There are no specific cookie-related laws in force in Singapore. To the extent that personal data is collected using cookies or similar technologies, such activity will be regulated under the Personal Data Protection Act 2012 (“PDPA”).
Unless an exception applies, consent will be required where a cookie or similar technology collects personal data. Where cookies do not collect personal data, consent is not required.
Yes. The above data protection rules are followed in practice.
Yes.
The data controller may be able to rely on the legitimate interest’s exception under the PDPA, provided that the data controller complies with the relevant requirements.
In addition to the legitimate interest’s exception, the PDPA provides several other exceptions to the requirement for consent. However, these generally apply only in specific contexts and/ or are subject to specific conditions. It is unlikely that a data controller will be able to rely on these exceptions for cookies which are placed by a publicly accessible website.
Cookies may be placed automatically where they do not collect personal data, or if they do collect personal data, where consent may be deemed or implied.
As Singapore does not have a specific cookie-related law, the classification of cookies provided here may not neatly map to the requirements under the PDPA.
In general, where cookies are strictly necessary for the functioning of a website, it is likely that consent may be implied or deemed. On the other hand, where the collection of personal data might be more extensive, such as for Social Media cookies, it may be more difficult to rely on implied or deemed consent for automatic placement of such cookies. The extent to which Analytics or Advertising cookies require consent will depend on whether the data which such cookies collect is considered personal data.
Yes. Depending on the circumstances, a user may be deemed or implied to have consented to the collection of data by cookies.
A user may be deemed or implied to have consented to the placement of cookies by continuing to browse a website. In general, deemed consent applies where it would be reasonable for a user to have voluntarily provided the data collected by the cookies, and implied consent operates where a user has notice of the purposes for which the cookies collect data and by continuing to browse the site provides such implied consent.
The Personal Data Protection Commission (“PDPC”) has provided guidance in its Advisory Guidelines on the PDPA for Selected Topics of situations where consent may be deemed or implied. Consent may be implied where cookies provide a functionality which the user has requested, the user is aware of the purposes for the collection, use and disclosure of his/ her personal data, and the user provides the data voluntarily.
Consent may be deemed where an activity cannot take place without cookies that collect, use, and disclose personal data, the user voluntarily provides his/ her data for the purposes of the activity, and it is objectively reasonable for the user to do so.
For example, where a cookie is required for the operation of a web form to facilitate an online purchase, there is no requirement for separate consent to be obtained specifically for the functioning of that cookie as the collection of data through the cookie may be implied and/ or deemed.
Consent may also be implied from the way a user configures his/ her browser to accept certain cookies but reject others. The reliance on such settings alone may not however provide valid consent in all circumstances. The PDPC cautions that the mere failure of an individual to actively manage his/ her browser settings does not imply that the individual has consented to collection, use and disclosure of his/ her personal data by all websites.
Yes. There is no mandatory requirement to have a cookie notice. However, if the cookies used on a website collect personal data, information on the purposes for which the personal data is collected, used, and disclosed should be included in a privacy notice if no cookie notice is published. This is because an individual has not given consent (whether implied or express) unless they have been notified of the purpose(s) for which their personal data will be processed and thereafter, provided consent for the same purpose(s).
Yes. There is no mandatory requirement for the use of a cookie banner or management tool.
However, providing users with a cookie banner is best practice.
There are no specific rules which prohibit the use of cookie walls. However, there may be issues with the validity of consent where cookie walls are used to deny access to users.
Under section 14(2)(a) of the PDPA, data controllers may not, as a condition of providing a product or service, require a data subject to consent to the collection, use or disclosure of personal data about the data subject beyond what is reasonable to provide the product or service to that data subject. Where such a condition is imposed, the consent received will be invalid. Thus, where a data controller requires that large amounts of personal data be collected through cookies beyond what is reasonable for providing a product or service, the use of cookie walls may run the risk of invalidating consent.
There have been no reported cases where the PDPC has taken enforcement action against an entity for breaches specifically in relation to cookies.
No, we are not aware of any.
There are no anticipated changes to the rules and there have been no changes to attitudes in the market relating to cookies and similar tracking technologies. However, organisations should closely monitor this area for further developments as there has been an increased regulatory focus on child safety, since the enactment of the Online Safety (Miscellaneous Amendments) Act, which could impact the use of cookies and similar tracking technologies on minors.