What it means
The PDPA is Singapore's primary law on personal data. It sets out obligations for any organisation that handles the personal data of individuals in Singapore: how data can be collected (with consent or by exception), how it must be protected, how long it can be kept, and what rights data subjects have to access, correct, or withdraw consent.
The PDPA also includes the Do Not Call (DNC) Registry, which restricts sending marketing messages to phone numbers registered on the DNC list, as well as rules on mandatory data breach notification.
Why it matters
For any Singapore-facing business doing WhatsApp marketing, broadcast campaigns, or lead capture, PDPA compliance is not optional. Sending marketing messages without verifiable opt-in, mishandling sensitive data, or failing to notify after a breach can lead to financial penalties and reputational damage.
Practically, that means: collect explicit opt-in for marketing communications, keep an audit trail of consent, offer easy opt-out in every broadcast, and keep customer data inside platforms that meet recognised security standards.
Example
A gym signs up new members through a tablet form at reception. The form has a single checkbox for "I agree to receive marketing messages on WhatsApp" with no pre-tick. The signed timestamp is stored alongside the contact record. Six months later, when a member asks to be removed from broadcasts, the gym can prove consent was given, prove when, and process the removal in one click.