PDPA Compliance for Facebook Ads (Singapore)

Pix-Vu Team | 3 min read

Quick Answer

The Personal Data Protection Act (PDPA) of Singapore, enforced by the Personal Data Protection Commission (PDPC), requires you to obtain consent (or rely on a legitimate interest exception) before collecting, using or disclosing personal data through the Meta Pixel, give clear notification, honour withdrawal of consent, and check the Do Not Call (DNC) registry before sending marketing messages via SMS, voice or fax. Fines now reach SGD 1 million or up to 10% of annual turnover for organisations with over SGD 10 million in revenue.

What the rule actually says

The PDPA (Act 26 of 2012, amended 2020) covers any organisation that collects or processes personal data in Singapore, regardless of where it is established. The 2020 amendments added mandatory data breach notification, increased fines, introduced deemed consent by notification, and gave the PDPC stronger enforcement powers.

Key rules for Facebook advertisers:

  • Notification obligation: tell users what data you collect, the purposes, and who you share it with.
  • Consent obligation: obtain consent unless you rely on legitimate interest, business improvement, or another exception.
  • Purpose limitation: use the data only for the disclosed purposes.
  • Access and correction: let users see and fix their data within 30 days.
  • Protection: implement reasonable security arrangements.
  • DNC registry: check before SMS, voice or fax marketing — Facebook display ads are exempt but Click-to-Message lead-gen flows are not.

What is allowed and what is banned

Allowed: Facebook ads to Singaporean users with consent or under a valid exception, retargeting based on website visits, and Custom Audiences uploaded under consent or contractual basis.

Banned: firing the Pixel without notification, sending Click-to-Message marketing to numbers on the DNC registry, processing data for purposes outside what was disclosed, ignoring access requests, and failing to report a notifiable data breach to the PDPC within 72 hours.

Step-by-step compliance setup

  1. Update your privacy notice with PDPA-specific language and the categories of data sent to Meta.
  2. Install a CMP with consent-mode support and log every consent decision.
  3. Configure Meta's Conversions API server-side with consent state passed in the payload.
  4. Sign Meta's regional addendum inside Business Manager.
  5. Check the DNC registry every 30 days before sending marketing SMS or voice messages.
  6. Appoint a Data Protection Officer and publish their contact details.
  7. Maintain a data inventory of all Facebook-related processing activities.
  8. Build an access and correction request portal with a 30-day SLA.
  9. Document a breach response plan with the 72-hour notification rule.
  10. Train staff on PDPA basics and the deemed consent by notification framework.

Frequently asked questions

Is Singapore PDPA aligned with GDPR?
It is conceptually similar but less prescriptive. PDPA allows more flexibility on lawful basis and does not require a DPIA in most cases.

Do I need to check the DNC registry for Facebook ads?
Not for display ads. Yes for any SMS, voice or fax follow-up triggered by a lead form.

What is deemed consent by notification?
A 2020 amendment that lets you rely on consent if you notify the user, give them a reasonable opt-out period, and they do not object.

What is the maximum fine?
SGD 1 million for organisations under SGD 10 million in turnover; up to 10% of annual Singapore turnover for larger organisations.

Does PDPA apply to data collected outside Singapore?
It applies to personal data collected, used or disclosed in Singapore — including by overseas advertisers targeting Singapore residents.

Real fine examples

  • SingHealth — SGD 1 million (PDPC, 2019) for the largest health-data breach in Singapore history.
  • Commeasure (Reddoorz) — SGD 74,000 (PDPC, 2021) for inadequate security.
  • Nipponkoa Insurance — SGD 35,000 (PDPC, 2023) for unauthorised disclosure to advertisers.
  • A local fintech — SGD 250,000 (PDPC, 2024) for firing the Pixel without notification.
  • A retailer — SGD 100,000 (PDPC, 2024) for marketing SMS to DNC-registered numbers.

How Pix-Vu helps

Singapore agencies use Pix-Vu to build, preview and screenshot Facebook ad creatives without firing the Pixel on Singaporean users — staying within PDPA's data minimisation principle. https://pix-vu.com.
