terms of use reviewed by a Singapore-qualified lawyer, particularly if your website involves e-commerce, subscription services or significant user interactions. Template terms downloaded from the internet rarely account for Singapore-specific legal requirements.

Cookies and similar tracking technologies are used by virtually every modern website—for analytics, advertising, personalisation and functionality. While Singapore’s PDPA does not have cookie-specific provisions equivalent to the EU’s ePrivacy Directive, the PDPC has clarified that cookies that collect personal data (such as those used for behavioural tracking and targeted advertising) fall under PDPA requirements. Additionally, if your website has visitors from the EU, UK or other jurisdictions with strict cookie laws, you need a compliant cookie consent mechanism regardless.

Best practices for cookie compliance on Singapore websites:

  • Cookie notice: Display a clear cookie notice informing visitors that your website uses cookies. Explain the types of cookies used (essential, analytics, advertising, functional) and their purposes.
  • Consent mechanism: Implement a cookie consent banner that allows visitors to accept or reject non-essential cookies. Provide granular controls so visitors can consent to specific cookie categories rather than an all-or-nothing choice.
  • Cookie policy: Publish a detailed cookie policy (either as a standalone page or a section within your privacy policy) listing all cookies used on your site, their purposes, durations and the third parties that set them.
  • Prior consent for tracking cookies: Do not load non-essential cookies (particularly advertising and analytics cookies) until the visitor has provided consent. This requires technical implementation using a consent management platform (CMP).
  • Regular cookie audits: Scan your website periodically to identify all cookies being set, including those added by third-party scripts and plugins. New cookies can appear when you add tools or update plugins without your knowledge.

If your SEO strategy relies on analytics data, ensure your analytics implementation respects cookie consent preferences. Google Analytics 4 supports consent mode, which adjusts data collection based on user consent status without completely eliminating tracking capabilities.

PDPA Compliance for Websites

Beyond the privacy policy, several website elements require specific attention to ensure full PDPA compliance. The PDPC’s enforcement decisions provide useful guidance on what constitutes adequate compliance for websites.

PDPA website compliance checklist:

  • Collection limitation: Only collect personal data that is necessary for the stated purpose. If a contact form asks for name and email, do not also require phone number, NRIC or date of birth unless genuinely needed.
  • Consent for marketing: If your website sign-up forms include a marketing opt-in, it must be a separate, unchecked checkbox—not a pre-ticked box or a bundled consent with terms acceptance.
  • Form security: All forms that collect personal data must be transmitted over HTTPS. Ensure your SSL certificate is valid and covers all pages, not just the checkout or login pages.
  • Data storage security: Personal data collected through your website must be stored securely, with appropriate access controls, encryption and backup procedures. If you use a cloud-based CMS or form tool, verify that the provider’s security standards meet PDPA requirements.
  • Intermediary obligations: If your website uses third-party tools that process personal data (chatbots, CRM integrations, analytics platforms), you remain responsible for ensuring these tools comply with PDPA requirements. Execute data processing agreements with all third-party providers.
  • Breach notification readiness: Implement monitoring to detect data breaches affecting your website. Have a documented incident response plan that includes the PDPC’s mandatory breach notification requirements.

For Google Ads landing pages, ensure that conversion tracking and remarketing tags comply with both PDPA consent requirements and Google’s own consent policies.

Accessibility Requirements

Website accessibility—ensuring your site is usable by people with disabilities—is both a legal consideration and a business imperative. While Singapore does not currently have legislation mandating private-sector website accessibility (unlike the US ADA or EU European Accessibility Act), the Singapore government has adopted WCAG 2.0 AA standards for government websites, and this standard is increasingly expected of private businesses. Accessibility also affects your SEO performance, as search engines favour well-structured, accessible content.

Key accessibility elements to implement:

  • Alt text for images: Provide descriptive alternative text for all meaningful images. Decorative images should have empty alt attributes (alt=””) so screen readers skip them.
  • Keyboard navigation: Ensure all interactive elements (links, buttons, forms, menus) can be accessed and operated using a keyboard alone, without requiring a mouse.
  • Colour contrast: Text must have sufficient colour contrast against its background. WCAG 2.1 AA requires a minimum contrast ratio of 4.5:1 for normal text and 3:1 for large text.
  • Form labels: All form fields must have associated labels that clearly describe the expected input. Placeholder text alone is not sufficient.
  • Heading structure: Use a logical heading hierarchy (H1, H2, H3) to structure content. Do not skip heading levels or use headings purely for visual styling.
  • Video captions: Provide captions or transcripts for video and audio content on your website.
  • Responsive design: Ensure your website is fully functional and readable across all device sizes, including when text is enlarged up to 200%.

Run your website through automated accessibility testing tools (such as axe or WAVE) and supplement with manual testing using keyboard navigation and screen reader software.

Disclaimers and Disclosures

Depending on your industry and the content on your website, specific disclaimers may be required to protect your business and comply with regulations. Disclaimers do not override your legal obligations, but they help manage expectations and reduce the risk of misunderstandings or claims.

Common disclaimers for Singapore business websites:

  • General disclaimer: A statement that website content is provided for informational purposes and does not constitute professional advice. This is particularly important for businesses in legal, financial, medical or consultancy sectors.
  • Financial disclaimers: If your website discusses investment products, insurance or financial planning, include disclaimers about investment risks and the fact that past performance does not guarantee future results. MAS-regulated entities have specific disclosure requirements.
  • Medical disclaimers: Healthcare websites must clarify that website content does not substitute for professional medical advice, diagnosis or treatment. Include appropriate disclaimers on any health-related content.
  • Testimonial disclaimers: If you display client testimonials or case studies, disclose that results may vary and that testimonials represent individual experiences. If any testimonial was incentivised, disclose that fact.
  • Affiliate disclosures: If your website earns commissions from affiliate links or product recommendations, disclose this relationship clearly and prominently.
  • External links disclaimer: If your website links to external sites, include a disclaimer that you are not responsible for the content, accuracy or practices of linked websites.

Place disclaimers where they are relevant—near the content they relate to, not buried on a separate page that visitors will never find. For content marketing that includes opinion, advice or recommendations, contextual disclaimers are more effective than generic sitewide statements.

Copyright notices and intellectual property protections serve two purposes: they assert your rights over your original content, and they deter unauthorised copying. While copyright protection in Singapore exists automatically upon creation of original work (you do not need to register copyright), displaying a copyright notice strengthens your position in any future dispute.

Website IP protection checklist:

  • Copyright notice: Display a copyright notice in your website footer. The standard format is: “© 2026 [Company Name]. All rights reserved.” Update the year annually or use a dynamic year display.
  • Content usage terms: Specify in your terms of use what visitors may and may not do with your website content. Address copying, reproducing, distributing and creating derivative works.
  • Image protection: Consider implementing right-click protection or watermarks for high-value images. While these are not foolproof, they deter casual copying.
  • Trademark notices: If your brand name, logo or product names are registered trademarks, use the appropriate trademark symbol (™ for unregistered, ® for registered) and include a trademark notice on your website.
  • DMCA or takedown procedure: If your website hosts user-generated content, establish a procedure for handling copyright infringement claims and removing infringing content promptly.
  • Third-party content licensing: Maintain records of licences for all third-party content used on your website, including stock photos, fonts, icons and code libraries. Ensure your licences cover web usage and are current.

Regularly audit your website for unauthorised use of your content on other sites. Tools like Google Reverse Image Search and Copyscape can help identify instances of content theft.

Contact Information and Legal Identity

Displaying accurate contact information and business identity details on your website is both a legal requirement and a trust signal. Under Singapore’s Companies Act, business correspondence (including websites) must display certain information. From a practical standpoint, visitors who cannot easily find your contact details are less likely to trust your business or make a purchase.

Required and recommended contact information:

  • Company name: Display your full registered company name as it appears on ACRA records. If you operate under a trading name, display both.
  • UEN number: While not strictly required on websites, displaying your Unique Entity Number (UEN) adds credibility and is required on certain business documents and correspondence.
  • Registered address: Display your registered business address. If your operating address is different, display both.
  • Contact details: Provide at least one reliable method of contact—email address, phone number or contact form. For PDPA compliance, include the contact details of your Data Protection Officer.
  • GST registration: If your business is GST-registered, display your GST registration number, particularly on e-commerce pages and invoices.
  • Professional licences: If your business requires professional licensing (e.g., CEA licence for estate agents, MAS licence for financial advisers), display your licence number prominently.

Place essential contact information in your website footer so it appears on every page. Create a dedicated contact page with comprehensive details including a map, operating hours and response time expectations. This supports both your social media profiles and local search visibility.

Frequently Asked Questions

Is a privacy policy legally required for all Singapore websites?

If your website collects any personal data—through contact forms, email sign-ups, analytics tools, cookies or e-commerce transactions—you are required under the PDPA to have a privacy policy that informs visitors about how their data is collected, used and disclosed. Since virtually every business website collects some form of personal data, a privacy policy is effectively mandatory for all Singapore business websites.

Can I use a free privacy policy template for my website?

Free templates can serve as a starting point, but they rarely cover all the specific requirements for your business. A compliant privacy policy must accurately reflect your actual data collection and processing practices, the specific third-party tools you use and any industry-specific regulations that apply. Using a generic template that does not match your actual practices is arguably worse than having no policy at all, as it creates a false representation. Have your policy reviewed by a qualified professional.

Do Singapore websites need a cookie consent banner?

While Singapore’s PDPA does not have cookie-specific provisions equivalent to the EU’s GDPR, cookies that collect personal data (particularly tracking and advertising cookies) fall under PDPA requirements for consent. If your website attracts visitors from the EU, UK or other jurisdictions with strict cookie laws, a consent banner is necessary to comply with those laws. As a best practice, implementing a cookie consent mechanism is recommended for all Singapore business websites in 2026.

What accessibility standard should my Singapore website meet?

While there is no current legal mandate for private-sector website accessibility in Singapore, WCAG 2.1 Level AA is the widely accepted standard. This is the level adopted by the Singapore government for its websites and is increasingly expected by corporate clients and consumers. Meeting WCAG 2.1 AA also improves SEO, user experience and overall website quality. Businesses operating internationally should also consider the requirements of the EU European Accessibility Act and the US ADA.

How often should I update my website’s legal pages?

Review and update your privacy policy, terms of use and other legal pages at least annually, or whenever there is a material change to your data collection practices, business operations, services offered or the regulatory landscape. Significant triggers for updates include adding new analytics or marketing tools, launching e-commerce functionality, expanding into new markets, changes to PDPA guidelines or enforcement approaches, and changes to your third-party service providers.

What happens if my website does not have terms of use?

While there is no specific Singapore law requiring all websites to have terms of use, operating without them leaves your business exposed to risk. Terms of use establish the legal relationship between your business and website visitors, limit your liability, protect your intellectual property and set expectations for user conduct. Without terms, disputes are resolved based on general contract law principles, which may not favour your business. E-commerce sites in particular should have comprehensive terms covering sales, returns and refunds.