Shopify is the dominant ecommerce platform in Singapore. The Personal Data Protection Act (PDPA) is Singapore's primary data privacy law β enforced by the Personal Data Protection Commission (PDPC). These two facts create a specific compliance obligation that most Shopify merchants haven't fully addressed.
This guide covers what PDPA requires from Singaporean Shopify stores, where most stores fail, and the specific steps to fix it.
β οΈ Disclaimer: This article is for informational purposes only and does not constitute legal advice. PDPA requirements are interpreted and enforced by the PDPC. Consult a qualified lawyer for advice specific to your situation.
PDPA applies to any organization that collects, uses, or discloses personal data in Singapore β regardless of where the organization is incorporated. If you:
...PDPA obligations apply to you.
Personal data under PDPA includes anything that identifies a person: name, email address, phone number, shipping address, purchase history, IP address, device identifiers, browsing behavior on your store.
Shopify collects all of this by default.
Check your PDPA compliance before your next campaign. Run a free PDPA scan on your Shopify store β β see exactly what tracking fires before consent.
You must obtain consent before collecting, using, or disclosing personal data β unless an exception applies (e.g., the data is publicly available, or collection is required by law).
For a Shopify store, this means:
Critical Shopify default: Shopify installs tracking pixels and analytics by default. Unless you've disabled these or gated them behind consent, they are likely firing for every Singapore visitor before consent is obtained.
You can only use personal data for the purpose for which it was collected. If a customer gives you their email to fulfill an order, you cannot use that email to send marketing messages unless they've separately consented to marketing.
Common failure mode: import order-contact emails into a marketing list and send promotions without a separate marketing opt-in.
You must inform customers what data you're collecting and why β at the point of collection. In practice, this means your Shopify store needs a privacy policy that:
Customers have the right to access the personal data you hold about them and request corrections. Your privacy policy must explain how to exercise this right, and you must be able to respond to requests.
Under PDPA amendments effective February 2021, mandatory data breach notification applies. If you experience a breach of significant volume or sensitivity, you must notify the PDPC within 3 calendar days. You must also notify affected individuals if the breach is likely to cause significant harm.
This is where most Shopify stores fail the PDPA test.
By default, a Shopify store loads:
All of these collect personal data. Under PDPA, you need consent before this data collection starts.
The fix: You need a consent management system on your Shopify store that:
Shopify's built-in cookie consent bar does not block scripts. It is not PDPA-compliant for tracking purposes.
Consentmo (free tier + paid) β Shopify-native CMP. Blocks scripts by category, GDPR/PDPA ready, geo-targeting to show the notice only to Singapore visitors. Most practical option for Shopify.
CookieYes for Shopify β Integrates via script tag, auto-categorizes cookies, blocking available on paid tiers.
App capabilities and tiers as of June 2026 β verify current features on each app's Shopify listing.
A Shopify default privacy policy template is not sufficient for PDPA. You need to add:
If your store serves both Singapore and EU customers, both frameworks apply β independently.
| Aspect | PDPA (Singapore) | GDPR (EU) |
|---|---|---|
| Enforced by | PDPC | National DPAs (CNIL, BfDI, ICO, etc.) |
| Maximum fine | Higher of S$1,000,000 or 10% of annual turnover (since 1 Oct 2022) | 4% global annual turnover or β¬20M |
| Breach notification deadline | 3 calendar days to PDPC | 72 hours to national DPA |
| Marketing consent | Explicit opt-in required | Explicit opt-in required |
| Tracking/cookie consent | Required before tracking | Required (ePrivacy Directive) |
| Extraterritorial scope | Yes β data of SG residents | Yes β data of EU residents |
| Right to access personal data | Yes (PDPA s.21) | Yes (GDPR Art. 15) |
The PDPC publishes its enforcement decisions at pdpc.gov.sg. Key patterns from their decisions database:
If your Shopify store serves both Singapore residents and European customers, you operate under two independent data protection regimes simultaneously. Sitetals covers both. Run the EU/GDPR scan for your European exposure and the PDPA scan for Singapore.
For broader GDPR/EU context: GDPR fines in 2026: 13 real cases and what they cost. For a complete compliance self-check: the 12 GDPR checks most businesses miss.
Paste your Shopify store URL. Get a free scan showing tracking behavior, missing consent mechanisms, and PDPA compliance gaps.
Full PDF report with PDPC enforcement references and a remediation checklist: β¬49.
Sources: PDPA 2012 (Singapore), as amended 2021 Β· PDPC Advisory Guidelines on eCommerce (2021) Β· PDPC Enforcement Decisions 2020β2025 Β· PDPC data breach notification requirements (Advisory 01/2021)
π©Έ β Sitetals Editorial