How it works What We Check Pricing Articles About Free Scan β†’
Shopify PDPA Compliance Singapore
← All Articles Singapore Β· PDPA ⏱ 8 min read Updated 27 June 2026

Shopify PDPA Compliance Singapore: A Step-by-Step Guide for Merchants

🎧 Key takeaways
0:00
0:00

Shopify is the dominant ecommerce platform in Singapore. The Personal Data Protection Act (PDPA) is Singapore's primary data privacy law β€” enforced by the Personal Data Protection Commission (PDPC). These two facts create a specific compliance obligation that most Shopify merchants haven't fully addressed.

This guide covers what PDPA requires from Singaporean Shopify stores, where most stores fail, and the specific steps to fix it.

⚠️ Disclaimer: This article is for informational purposes only and does not constitute legal advice. PDPA requirements are interpreted and enforced by the PDPC. Consult a qualified lawyer for advice specific to your situation.


Why PDPA Applies to Your Shopify Store

PDPA applies to any organization that collects, uses, or discloses personal data in Singapore β€” regardless of where the organization is incorporated. If you:

...PDPA obligations apply to you.

Personal data under PDPA includes anything that identifies a person: name, email address, phone number, shipping address, purchase history, IP address, device identifiers, browsing behavior on your store.

Shopify collects all of this by default.

Check your PDPA compliance before your next campaign. Run a free PDPA scan on your Shopify store β†’ β€” see exactly what tracking fires before consent.


The 5 PDPA Obligations Every Shopify Merchant Must Meet

1. Consent Obligation

You must obtain consent before collecting, using, or disclosing personal data β€” unless an exception applies (e.g., the data is publicly available, or collection is required by law).

For a Shopify store, this means:

Critical Shopify default: Shopify installs tracking pixels and analytics by default. Unless you've disabled these or gated them behind consent, they are likely firing for every Singapore visitor before consent is obtained.

2. Purpose Limitation Obligation

You can only use personal data for the purpose for which it was collected. If a customer gives you their email to fulfill an order, you cannot use that email to send marketing messages unless they've separately consented to marketing.

Common failure mode: import order-contact emails into a marketing list and send promotions without a separate marketing opt-in.

3. Notification Obligation

You must inform customers what data you're collecting and why β€” at the point of collection. In practice, this means your Shopify store needs a privacy policy that:

4. Access and Correction Obligation

Customers have the right to access the personal data you hold about them and request corrections. Your privacy policy must explain how to exercise this right, and you must be able to respond to requests.

5. Data Breach Notification

Under PDPA amendments effective February 2021, mandatory data breach notification applies. If you experience a breach of significant volume or sensitivity, you must notify the PDPC within 3 calendar days. You must also notify affected individuals if the breach is likely to cause significant harm.


The Tracking / Cookie Consent Gap

This is where most Shopify stores fail the PDPA test.

By default, a Shopify store loads:

All of these collect personal data. Under PDPA, you need consent before this data collection starts.

The fix: You need a consent management system on your Shopify store that:

  1. Shows a cookie consent notice to Singapore visitors
  2. Blocks tracking scripts until consent is obtained
  3. Provides an easy way to refuse

Shopify's built-in cookie consent bar does not block scripts. It is not PDPA-compliant for tracking purposes.

Shopify Apps for PDPA-Compliant Cookie Consent

Consentmo (free tier + paid) β€” Shopify-native CMP. Blocks scripts by category, GDPR/PDPA ready, geo-targeting to show the notice only to Singapore visitors. Most practical option for Shopify.

CookieYes for Shopify β€” Integrates via script tag, auto-categorizes cookies, blocking available on paid tiers.

App capabilities and tiers as of June 2026 β€” verify current features on each app's Shopify listing.


Your Shopify Privacy Policy: What to Include for PDPA

A Shopify default privacy policy template is not sufficient for PDPA. You need to add:


PDPA vs GDPR: Key Differences for Shopify Merchants

If your store serves both Singapore and EU customers, both frameworks apply β€” independently.

Aspect PDPA (Singapore) GDPR (EU)
Enforced by PDPC National DPAs (CNIL, BfDI, ICO, etc.)
Maximum fine Higher of S$1,000,000 or 10% of annual turnover (since 1 Oct 2022) 4% global annual turnover or €20M
Breach notification deadline 3 calendar days to PDPC 72 hours to national DPA
Marketing consent Explicit opt-in required Explicit opt-in required
Tracking/cookie consent Required before tracking Required (ePrivacy Directive)
Extraterritorial scope Yes β€” data of SG residents Yes β€” data of EU residents
Right to access personal data Yes (PDPA s.21) Yes (GDPR Art. 15)

PDPC Enforcement: What It Looks Like

The PDPC publishes its enforcement decisions at pdpc.gov.sg. Key patterns from their decisions database:


Shopify PDPA Compliance Checklist

Consent & Cookie Management

Privacy Policy

Marketing

Breach Preparedness


Selling to Both Singapore and the EU?

If your Shopify store serves both Singapore residents and European customers, you operate under two independent data protection regimes simultaneously. Sitetals covers both. Run the EU/GDPR scan for your European exposure and the PDPA scan for Singapore.

For broader GDPR/EU context: GDPR fines in 2026: 13 real cases and what they cost. For a complete compliance self-check: the 12 GDPR checks most businesses miss.


Run a Free PDPA Scan

Paste your Shopify store URL. Get a free scan showing tracking behavior, missing consent mechanisms, and PDPA compliance gaps.

Free PDPA scan at Sitetals

Full PDF report with PDPC enforcement references and a remediation checklist: €49.


Sources: PDPA 2012 (Singapore), as amended 2021 Β· PDPC Advisory Guidelines on eCommerce (2021) Β· PDPC Enforcement Decisions 2020–2025 Β· PDPC data breach notification requirements (Advisory 01/2021)

🩸 β€” Sitetals Editorial