PDPA After 7.7: Handling New Customer Data and Marketing Consent for Singapore SMEs
The new customer records you collected during the 7.7 sale can only be used for marketing if you obtained clear, specific consent for that purpose — a completed checkout is not the same as permission to send promotions. Under Singapore's Personal Data Protection Act (PDPA), you may use the data to fulfil and support the order the customer placed, but a separate, documented opt-in is required before you add these buyers to a marketing list or send them an EDM, SMS blast, or WhatsApp broadcast. The days right after a mega sale are the most important window to sort this out, because the temptation to re-market to thousands of fresh contacts is exactly when SMEs slip into non-compliance.
What does PDPA require for the customer data you collected during 7.7?
PDPA is built around three core obligations that matter most after a sale: consent, purpose limitation, and notification. You must have notified the customer of the purposes for collecting their data, collected it only for purposes a reasonable person would consider appropriate, and obtained consent for any purpose beyond completing the transaction itself.
In practice, this means a customer who bought a product during 7.7 has implicitly consented to you using their name, address, and contact details to process, ship, and support that order. That same checkout does not give you consent to send them weekly newsletters, cross-sell campaigns, or birthday promos. If you want to do that, the consent for marketing has to be obtained separately and stored as evidence — because under PDPA the burden of proving consent sits with your business, not the customer.
Did you actually get valid marketing consent at checkout?
Pull up your checkout flow from the sale and check honestly. Valid marketing consent under PDPA generally requires a clear, affirmative action by the customer — not a buried clause or a pre-ticked box. Ask yourself:
- Was there a distinct, unticked checkbox for marketing communications, separate from the terms-and-conditions acceptance?
- Did the wording clearly state what they were signing up for (email, SMS, both) and from whom?
- Did your platform record the timestamp and the exact consent text shown at the time?
If the answer to any of these is no, treat those contacts as transactional-only until you re-permission them. A common, compliant fix is a single "welcome" email — sent under the transactional relationship — that invites the buyer to opt in to your marketing list. Those who opt in become a clean, defensible audience; those who do not stay off it.
How should you separate transactional messages from marketing under PDPA?
This distinction is where most lean teams get into trouble, because the same email tool sends both. A transactional message services the order the customer placed — order confirmations, shipping updates, delivery notifications, refund and return information, and direct responses to their enquiries. A marketing message promotes products or offers, including "you might also like," abandoned-cart nudges, and post-purchase upsells.
The practical step is to tag every contact in your CRM or email platform with their consent status — for example transactional-only versus marketing-opted-in — and to build your campaign segments to exclude transactional-only contacts by default. If your tooling cannot enforce that separation reliably, this is a strong signal to consolidate onto a platform that can, rather than relying on staff to remember the difference under pressure.
What about the DNC Registry for SMS and call campaigns?
If your 7.7 follow-up plan includes SMS blasts or sales calls to Singapore phone numbers, the PDPA's Do Not Call (DNC) provisions apply on top of consent. Before sending a specified marketing message to a local number, you must check it against the DNC Registry, unless you have clear and unambiguous written consent from that individual to receive such messages.
Two points lean teams often miss: first, the "ongoing relationship" exemption is narrow and does not blanket-cover every past buyer; second, every marketing SMS must identify the sender and provide a way to opt out. The safest workflow is to scrub your campaign list against the DNC Registry before each send, keep the receipt of that check, and honour opt-outs within the required timeframe. For email, there is no DNC equivalent, but every marketing email still needs a working unsubscribe link.
How long can you keep this data, and when must you dispose of it?
PDPA's Retention Limitation obligation says you must stop retaining personal data once the purpose for which it was collected no longer applies and there is no legal or business reason to keep it. For a 7.7 buyer, you have legitimate reasons to retain transaction records for tax, warranty, and accounting purposes — IRAS, for instance, requires business records to be kept for five years. But a contact who never opted in to marketing and never bought again should not sit indefinitely on a live marketing list "just in case."
Set a written retention schedule: how long transactional records are kept, how long inactive marketing contacts are kept before review, and how data is securely disposed of when the time comes. This is also good housekeeping — smaller, cleaner lists improve deliverability and cut the blast radius if you ever suffer a breach.
What's a practical 7-day PDPA cleanup workflow?
You don't need a legal department to get this right before your next campaign. A focused week is enough for most SMEs:
- Day 1–2: Export the new 7.7 contacts and tag each by consent status based on what your checkout actually captured.
- Day 3: Send a single welcome / opt-in email to transactional-only contacts inviting them to join your marketing list.
- Day 4: Build segments so campaigns exclude transactional-only and non-consenting contacts by default.
- Day 5: Scrub any SMS or call lists against the DNC Registry and save the check receipts.
- Day 6: Document a simple retention schedule and confirm your unsubscribe and opt-out links work.
- Day 7: Write a one-page internal record of what you did — your evidence of compliance if ever questioned.
If this feels like more than your team can absorb on top of fulfilment and returns, it is a textbook case for a managed service to set up the consent tagging, segmentation, and retention rules once, so the process runs cleanly every sale thereafter.
Frequently Asked Questions
1. Can I email everyone who bought during 7.7 with a new promotion?
Only those who gave separate marketing consent. You can send everyone a transactional follow-up about their order, and that message can include a clear invitation to opt in to marketing — but a blanket promotional blast to non-consenting buyers risks breaching PDPA.
2. Does an unsubscribe link make my email campaign PDPA-compliant?
An unsubscribe link is necessary but not sufficient. You still need valid consent to send marketing in the first place. The unsubscribe mechanism handles withdrawal of consent; it doesn't create the consent you needed to start.
3. Do I need to check the DNC Registry if I'm only sending emails?
No. The DNC Registry covers voice calls, SMS, and faxes to Singapore phone numbers. Email marketing is governed by the PDPA's consent rules rather than the DNC provisions, though you still need consent and a working unsubscribe option.
Digital Perpetual helps Singapore SMEs set up compliant, automated customer-data workflows that survive every sale period. If your post-7.7 list needs sorting before your next campaign, we can build the consent and retention rules once and keep them running.
Ready to Transform Your Business?
Let Digital Perpetual help you automate, streamline, and grow.
Get Started with Digital Perpetual →