Singapore compliance guide
PDPA-Compliant Cold Email in Singapore: The Complete 2026 Guide
Singapore is one of the friendliest major markets in Asia for B2B cold email, but only if you understand which rules apply and which do not. This guide walks through the Personal Data Protection Act 2012 (PDPA), the business contact information exception that makes B2B outreach workable, where the Do Not Call Registry does and does not bite, and what the Spam Control Act adds on top. It is written for sales operators, not lawyers.
Last reviewed 11 June 2026 · This guide is general information, not legal advice.
What the PDPA covers, and what it does not
The Personal Data Protection Act 2012 is Singapore's baseline data protection law, administered by the Personal Data Protection Commission (PDPC). It governs how organisations collect, use, and disclose personal data, which means any data about an individual who can be identified from it. A person's email address, name, and mobile number all count.
The Act imposes a set of data protection obligations on organisations, including the Consent, Purpose Limitation, and Notification Obligations: in plain terms, you generally need consent to collect and use someone's personal data, you must use it only for purposes a reasonable person would consider appropriate, and you must tell people what you are using it for.
Two boundaries matter for outreach teams. First, the PDPA regulates personal data, not company data: information about a company, such as a sales@ inbox or a main office line, is not personal data at all. Second, even where data is personal, the Act carves out business contact information, which is the exception that makes B2B cold email in Singapore practical.
The business contact information exception
Section 2(1) of the PDPA defines business contact information as an individual's name, position or title, business telephone number, business address, business email address, business fax number, and similar information, where it is not provided solely for personal purposes. Section 4(5) then states that the data protection obligations in Parts 3 to 6 of the Act, including the Consent Obligation, do not apply to business contact information.
The practical effect is significant: if you email jane.tan@abccorp.sg about something relevant to her role at Abc Corp, you are using her business contact information, and the PDPA's consent requirements do not apply to that use. This is why the PDPC's own guidance treats B2B marketing using contact details from a business card as generally falling outside the consent regime.
The exception has edges. It covers genuine business contact details used in a business context. A personal Gmail address does not become business contact information just because the person sometimes uses it for work, and contact details that were provided solely for personal purposes stay protected. If you scrape a founder's personal mobile number from a community forum, do not assume the exception covers it.
- Covered: corporate email addresses, office direct lines, job titles, business mailing addresses.
- Not covered: personal email addresses, personal mobile numbers given in a personal capacity.
- Grey zone: sole proprietors and freelancers whose personal and business identities overlap. Be conservative here.
When you need consent, and how deemed consent works
If your outreach touches personal data outside the business contact exception, for example marketing to consumers at their personal email addresses, the Consent Obligation in section 13 applies: you need the individual's consent before collecting, using, or disclosing their personal data, and you must notify them of the purpose.
The PDPA also recognises deemed consent. Under section 15, an individual is deemed to consent where they voluntarily provide their data for a purpose and it is reasonable that they would do so, for example handing over an email address to receive a quote. The 2020 amendments added deemed consent by notification under section 15A, which lets an organisation rely on notice plus an opt-out period for additional purposes, provided it first conducts an assessment to rule out likely adverse effect. Deemed consent by notification cannot be used for sending direct marketing messages, so it is not a backdoor for cold outreach to consumers.
Consent can be withdrawn at any time on reasonable notice under section 16, and you must give effect to the withdrawal. For an outreach team this translates to one operational rule: every opt-out, however it arrives, goes onto a suppression list immediately and permanently.
Where the DNC Registry applies, and where it does not
Part 9 of the PDPA establishes the Do Not Call (DNC) Registry, which holds three registers: No Voice Call, No Text Message, and No Fax Message. Before sending a marketing message to a Singapore telephone number, you must check that the number is not listed, unless you have the user's clear and unambiguous consent or an exemption applies.
Email is not covered. The DNC provisions apply only to voice calls, text messages, and faxes sent to Singapore telephone numbers, so a cold email campaign never requires a DNC check. Cold calls and SMS follow-ups do, which is why mixed-channel sequences need more care than email-only ones.
There is also a B2B carve-out: paragraph 1(g) of the Eighth Schedule excludes from the definition of a specified message any message sent to an organisation, rather than to an individual acting in a personal or domestic capacity, for any purpose of the receiving organisation. A genuine B2B call to a procurement manager's office line about her company's needs is outside the DNC regime. The full rules, including how to check numbers and what enforcement looks like, are covered in our dedicated DNC Registry guide.
The Spam Control Act layer for unsolicited email
The PDPA is not the only statute that touches cold email. The Spam Control Act 2007 regulates unsolicited commercial electronic messages sent in bulk, and it applies regardless of whether the recipient's address is business contact information. Bulk has low thresholds: more than 100 messages with the same or similar subject matter in 24 hours, more than 1,000 in 30 days, or more than 10,000 in a year.
If your campaign meets those thresholds, the Act's Second Schedule requirements kick in: a working unsubscribe facility that stays valid for at least 30 days after sending, honouring unsubscribe requests within 10 business days, no false or misleading header information, an accurate subject line, and labelling unsolicited messages with <ADV>. The Act also bans sending to addresses generated by dictionary attacks or harvested by software.
Most professional B2B senders comply with the substance of these rules as a matter of deliverability hygiene anyway: a real sender identity, an honest subject line, and a one-click way out. The full requirements, including the labelling question that trips up most teams, are unpacked in our Spam Control Act guide.
Penalties and PDPC enforcement in practice
Since 1 October 2022, the maximum financial penalty for breaching the PDPA's data protection provisions is 10 per cent of an organisation's annual turnover in Singapore for organisations with local turnover above S$10 million, or S$1 million in any other case. The largest penalties to date remain the 2019 SingHealth data breach, where the PDPC fined Integrated Health Information Systems S$750,000 and SingHealth S$250,000.
DNC breaches moved from criminal prosecution to a civil financial penalty regime on 1 February 2021. Individuals now face penalties of up to S$200,000 per breach and organisations up to S$1 million. Under the older criminal regime, the first prosecuted case saw Star Zest Home Tuition and its director each fined S$39,000 in 2017 for sending marketing text messages without checking the registry. In February 2024 the PDPC took action against a financial advisor who used dictionary-attack methods to generate numbers and called DNC-registered individuals without checking the register.
The pattern in PDPC enforcement is consistent: the Commission publishes its decisions with names, and most marketing-related cases begin with consumer complaints. A single annoyed recipient with a screenshot is the usual trigger, which is a strong commercial argument for clean lists and instant opt-out handling.
A 10-point compliance checklist for outreach teams
Run every Singapore campaign against this list before launch. It compresses the PDPA, DNC, and Spam Control Act requirements into operating rules a rev-ops team can actually enforce.
- Target business email addresses tied to a role and company, never personal addresses, so the business contact information exception applies.
- Make the message genuinely relevant to the recipient's role at their organisation; that is what keeps it B2B in substance, not just in format.
- Identify yourself and your company accurately in the from-name, signature, and domain. No misleading headers or subject lines.
- Include a working unsubscribe mechanism in every send and keep it functional for at least 30 days.
- Process every opt-out within 10 business days at the latest; same day is the professional standard.
- Maintain a permanent suppression list that is checked automatically before every send, across all campaigns and team members.
- Never buy or use lists built by scraping, address harvesting, or guessing patterns; both the PDPA and the Spam Control Act target dictionary attacks specifically.
- Check Singapore phone numbers against the DNC Registry before any cold call or SMS, unless the B2B exclusion clearly applies, and keep evidence of the check.
- Record where each contact's data came from, so you can answer provenance questions if the PDPC ever asks.
- Appoint a Data Protection Officer (mandatory under the PDPA) and make sure the outreach team knows who it is.
Suppression and unsubscribe handling, built in
HuntSales adds a one-click unsubscribe link to every campaign send, writes opt-outs to a permanent suppression list, and checks that list automatically before every email leaves your mailbox.
Frequently asked
Is cold email legal in Singapore?
Yes, B2B cold email is legal when done properly. The PDPA's business contact information exception in section 4(5) means consent is not required to email someone at their corporate address about matters relevant to their role. You still need to comply with the Spam Control Act if you send in bulk: accurate sender details, an honest subject line, and a working unsubscribe facility.
Do I need consent to email someone's work email address?
Generally no. A business email address, together with the person's name and title, is business contact information under section 2(1) of the PDPA, and the consent obligations do not apply to it. The exception assumes the contact details were not provided solely for personal purposes and that your message relates to the recipient's business capacity.
Does the Do Not Call Registry apply to email?
No. The DNC Registry covers voice calls, text messages, and faxes sent to Singapore telephone numbers. Email is outside the DNC regime entirely. If your sequence includes cold calls or SMS, those touches need a DNC check first, unless an exemption such as the B2B exclusion applies.
Do I have to put <ADV> in my cold email subject lines?
The Spam Control Act requires unsolicited commercial electronic messages sent in bulk to be labelled <ADV>. Whether a personalised B2B email campaign meets the Act's bulk and unsolicited definitions depends on volume and context, and practice in the Singapore B2B market varies widely. Our Spam Control Act guide covers the labelling question in detail.
Can I email someone's personal Gmail address about my product?
Treat that as consumer marketing, not B2B outreach. A personal email address is personal data without the business contact shield, so the PDPA's consent and notification obligations apply in full. As a rule, if the address is not on a company domain or clearly published for business purposes, leave it out of your campaigns.
Are purchased contact lists legal in Singapore?
Buying data is not automatically illegal, but you carry the risk. If the list contains personal data collected without proper consent, or was built with address-harvesting software or dictionary attacks, using it can breach the PDPA and the Spam Control Act. Ask vendors how data was collected, and prefer providers that can show the contacts are genuine business contact information.
What are the actual penalties if I get this wrong?
For data protection breaches, the PDPC can impose up to 10 per cent of annual Singapore turnover for organisations with local turnover above S$10 million, or up to S$1 million otherwise. DNC breaches carry penalties of up to S$200,000 for individuals and S$1 million for organisations. Decisions are published with names, so reputational cost comes on top.
How is the PDPA different from GDPR for cold outreach?
The PDPA is more permissive for B2B email. GDPR treats work email addresses as personal data with full protections and requires a legitimate-interest analysis for cold email. Singapore's business contact information exception removes the consent requirement for genuine B2B contact details altogether, although the Spam Control Act still sets baseline rules for bulk email.
Outreach that stays on the right side of the rules
Suppression lists, unsubscribe handling, and a calling workflow built for APAC compliance, in one outreach CRM. Free for solo founders.