PDPA Compliance for Ecommerce in Singapore: What Your Website Must Have in 2026
If you're running an ecommerce store that serves customers in Singapore — whether you're based there or selling into the market from India, the UAE, or anywhere else — you're subject to the Personal Data Protection Act (PDPA). And in 2026, the Personal Data Protection Commission (PDPC) is not sending polite reminders. They're issuing fines.
We build Shopify stores and custom ecommerce platforms for Singapore-based clients at Innovatrix Infotech. PDPA-ready configuration is not an add-on we charge extra for — it's part of every standard project delivery. This guide walks through exactly what your ecommerce website needs to be compliant, from cookie banners to data breach protocols, with specific technical implementation steps.
What Data Does PDPA Actually Regulate?
The PDPA covers any data that can identify an individual, either directly or in combination with other accessible information. For ecommerce, that includes:
- Customer names and email addresses collected during checkout
- Payment information processed through your gateway
- Shipping addresses stored in order management
- IP addresses and browsing behaviour captured via cookies and analytics
- Phone numbers used for SMS marketing or order updates
- Account login credentials for returning customers
The scope is broader than many store owners realize. If your Shopify store uses Facebook Pixel, Google Analytics, Klaviyo, or any retargeting tool — you're collecting personal data that falls under PDPA jurisdiction.
The Four Non-Negotiables for PDPA-Compliant Ecommerce
1. Explicit Consent Cookie Banners (No Pre-Checked Boxes)
Singapore's PDPA requires that consent be obtained before collecting personal data. Pre-checked consent boxes — the kind many Shopify themes default to — do not meet this standard.
Your cookie consent implementation must:
- Present a clear banner before any tracking scripts fire
- Offer granular controls (necessary cookies vs analytics vs marketing)
- Not load Google Analytics, Meta Pixel, or any third-party script until consent is granted
- Store consent records with timestamps for audit purposes
What Innovatrix uses: We implement CookieYes for most Singapore ecommerce projects. It integrates cleanly with Shopify's theme architecture, supports granular consent categories, and auto-scans your site for cookies. OneTrust is the enterprise alternative, but for D2C brands doing under SGD 10M in revenue, CookieYes at ~USD 10/month delivers equivalent compliance at a fraction of the cost. Complianz is our pick for WordPress-based stores.
Shopify-specific implementation: Use Shopify's Customer Privacy API (Shopify.customerPrivacy) to gate third-party scripts. This API lets you check consent status before loading tracking pixels:
```javascript
// Called by the cookie banner with the shopper's decision (true only when they opted in).
// Nothing vendor-related is injected until Shopify has recorded that decision.
function applyConsent(consentGiven) {
  Shopify.customerPrivacy.setTrackingConsent({
    analytics: consentGiven,
    marketing: consentGiven,
    preferences: consentGiven
  }, function () {
    if (consentGiven) {
      // Only now load Meta Pixel, GA4, Klaviyo
    }
  });
}
```
Most agencies skip this step entirely. They install CookieYes but still let GA4 fire on page load. That's technically non-compliant.
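To make the "nothing fires before consent" rule concrete, here is an added example of a browser-side consent gate. It is not Shopify's Customer Privacy API, not CookieYes, and not Innovatrix's code; it is generic logic a banner could drive on any storefront. Tracker loaders are registered per category and run only once that category is granted, and every decision is stored with a timestamp so consent can be evidenced later. The `storage` and `clock` options, the category names and the storage keys are assumptions made for the example.

```javascript
// Added example (not Shopify's API, CookieYes, or Innovatrix code): a consent
// gate that holds tracking loaders until the shopper grants their category and
// keeps a timestamped audit log of every decision. `storage` is any Map-like
// object (get/set); wrap window.localStorage with getItem/setItem adapters in a
// real theme. `clock` is injectable so the timestamp can be fixed in tests.

const CATEGORIES = ["necessary", "analytics", "marketing", "preferences"];
const OPTIONAL = CATEGORIES.filter(c => c !== "necessary");

function createConsentGate(options = {}) {
  const storage = options.storage || new Map();
  const clock = options.clock || (() => new Date().toISOString());
  const pending = Object.fromEntries(OPTIONAL.map(c => [c, []]));
  const loaded = new Set();

  function readJson(key, fallback) {
    const raw = storage.get(key);
    return raw ? JSON.parse(raw) : fallback;
  }

  // Current state: only strictly necessary cookies are on until the shopper decides.
  function current() {
    return readJson("pdpa_consent", {
      necessary: true, analytics: false, marketing: false, preferences: false, recordedAt: null,
    });
  }

  function run(entry) {
    if (loaded.has(entry.name)) return;   // never inject the same pixel twice
    loaded.add(entry.name);
    entry.loader();
  }

  // Register a tracker. `loader` would normally append the vendor <script> tag.
  // It runs now only if its category is already consented; otherwise it waits.
  function registerScript(category, name, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const entry = { name, loader };
    if (category === "necessary" || current()[category]) run(entry);
    else pending[category].push(entry);
  }

  // Persist the shopper's choice with a timestamp, append it to the audit log,
  // then release the loaders queued under every granted category.
  function setConsent(choices) {
    const record = { ...current(), ...choices, necessary: true, recordedAt: clock() };
    storage.set("pdpa_consent", JSON.stringify(record));
    const log = readJson("pdpa_consent_log", []);
    log.push(record);
    storage.set("pdpa_consent_log", JSON.stringify(log));
    for (const cat of OPTIONAL) {
      if (record[cat]) while (pending[cat].length) run(pending[cat].shift());
    }
    return record;
  }

  return {
    registerScript,
    setConsent,
    current,
    loadedScripts: () => [...loaded],
    consentLog: () => readJson("pdpa_consent_log", []),
  };
}
```

On a Shopify theme the banner's handler would call `setConsent` and, in the same step, `Shopify.customerPrivacy.setTrackingConsent` with the same flags, so Shopify's own record and yours agree. Note the limitation this design shares with every gate of this kind: a script that has already been injected cannot be unloaded, so a withdrawal takes effect on the next page load, when `current()` is read again.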
2. Privacy Policy with Data Retention Schedule
A generic privacy policy template from the internet will not protect you. Your privacy policy must specify:
- What data you collect and why (purpose limitation)
- How long you retain each category of data
- Who has access to the data (internal teams, third-party processors)
- How data subjects can access, correct, or delete their data
- Your Data Protection Officer's contact information
Since June 2025, the PDPC requires that DPO business contact information be publicly accessible — not buried in a PDF. Your DPO's email or Singapore phone number must be readily findable from your website.
Data retention schedule example for ecommerce:
| Data Type | Retention Period | Justification |
|---|---|---|
| Order records | 7 years | GST compliance |
| Customer account data | Until account deletion request | Consent-based |
| Marketing consent records | 2 years after last consent | Audit trail |
| Browsing/cookie data | 13 months | Analytics purposes |
| Payment card data | Not stored (tokenized via gateway) | PCI DSS requirement |
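A retention schedule only helps if something enforces it. The following is an added example, not Shopify's or Innovatrix's data model, that expresses the table above as data and runs the check a nightly purge job would run. Periods and justifications are the table's; the record shape (`type`, `createdAt`, `lastConsentAt`, `deletionRequestedAt`) and the sample records are constructed for the example.

```javascript
// Added example (not Shopify's or Innovatrix's data model): the retention
// schedule as data, plus the per-record check a purge job would apply.
// Record fields are constructed for this example.

const RETENTION_SCHEDULE = {
  order:             { months: 84,   basis: "createdAt",       justification: "GST compliance (7 years)" },
  account:           { months: null, basis: "deletionRequest", justification: "Consent-based, until deletion request" },
  marketing_consent: { months: 24,   basis: "lastConsentAt",   justification: "Audit trail (2 years after last consent)" },
  browsing:          { months: 13,   basis: "createdAt",       justification: "Analytics purposes" },
  payment_card:      { months: 0,    basis: "never",           justification: "Not stored; tokenised via gateway (PCI DSS)" },
};

function addMonths(iso, months) {
  const d = new Date(iso);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// Decide for one record, at time `now` (ISO string), whether it is past retention.
function retentionStatus(record, now) {
  const rule = RETENTION_SCHEDULE[record.type];
  if (!rule) throw new Error(`no retention rule for record type "${record.type}"`);
  switch (rule.basis) {
    case "never":
      // Card data at rest is a finding in itself, whatever its age.
      return { expired: true, reason: "payment card data must not be stored" };
    case "deletionRequest":
      return record.deletionRequestedAt
        ? { expired: true, reason: `deletion requested ${record.deletionRequestedAt}` }
        : { expired: false, reason: rule.justification };
    default: {
      const start = record[rule.basis];
      if (!start) throw new Error(`record ${record.id} has no ${rule.basis}`);
      const expiresAt = addMonths(start, rule.months);
      return new Date(now) >= expiresAt
        ? { expired: true, reason: `${rule.months} months since ${rule.basis} elapsed` }
        : { expired: false, reason: `retained until ${expiresAt.toISOString()}` };
    }
  }
}

// Split a batch into what to keep and what to purge, with the reason for each,
// so the purge run itself leaves an auditable record.
function purgePlan(records, now) {
  const plan = { keep: [], purge: [] };
  for (const r of records) {
    const status = retentionStatus(r, now);
    plan[status.expired ? "purge" : "keep"].push({ id: r.id, type: r.type, reason: status.reason });
  }
  return plan;
}

// Constructed sample batch, evaluated as of 2026-03-01.
const SAMPLE_RECORDS = [
  { id: "o1", type: "order", createdAt: "2018-02-15T00:00:00Z" },                    // past 7 years
  { id: "o2", type: "order", createdAt: "2021-06-01T00:00:00Z" },                    // keep
  { id: "a1", type: "account", deletionRequestedAt: "2026-02-20T00:00:00Z" },        // purge on request
  { id: "a2", type: "account" },                                                     // keep
  { id: "m1", type: "marketing_consent", lastConsentAt: "2023-09-01T00:00:00Z" },    // past 2 years
  { id: "b1", type: "browsing", createdAt: "2025-03-15T00:00:00Z" },                 // 11.5 months: keep
  { id: "b2", type: "browsing", createdAt: "2025-01-10T00:00:00Z" },                 // past 13 months
];
```

Two design points worth copying: the schedule lives in one place rather than being scattered through cron scripts, and each decision carries its justification, which is exactly what an auditor will ask for when a record is found older than its retention period.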
3. Right to Access and Delete Data on Request
Under PDPA, customers can request access to their personal data and ask for corrections or deletions. Your ecommerce platform must support:
- A customer data export flow (Shopify has a built-in GDPR/privacy request workflow under Settings → Privacy)
- Processing deletion requests within 30 days
- Documenting all access and deletion requests for your records
Shopify implementation: Navigate to Settings → Privacy → Customer Privacy. Enable the data request and erasure request features. When a customer submits a request, Shopify compiles their data (orders, customer profile, discount usage) into a downloadable file.
For custom ecommerce builds on Next.js or headless setups, you'll need to build this flow yourself. We typically wire a /privacy-request API endpoint that queries the database for all records associated with a customer email, generates a JSON export, and queues a deletion job with a 72-hour confirmation window.
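For headless builds, the flow just described looks roughly like the following added example. It is not Innovatrix's endpoint code; it is the request logic behind such a `/privacy-request` handler, written against an in-memory stand-in for the store database. An export gathers every record tied to the customer's email into one JSON document; a deletion is queued with a 72-hour confirmation window and runs only if the customer confirms inside it; every request is logged so the access and deletion register exists. The table names, the `retainTables` option (tables under a legal retention period, such as orders for GST, are pseudonymised rather than deleted) and the sample data are assumptions made for the example.

```javascript
// Added example (not Innovatrix's code): the export / queued-deletion logic
// behind a /privacy-request endpoint, against an in-memory database stand-in.
// Table names, the retainTables option and the sample rows are constructed.

const CONFIRM_WINDOW_MS = 72 * 60 * 60 * 1000;

function defaultToken() {
  // Node exposes crypto globally in current releases; older ones need require.
  const c = globalThis.crypto || require("crypto");
  return c.randomUUID();
}

function createPrivacyService(db, options = {}) {
  const now = options.now || (() => Date.now());
  const newToken = options.token || defaultToken;
  // Tables kept for a legal retention period (e.g. orders for GST) are
  // pseudonymised instead of deleted; which tables that is, is a deployment decision.
  const retainTables = new Set(options.retainTables || []);
  const requestLog = [];
  const pendingDeletions = new Map();
  const stamp = () => new Date(now()).toISOString();
  const norm = e => e.trim().toLowerCase();
  const matches = (row, key) => (row.email || "").toLowerCase() === key;

  // Every row in every table that belongs to this email.
  function recordsFor(email) {
    const key = norm(email);
    const out = {};
    for (const [table, rows] of Object.entries(db)) out[table] = rows.filter(r => matches(r, key));
    return out;
  }

  function exportData(email) {
    const data = recordsFor(email);
    requestLog.push({ type: "access", email: norm(email), at: stamp() });
    return { requestedAt: stamp(), email: norm(email), data };
  }

  // Queue the deletion; the token goes to the customer in a confirmation email.
  function requestDeletion(email) {
    const token = newToken();
    const expiresAt = now() + CONFIRM_WINDOW_MS;
    pendingDeletions.set(token, { email: norm(email), expiresAt });
    requestLog.push({ type: "erasure_requested", email: norm(email), at: stamp() });
    return { token, confirmBy: new Date(expiresAt).toISOString() };
  }

  function confirmDeletion(token) {
    const job = pendingDeletions.get(token);
    if (!job) return { ok: false, reason: "unknown token" };
    pendingDeletions.delete(token);            // a token is single-use either way
    if (now() > job.expiresAt) {
      requestLog.push({ type: "erasure_expired", email: job.email, at: stamp() });
      return { ok: false, reason: "confirmation window closed" };
    }
    let deleted = 0, pseudonymised = 0;
    for (const table of Object.keys(db)) {
      if (retainTables.has(table)) {
        // Keep the row for its retention period but break the link to the person.
        // Other personal fields in such rows (name, address) need the same treatment.
        for (const row of db[table]) {
          if (matches(row, job.email)) { row.email = `erased-${token}@invalid`; pseudonymised++; }
        }
      } else {
        const before = db[table].length;
        db[table] = db[table].filter(r => !matches(r, job.email));
        deleted += before - db[table].length;
      }
    }
    requestLog.push({ type: "erasure_completed", email: job.email, at: stamp(), deleted, pseudonymised });
    return { ok: true, deleted, pseudonymised };
  }

  return { exportData, requestDeletion, confirmDeletion, log: () => requestLog.slice() };
}

// Constructed sample database; note the mixed-case email in newsletter.
const SAMPLE_DB = {
  customers: [{ id: 1, email: "ann@example.com", name: "Ann Tan" }, { id: 2, email: "bob@example.com", name: "Bob Lim" }],
  orders:    [{ id: 101, email: "ann@example.com", total: 59.9 }, { id: 102, email: "bob@example.com", total: 12.5 }],
  newsletter: [{ email: "Ann@Example.com", consentAt: "2025-11-02T03:00:00Z" }],
};
```

The handler itself is thin: `POST /privacy-request` with `{type: "export"}` calls `exportData`, `{type: "delete"}` calls `requestDeletion` and emails the token, and the confirmation link calls `confirmDeletion`. Matching on a normalised email matters: a customer who signed up as `Ann@Example.com` and ordered as `ann@example.com` is one person, and an export that misses half their records is itself a compliance failure.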
4. Data Breach Notification Within 3 Calendar Days
If a data breach occurs that results in significant harm to affected individuals or affects 500+ people, you must notify the PDPC within 3 calendar days of assessing the breach severity. You must also notify affected individuals.
Your breach notification procedure should include:
- A documented incident response plan (who does what, in what order)
- Contact details for your DPO and legal counsel pre-arranged
- Template notification emails for both the PDPC and affected customers
- Technical logging that captures breach scope (which records, which systems)
Most small ecommerce stores have zero breach response planning. By the time they realize what happened, the 3-day window has closed.
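The first hour of a breach is spent working out who was affected and by when you must say so. The following is an added example, not Innovatrix's procedure or a PDPC tool, of a first-pass assessment: it deduplicates affected individuals across every exposed system (the 500-person threshold counts people, not rows), applies the two triggers stated above, and computes the 3-calendar-day deadline from the moment the assessment was made. The incident shape and the sample incident are constructed for the example.

```javascript
// Added example (not Innovatrix's procedure or a PDPC tool): a first-pass
// breach assessment producing the notification decision, the deadline, and
// the scope summary (which records, which systems). Incident shape constructed.

const NOTIFIABLE_HEADCOUNT = 500;
const NOTIFY_WITHIN_DAYS = 3;

function assessBreach(incident, assessedAt) {
  const people = new Set();
  const systems = new Set();
  const recordTypes = new Set();
  for (const exposure of incident.exposures) {
    systems.add(exposure.system);
    recordTypes.add(exposure.recordType);
    // One person can appear in several systems; count them once.
    for (const email of exposure.emails) people.add(email.trim().toLowerCase());
  }
  const significant = Boolean(incident.significantHarm);
  const notifiable = significant || people.size >= NOTIFIABLE_HEADCOUNT;

  // Calendar days from the assessment timestamp, as the page states.
  const deadline = new Date(assessedAt);
  deadline.setUTCDate(deadline.getUTCDate() + NOTIFY_WITHIN_DAYS);

  return {
    notifyPdpc: notifiable,
    notifyIndividuals: notifiable,   // the page treats both notices as following the same trigger
    deadline: deadline.toISOString(),
    trigger: !notifiable ? "none" : significant ? "significant harm" : `>= ${NOTIFIABLE_HEADCOUNT} individuals`,
    scope: {
      affectedIndividuals: people.size,
      systems: [...systems].sort(),
      recordTypes: [...recordTypes].sort(),
    },
  };
}

// Constructed incident: a leaked order export and an exposed support mailbox
// that overlap on one customer, so four rows but three people.
const SAMPLE_INCIDENT = {
  significantHarm: false,
  exposures: [
    { system: "order-export-bucket", recordType: "orders", emails: ["ann@example.com", "bob@example.com", "cy@example.com"] },
    { system: "support-mailbox", recordType: "chat-transcripts", emails: ["Ann@example.com"] },
  ],
};
```

The `scope` object is what the logging item in the list above has to be able to feed: if your systems cannot tell you which records and which systems were touched, you cannot fill in either notification template, and the clock is running regardless.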
The Third-Party App Audit Most Stores Skip
This is where PDPA compliance gets uncomfortable. Every Shopify app you install can potentially collect customer data — and many do so without adequate disclosure.
Common offenders include:
- Review apps that scrape customer names and emails to send review requests without explicit consent
- Upsell/cross-sell apps that track browsing behaviour and build customer profiles
- Chat widgets that store conversation transcripts with personal data on third-party servers
- Email marketing integrations that sync customer data to platforms with servers outside Singapore
Before going live, audit every installed app:
- Check where they store data (Singapore, US, EU?)
- Review their privacy policy for PDPA-equivalent protections
- Verify they support data deletion requests
- Ensure they don't share data with unnamed third parties
If an app stores customer data on servers in a jurisdiction with weaker protections than PDPA requires, you need contractual safeguards (data processing agreements) or you need to find an alternative app.
Penalties: What Non-Compliance Actually Costs
The PDPC can impose fines of up to SGD 1 million or 10% of annual turnover in Singapore, whichever is higher. In 2025, an integrated resort operator was fined SGD 315,000 for breaching the protection obligation alone.
Beyond fines, enforcement actions are published on the PDPC website. For an ecommerce brand building trust with Singapore consumers, having your company name on that list is devastating.
PDPA Compliance Checklist for Ecommerce Stores
- Cookie consent banner implemented with granular controls
- No tracking scripts load before consent is granted
- Privacy policy includes data retention schedule
- DPO contact information publicly accessible on website
- Customer data access/export flow functional
- Customer data deletion flow functional with 30-day SLA
- Data breach notification procedure documented
- Breach notification templates prepared for PDPC and customers
- All third-party apps audited for data handling practices
- Data processing agreements in place with cross-border processors
- Staff trained on PDPA obligations (documented)
- Consent records stored with timestamps for audit
How Innovatrix Handles PDPA for Singapore Clients
As an Official Shopify Partner with clients across Singapore, Dubai, and India, we've built PDPA compliance into our standard delivery process. Every Shopify store we ship to the Singapore market includes:
- CookieYes integration with Shopify Customer Privacy API gating
- Privacy policy template customized to the client's specific data flows
- Customer data export and deletion workflows configured and tested
- Third-party app audit with documented findings
- Breach notification procedure documentation
This isn't a compliance upsell. It's part of the build. When we delivered a Shopify store for a Singapore-based D2C brand, the PDPA configuration added zero extra cost because we'd already built the process into our sprint workflow.
Our DPIIT-recognized startup status and AWS Partner credentials mean we also handle the infrastructure side — ensuring data residency, encryption in transit, and access controls meet the standard.
When NOT to Handle PDPA Compliance Yourself
If your ecommerce operation processes sensitive personal data (health products, financial services), handles data for more than 10,000 Singapore residents, or has complex cross-border data flows — you need a qualified DPO and likely legal counsel specializing in Singapore data protection law. This guide covers the technical implementation for standard D2C ecommerce. It's not a substitute for legal advice on edge cases.
Written by Rishabh Sethia, Founder & CEO
Rishabh Sethia is the founder and CEO of Innovatrix Infotech, a Kolkata-based digital engineering agency. He leads a team that delivers web development, mobile apps, Shopify stores, and AI automation for startups and SMBs across India and beyond.