Singapore's Spam Control Act: What Counts as Spam and How to Stay Legal

What the Act covers

The Spam Control Act regulates unsolicited commercial electronic messages sent in bulk. Each of those words carries weight. Commercial means the message markets or promotes goods, services, land, or business opportunities. Unsolicited means the recipient did not request it or consent to receiving it. Electronic messages include email and messages to mobile numbers, and following the 2021 amendments the regime also reaches commercial texts sent in bulk to instant messaging accounts.

Bulk has precise statutory thresholds, and they are lower than most teams expect: you send in bulk if you send more than 100 messages with the same or similar subject matter within 24 hours, more than 1,000 within 30 days, or more than 10,000 within a year. A modest SDR sequence running steadily for a quarter clears these numbers easily, so most real cold email programmes should assume the Act applies.

The Act also contains flat prohibitions that apply regardless of compliance elsewhere: you must not send to addresses obtained through address-harvesting software or generated by dictionary attacks, and you must not falsify header or routing information to disguise the origin of a message.

The labelling question: do cold emails need <ADV>?

The Second Schedule of the Act requires every unsolicited commercial electronic message to be labelled: the subject field must begin with <ADV> followed by a space, or, if the message has no subject field, the label must appear at the start of the message body. This is the requirement that surprises teams most, because almost no B2B cold email in the wild carries the label.

Strictly read, a bulk cold email campaign to recipients who have not consented is unsolicited and commercial, and the labelling requirement applies to it. The common arguments against labelling, that the emails are personalised, that they are one-to-one business correspondence, or that everyone else skips it, do not change the statutory text. They go to enforcement risk, not to what the law says.

How you handle this is a business decision to make with eyes open. Enforcement under the Act is by civil action from affected parties rather than by a regulator issuing fines, and labelling disputes against legitimate B2B senders have been rare. But teams that send genuinely targeted, low-volume, research-driven messages sit on much safer ground than teams blasting templated sequences at thousands of addresses, both legally and commercially. If your programme looks like the latter, the Act says label it.

Unsubscribe rules: the exact requirements

The unsubscribe requirements in the Second Schedule are specific, and worth implementing exactly. Every message must contain an unsubscribe facility: a clear and conspicuous statement that the recipient may use an email address, or other contact method, to tell you not to send further messages. The statement must be in English, and the unsubscribe route must not cost the recipient anything beyond the usual cost of sending it.

Two deadlines anchor the regime. The unsubscribe address or facility must remain valid and capable of receiving requests for at least 30 days after your message is sent. And once a recipient submits an unsubscribe request, you must stop sending within 10 business days; any message sent after that window is treated as sent in breach of the Act.

Operationally, the 10-business-day window is a ceiling, not a target. Modern outreach tooling processes opt-outs instantly, and instant suppression is what recipients expect. The window exists to accommodate slow manual processes, not to let you squeeze in two more follow-ups after someone says stop.

• Include an unsubscribe statement and contact route in every message, in English.
• Keep the unsubscribe route working for at least 30 days after each send.
• Honour every request within 10 business days; instantly in practice.
• Apply opt-outs across your whole organisation, not just one campaign or rep.

Sender identification: no false or misleading headers

The Act requires that messages not contain false or misleading information about their origin. Header information, meaning the source, destination, and routing data attached to the message, must be accurate, and the from-line must not disguise who is actually sending. Relaying a message through another machine to obscure its origin is specifically targeted.

Subject lines fall under the same principle: a title that would mislead the recipient about the content of the message breaches the Second Schedule. Subject lines like 'Re: our call' when there was no call, or 'Invoice attached' on a sales pitch, are not clever copywriting; they are the exact behaviour the statute describes.

For deliverability reasons you should be doing all of this anyway. Authenticated sending domains with SPF, DKIM, and DMARC, a real human sender name, and an honest subject line are table stakes for landing in the inbox in 2026. The Act simply makes the floor legal as well as practical.

How the Spam Control Act interacts with the PDPA

The two statutes divide the territory cleanly. The PDPA governs the data: whether you may collect, hold, and use a person's contact details at all, with a broad exception for business contact information. The Spam Control Act governs the message: what a bulk commercial email must contain and how opt-outs must work, regardless of how lawfully the address was obtained.

This means the PDPA's business contact information exception does not exempt you from the Spam Control Act. An email to jane.tan@abccorp.sg may need no consent under the PDPA, yet still require an unsubscribe facility, honest headers, and labelling under the Spam Control Act if sent in bulk. Compliance in Singapore means clearing both bars, plus the DNC Registry rules if your sequence includes calls or SMS to Singapore numbers.

Remedies differ too. The PDPC enforces the PDPA directly with financial penalties. The Spam Control Act instead gives people who suffer loss a civil cause of action, with statutory damages of up to S$25 per message, capped at S$1 million in aggregate unless actual loss is proven higher. At cold email volumes, S$25 per message compounds quickly, which is the Act's quiet deterrent.

A compliant cold email, annotated line by line

Here is a Singapore-compliant cold email skeleton, with the reason each element exists. The example assumes a B2B send to a business email address, which keeps it inside the PDPA's business contact information exception.

• From: 'Sarah Lim, HuntSales <sarah@huntsales.io>'. Real person, real company, authenticated domain. Satisfies the accurate-origin requirement and builds trust.
• Subject: 'Question about Abc's outbound process'. Honest and specific. It describes the actual content, so it cannot mislead. Add <ADV> at the front if your programme is bulk and unsolicited under the Act.
• Line 1: 'Saw Abc is hiring two SDRs in Singapore this quarter.' A genuine, researched reason for contact. This is what separates targeted outreach from spam in substance.
• Body: two or three sentences on the specific problem you solve for companies like theirs. Commercial purpose stated plainly; nothing disguised.
• Ask: one clear, low-friction question. 'Worth a 15-minute look?' No false urgency, no fake prior relationship.
• Signature: full name, company, and a working contact route. Identifies the sender and gives the recipient someone to respond to.
• Footer: 'If you would rather not hear from me, reply with unsubscribe or click here.' The unsubscribe facility, in English, free to use, kept working for at least 30 days, and honoured well inside 10 business days.