June 7, 2018, is the deadline to submit public comments to the Personal Data Protection Commission of Singapore (PDPC) on its April 27 proposal to combine the Spam Control Act and the Do Not Call provisions of its broader data protection law into one single piece of legislation in the Personal Data Protection Act (PDPA). Striving to adapt to the rapid technological advancement and changes in marketing practices, the proposed merger, if implemented, will streamline compliance requirements for direct marketing, especially for sending direct marketing messages over instant messaging services and social media platforms.

The proposal

Currently, the Do Not Call provisions regulate direct marketing messages that are transmitted by text, fax or call to phone numbers in Singapore while the Spam Control Act applies to bulk electronic messages sent for marketing purposes. The proposal further expands the reach to cover unsolicited marketing messages sent to instant messaging identifiers on social media platforms and messaging services.

The new proposal also unifies the time period (10 days) for businesses to respond to consumers’ requests to withdraw consent to receive marketing communications. Currently, the Spam Control Act requires a 10-day time frame and the Do Not Call provisions require a 30-day time frame. Businesses that have been responding to the longer deadline in the Do Not Call provisions will need to facilitate their consent withdrawal response procedure to meet the shorter requirement.

The proposal further prohibits the use of random number generators and email address-harvesting software to send marketing messages in an effort to better safeguard individuals from spamming or bulk emailing. Random number generators automatically produce email addresses by using permutations that combine identifiers such as names, letters, numbers and symbols. Email address-harvesting softwaree can collect a large number of email addresses through various methods such as from web pages and web forms.

Finally, the proposal authorizes the PDPC to offer practical guidance to businesses looking to verify whether certain marketing practices comply with the PDPA.


Businesses conducting marketing activities in Singapore should take a proactive approach by reviewing their current direct marketing practices in light of the proposal. Special attention should be paid to the use of instant messaging services for sending marketing messages, use of random number generators and address-harvesting software for sending marketing emails, and the shortened time within which businesses must adhere to consumers’ requests to withdraw their consent from receiving marketing communications. Businesses should maintain an “unsubscribe” list for each form of media it uses to communicate with marketing prospects, including instant messaging and social media platforms.

Violations of existing requirements such as the duty to check the Do Not Call registry prior to placing a marketing call and the duty to not conceal the caller identity are currently enforced as criminal offenses. The new proposal, if adopted, is expected to draw the regulator’s fresh attention to the existing requirements.