
PDPA Compliance for Businesses: Can You Identify Website Visitors in Singapore?
- By Ava
Increased digital adoption has turned user data into valuable currency, enabling personalised services while raising critical privacy and compliance challenges. For B2B marketers running lead generation in Singapore, understanding the Personal Data Protection Act (PDPA) is essential to remain both competitive and compliant.
What Is the PDPA and Who Must Comply?
Enacted in 2012 and fully effective since 2014, the PDPA governs the collection, use, disclosure, and care of personal data in Singapore.
All businesses collecting data about individuals or businesses residing in Singapore, including B2B marketers, must comply with the PDPA guidelines when handling personal data.
What is the purpose of PDPA?
1) To Ensure Data Protection Obligations
PDPA balances individuals’ privacy rights and business needs to collect, use or disclose personal data for legitimate and reasonable purposes.
Businesses must comply with data protection obligations when they undertake activities relating to the collection, use or disclosure of personal data. Learn more about the data protection obligations here.
2) To Implement and Safeguard Data
The PDPA establishes a data protection regime to safeguard personal data from misuse and to maintain individuals’ trust in businesses that manage their data.
The Personal Data Protection Commission (PDPC) is the government agency that investigates and enforces the PDPA provisions.
3) To Build Trust and Reputation
By regulating the flow of personal data among businesses, the PDPA strengthens Singapore’s position as a trusted hub for businesses and helps companies build long-term brand equity.
What is “Personal Data” and “Business Contact Info” Under the PDPA?
Personal data, in electronic and non-electronic formats, refers to data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
Examples of “personal data” include:
- Basic Identifiers: Name, NRIC, passport number, email, address, phone number
- Demographics: Age, gender, nationality, marital status
- Financial Data: Bank or card details
- Online Identifiers: IP addresses, cookies, device IDs
- Biometric & Sensitive Data: Fingerprints, facial recognition, criminal records
Business Contact Information includes information about a business but also excludes business contact information of individuals provided solely for business purposes.
The Data Protection Provisions do not apply to business contact information if used strictly for business purposes.
Examples of business contact information include:
- Basic Identifiers: Name, Job title
- Company related information: Business phone number, business address, business email, business fax number and business card details.
What You Can’t Do Under PDPA
1) Data Scraping
Data scraping, or web scraping, is the process of importing data from websites into files or spreadsheets. However, assuming that ‘public data’ is free to scrape without consent violates the PDPA’s consent requirements:
- Data Privacy Laws
PDPA restricts the collection, use, and sharing of Personally Identifiable Information (PII) without consent, including email addresses.
- Terms of Service
Websites such as LinkedIn explicitly prohibit scraping in their User Agreement or restrict how their data can be used. Violating these terms can lead to legal issues.
In 2022, LinkedIn filed a federal lawsuit against a Singapore-based company, Mantheos Pte. Ltd., and its founders for the unauthorised scraping of millions of LinkedIn member profiles.
- Respect for Privacy
Scraping email addresses and using them for unsolicited marketing can be seen as an invasion of privacy and a form of harassment.
2) Buying Leads from Unreliable Sources
Businesses should exercise appropriate due diligence when obtaining personal data from third party sources.
Buying lead lists is a compliance risk unless the third party has documented consent for the collection, use and disclosure of personal data on behalf of the individual, or the source had obtained consent for disclosure of the personal data.
3) Tracking Without Notification
Installing tracking tools (like cookies or reverse IP) without notifying users and offering opt-out opportunities breaches PDPA obligations.
Businesses should only collect, use and disclose personal data for the purposes for which individuals have explicitly given consent.
Can You Legally Identify Website Visitors in Singapore?
Yes, with explicit consent.
B2B marketers are likely to have experience with visitor tracking. Tools like Google Analytics, Mixpanel and HubSpot help you measure traffic and engagement across various platforms, such as websites and apps. Marketers use first-party analytics services to fine-tune their digital strategy, optimise campaigns, and take their online presence to new heights.
Deemed Consent with Notification Obligation
Under Section 15A of the PDPA, businesses must ensure that the individual is aware of:
(i) the intention to collect, use or disclose the personal data;
(ii) the purpose of such collection, use or disclosure; and
(iii) a reasonable period within which, and a reasonable manner by which, an individual can opt out of the collection, use or disclosure of his personal data for this purpose.
The Commission did not prescribe the method by which the individual should be notified, but the business may choose to rely on a single mode or multiple modes of communication in notifying individuals adequately.
Here is how businesses should notify users:
- Cookies banner or pop-ups
- Notification provided through interactive portals such as AI Chatbot
- Direct communication such as email, mail or telephone calls or text messages
Key Point: If the individual is properly informed and has not explicitly dissented or taken any action to opt out, consent is deemed valid under the PDPA.
Leadryx’s Ethical Approach to Visitor Identification and Consent
We have designed Leadryx on a foundational commitment to identify high-intent website visitors while strictly complying with Singapore’s PDPA.
Here’s how we implement a compliance-first approach that protects both your business and your website visitors:
1) Purpose-Driven Data Collection
Every piece of data we collect serves a specific, legitimate business purpose disclosed transparently to visitors.
At Leadryx, we employ 1st-party cookies, reverse IP tracking, consent flows and intent analytics only after consent is granted through customizable opt-in flows.
All data is tied to clear business use cases like CRM integration, lead scoring, or outbound triggers.
2) Dynamic Consent for New Purposes
If Leadryx intends to use the data for a new purpose that was not originally communicated to individuals, we disclose this early and seek the individual’s fresh consent for the new use.
3) Transparent Data Minimisation
To adhere to purpose limitation, we collect only the data that is necessary for the stated purpose. We disclose clearly, allow opt-outs, and all collected information is processed through a proprietary verification engine that cross-references against multiple trusted B2B data sources before entering your CRM.
4) Third Party Due Diligence
We only work with and obtain data from verified, PDPA-compliant B2B data providers, and we exercise appropriate due diligence to check that the data providers are consistently accurate and up to date.
PDPA-Compliant Lead Generation: 5 Examples That Are Legal
1) Email Marketing
Businesses should obtain express consent for the purpose of sending direct marketing messages to individuals.
Consent should be obtained through the opt-in method (e.g. using opt-in forms with unchecked boxes, not pre-checked boxes) and always allow for easy unsubscribe with a privacy link.
2) Event Signups (e.g. Seminars)
Business name cards (that contain name, position, business telephone number, business address, business electronic mail address and business fax number) collected at events for professional use will be considered business contact information.
Accordingly, the event organiser does not need to seek consent to contact individuals about future seminars through business contact information. The event organiser is also not required to care for such information or provide access to and correction of the business contact information collected.
No additional consent needed, as long as used in a business context.
3) Website Forms
Businesses should notify users before submission so that the individual is aware of the intention to collect, use or disclose the personal data; the purpose of such collection, use or disclosure; and a reasonable period within which, and a reasonable manner by which, the individual can opt out of the collection, use or disclosure of their personal data for this purpose.
4) Social Media Lead Generation
If you are using lead forms as your social media campaign call-to-action (CTA) for a free quote, sign-up or guide, you must include a custom consent statement with links to your privacy policy.
5) Conversational AI (Like Ryx by Leadryx)
Our AI assistant, Ryx, discloses lead capture intent, asks consent-driven questions, and notifies users before submission, then syncs leads to your CRM after confirmation.
Bonus: Free PDPA Self-Assessment Tool
This free self-assessment tool:
- Helps you highlight potential gaps in your personal data protection policies and practices.
- Directs you to the relevant PDPC guides, guidelines and resources.
- Generates a self-assessment report based on the organisation’s own inputs.
Click to try out: https://apps.pdpc.gov.sg/resources/pato
Final Thoughts
Trust and transparency are the new currency in modern marketing.
Whether you are looking to scale lead generation without stepping on legal landmines or turn anonymous website visits into real, high-intent leads, Leadryx helps you identify opportunities, trigger outbound flows, and stay PDPA-compliant.
Join the waitlist and let us show you how to do outbound smarter with ethics, automation, and effectiveness built in from day one.