All articles
Pillar

PDPA-compliant WhatsApp marketing in Singapore: a practical guide

How to run WhatsApp marketing in Singapore without breaching PDPA. Consent, DNC registry, withdrawal, data minimisation, and what the law actually says — with real examples for advisors, realtors, and SMBs.

Published · 7 July 2026· 12 min read

If you run a business in Singapore and want to stay in touch with clients on WhatsApp — sending vouchers, birthday messages, or follow-ups — the Personal Data Protection Act (PDPA) applies to you. This guide covers what the law actually requires, where the gray areas are, and how to build a WhatsApp outreach process that survives regulatory scrutiny. It is written for financial advisors, realtors, and independent professionals, not lawyers — but the obligations are real and the penalties for getting it wrong start at S$10,000 per breach.

What PDPA actually covers

The Personal Data Protection Act 2012 (amended 2020) governs how organisations in Singapore collect, use, disclose, and retain personal data. A phone number is personal data. A client's name, birth date, purchase history, and preferences are personal data. If you are using any of these to decide who to message on WhatsApp and what to send them, PDPA applies.

The Act sets out nine main obligations that every organisation must meet:

  • Consent — obtain clear, informed consent before collecting, using, or disclosing personal data.
  • Notification — tell individuals the purpose for which you are collecting their data.
  • Purpose limitation — only use the data for the purpose the person consented to.
  • Access — allow individuals to request access to the data you hold about them.
  • Correction — allow individuals to request correction of inaccurate data.
  • Accuracy — take reasonable steps to ensure data is accurate before use.
  • Protection — protect personal data with security arrangements reasonable for the data's sensitivity.
  • Retention limitation — do not retain data longer than the purpose requires.
  • Transfer limitation — ensure overseas transfers meet equivalent protection standards.

A tenth obligation — data breach notification — was added in the 2020 amendments and took effect in February 2021. It requires notifying the Personal Data Protection Commission (PDPC) and affected individuals of significant breaches.

Key takeaway: PDPA is channel-agnostic. It does not matter whether you send a message via email, SMS, or WhatsApp — the consent and purpose obligations apply the same way. There is no "WhatsApp exemption."

Consent is the foundation of PDPA compliance. Before you send a client a marketing message on WhatsApp, you need their consent, and you need to be able to prove you have it.

What counts as valid consent

Valid consent under PDPA must be:

  • Knowing and informed — the individual understood they were agreeing to receive marketing messages and knew the purpose.
  • Voluntary — not obtained under duress or as a condition of a service unless the data collection is reasonably necessary for that service.
  • Documented — you can demonstrate consent was given if asked by the PDPC or the individual.

Written consent is not strictly required — verbal consent can be valid — but in practice, you need a record. "I think they said yes when I called them" is not a defensible position in front of the PDPC.

Deemed consent for existing client relationships

The 2020 amendments introduced the concept of deemed consent. If an individual has an existing relationship with you (for example, they are your client) and you collect their contact details in that context, consent to use the data for related purposes may be deemed. However, deemed consent for marketing is narrow — the individual must have been given a clear opportunity to opt out and did not do so.

Practical rule: For WhatsApp marketing, do not rely on deemed consent alone. Get an explicit opt-in — a checkbox on your intake form, a reply "YES" to a confirmation message, or a signed consent in your onboarding paperwork. Record the date, the method, and what the person agreed to.

Notification obligation

At the point of collecting the data, you must inform the individual of the purposes for which the data will be used. A privacy notice or a consent statement on your form satisfies this. "We'll use your number to send you occasional vouchers and birthday messages" is sufficient if it is visible at the point of collection.

The DNC registry and WhatsApp

The Do Not Call (DNC) registry is managed by the PDPC and allows individuals to register their Singapore telephone numbers to opt out of telemarketing messages. It covers three channels: voice calls, SMS, and fax.

Does the DNC registry cover WhatsApp?

This is where it gets nuanced. The DNC provisions in the PDPA refer to "telemarketing messages" sent via "telephone calls," "text messages" (SMS), and "fax messages." WhatsApp messages are not explicitly named in the Act. Legal opinion is divided:

  • Some practitioners argue WhatsApp messages are functionally equivalent to SMS and therefore fall under the DNC registry's text message provisions.
  • Others argue WhatsApp is an over-the-top (OTT) messaging app, not a telecommunication service, and is therefore outside the DNC registry's scope.
  • The PDPC has not issued a definitive ruling that settles this question.

The safe position: Regardless of whether the DNC registry technically covers WhatsApp, the PDPA's consent obligations apply. If you have valid consent from the recipient, the DNC registry is not a concern — consent overrides a DNC registration. If you do not have consent, sending WhatsApp marketing messages is risky under both the consent obligations and potentially the DNC provisions. Get consent and the question becomes moot.

Checking the DNC registry

If you send telemarketing via SMS or calls, you must check the DNC registry (or have clear, unambiguous written consent that overrides the registry). The registry is free to check for registered organisations. For WhatsApp-only outreach with documented consent, a DNC check is not strictly required — but it is a low-cost precaution if you also use SMS.

Under PDPA, an individual can withdraw consent at any time. When they do, you must:

  1. Stop collecting, using, or disclosing their personal data for the purpose they withdrew consent from.
  2. Inform any third parties to whom you disclosed the data (if practical).
  3. Process the withdrawal within a reasonable time (the PDPC expects within 30 days, sooner if practical).

On WhatsApp, the most common withdrawal signal is a reply like "stop" or "unsubscribe." Your process must catch these. If a client texts "stop" and you send them another voucher two weeks later, that is a PDPA breach.

Common failure mode: Many small businesses handle WhatsApp manually — the advisor reads a "stop" message, means to update their spreadsheet, forgets, and sends the next broadcast to everyone. This is how PDPC complaints start. Automated consent tracking eliminates this failure mode.

Data minimisation in practice

PDPA requires that you collect only the personal data you need for your stated purpose — no more. This is the data minimisation principle, and it is where many CRM implementations go wrong.

The birthday voucher example

If your purpose is "send the client a birthday voucher," you need to know when their birthday is. But do you need the full birth date (day, month, year)? For sending a voucher on the right day, you need the day and month. For age-segmented offers, you might need the year. You almost never need the full date for a birthday voucher campaign.

Storing the full birth date when you only need the month and day is a data minimisation failure. If your database is breached, the exposed data is more sensitive than it needed to be — and the PDPC will note this in any enforcement action.

How AICRMGenius handles this: AICRMGenius stores only birth month (1–12) and birth year. The full birth date is never collected. Birthday vouchers are sent during the client's birth month. This is a deliberate PDPA design choice — the system cannot leak a birth date it does not have.

Other minimisation decisions

  • Do not store NRIC numbers unless you have a specific legal requirement to do so.
  • Do not store payment card details — use a payment processor (the card data lives with them, not you).
  • Do not store more conversation history than you need. Retention limitation means deleting data when the purpose is fulfilled.

Data breach notification

Since February 2021, Singapore organisations must notify the PDPC of significant data breaches. A breach is "notifiable" if:

  • It results in significant harm to the affected individuals (e.g., financial loss, loss of employment, identity theft), or
  • It affects 500 or more individuals.

Notification to the PDPC must be made within 3 business days of assessing that the breach is notifiable. Affected individuals must also be notified if the breach is likely to cause significant harm.

For a small business using a CRM, the most likely breach scenario is a compromised account or a misconfigured database exposure. Using a hosted CRM with proper access controls and Singapore-based data residency reduces both the likelihood and the severity of a breach.

Practical compliance checklist

If you are running WhatsApp outreach for a Singapore business, work through this list. It is not a substitute for legal advice, but it covers the obligations that the PDPC most commonly enforces against small businesses.

  1. Collect consent at intake. Add a checkbox or signed statement to your onboarding form: "I agree to receive occasional vouchers and updates via WhatsApp." Record the date and method.
  2. State the purpose. Tell the client what you will use their number for, in plain language, at the point of collection.
  3. Make withdrawal easy. Tell clients they can reply "stop" at any time. Have a process — automated or manual — that catches and acts on withdrawal within 30 days.
  4. Minimise data. Store only what you need. For birthday vouchers, month and year are enough. Do not store NRIC or card numbers.
  5. Host data in Singapore. If your CRM provider offers Singapore data residency, use it. It simplifies the transfer limitation obligation and signals good faith to the PDPC.
  6. Limit access. Only people who need to see client data should have access. Revoke access when staff leave.
  7. Have a breach plan. Know how you would notify affected clients and the PDPC within 3 business days if your data were compromised.
  8. Respect the DNC registry if you also use SMS or calls for telemarketing. Check the registry or rely on documented written consent.

How AICRMGenius handles this

AICRMGenius was built with PDPA in mind from the start. The design choices map directly to the obligations above:

  • Consent tracking: every client record includes a consent status, opt-in timestamp, and source. You can demonstrate consent to the PDPC or the client on demand.
  • Automatic withdrawal: when a client is marked consent-withdrawn, all outbound voucher sends and broadcasts to that number are blocked automatically. No manual spreadsheet updates to forget.
  • Data minimisation: only birth month and year are stored — never the full birth date. NRIC and card numbers are never collected.
  • Singapore-hosted: data residency in Singapore, simplifying the transfer limitation obligation.
  • Access controls: role-based access means staff see only the data their role requires.
  • Access and correction: clients can request their data and corrections through the partner, and the system supports export.

No tool can guarantee zero regulatory risk — compliance is a shared responsibility between the software and how you use it. But the default settings and data model in AICRMGenius are designed so that the easy path is also the compliant path.

Frequently asked questions

Is WhatsApp marketing covered by PDPA in Singapore?

Yes. Any use of personal data (including a phone number) to send marketing messages is governed by the PDPA consent obligations. The DNC registry specifically covers telemarketing calls, SMS, and fax — its application to WhatsApp is not explicitly settled, but the PDPA consent principles apply regardless of channel.

Do I need written consent to send WhatsApp vouchers to my clients?

You need clear, informed consent — the individual must know they are agreeing to receive marketing messages and understand the purpose. Written consent is not strictly required, but you must be able to demonstrate that consent was given. AICRMGenius records an opt-in timestamp and source for each client.

What happens if a client withdraws consent?

You must stop sending marketing messages and inform any related parties who received the data from you. AICRMGenius marks the client as consent-withdrawn and blocks all outbound voucher and broadcast sends to that number automatically.

Can I store my clients' full birth dates for birthday vouchers?

You can, but you should not unless you need to. PDPA requires data minimisation — collect only what you need for the stated purpose. For birthday vouchers, birth month and year are sufficient. AICRMGenius stores only birth month and year, never the full date.

Is AICRMGenius PDPA-compliant?

AICRMGenius is built around PDPA obligations: Singapore-hosted data, consent tracking with timestamps, automatic withdrawal handling, data minimisation (birth month/year only), and access/correction support. No system can guarantee zero regulatory risk, but the design choices map directly to PDPA obligations.

Start free — 10 clients, no card

AICRMGenius remembers your clients' preferences and sends well-timed vouchers from our verified WhatsApp Business number. Built for financial advisors, realtors, and independent professionals in Singapore.

Start free