Singapore

Global Comparative Review


Children's rights

What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?

In general, the age of majority in Singapore is 21 years old as provided by common law. However, various statutes in Singapore do have different age thresholds in their definitions of a “child”, minor or young person, depending on the subject matter of the statute. For example, the Civil Law Act 1909 generally provides that those 18 and above have the capacity to enter into contracts, whilst the Employment Act defines a child as one below 15 years of age, and the guidance issued by the Personal Data Protection Commission generally considers consent from those aged 13 and above to be valid in respect of personal data protection matters.

Has the UNCRC been directly incorporated into national law in your jurisdiction?

No.

There is no incorporation of the UNCRC into Singapore law by way of legislation. However, Singapore acceded to the UNCRC in October 1995, and the Inter-Ministry Committee on the UNCRC serves as an inter-agency platform to monitor Singapore's progress in implementing the UNCRC.

Is there an ombudsperson/ commissioner for children in your jurisdiction?

No.

There is no ombudsperson / commissioner for children in Singapore.

If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?

N/A.

Data protection and privacy

Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?

No.

The Singapore Personal Data Protection Act 2012 (PDPA) generally requires in section 13 that organisations obtain consent in order to process personal data. Under section 14(4), consent can also be obtained from a person validly acting on the data subject’s behalf. In the Advisory Guidelines on the PDPA for Selected Topics and the Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment issued by the Personal Data Protection Commission (PDPC), the guidance is that the PDPC generally considers that minors aged 13 and above are able to give consent themselves as long as the policies on the processing of their data are readily understandable by them.

For those under the age of 13, the guidelines indicate that parental consent must be obtained to process the child’s personal data.

At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?

Please see the response to this question. Please note that this is not statutorily prescribed but is contained in guidance from the Personal Data Protection Commission. The age threshold is also not a firm one, and if an organisation considers that a higher age of consent is more appropriate in its business context or has reason to believe that a child above 13 years of age does not have sufficient understanding of the nature and consequences of giving consent, then parental consent should still be obtained.

Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?

No.

There are no specific requirements in relation to the collection and/or verification of parental consent concerning the processing of a child’s personal data.

However, the Guidelines on the Singapore Personal Data Protection Act 2012 (PDPA) for Children’s Personal Data in the Digital Environment state that the Personal Data Protection Commission supports the use of age assurance methods for the purpose of conforming to the Guidelines, including age verification or estimation methods to ascertain the user’s age, so that organisations can implement relevant safeguards when the user is a child.

Are there any particular information or transparency requirements concerning the processing of children’s personal data?

No.

The general requirements under section 20 of the Singapore Personal Data Protection Act 2012 to notify data subjects of the purpose of processing apply.

If consent is being obtained directly from the child, the notices must be in language that is readily understandable by the child so that they understand the consequences of providing and withdrawing consent. For further information, see the response to this question.

Can children directly exercise their rights in relation to their personal data without the involvement of their parents?

Yes.

There is nothing prohibiting a child from submitting an access or correction request under sections 21 and 22 of the Singapore Personal Data Protection Act 2012 (PDPA) in respect of their personal data.

For completeness, the Advisory Guidelines on Key Concepts in the PDPA clarify that a third party (who is not the data subject) may make an access request on behalf of a data subject where they have legal authority to validly act on the data subject’s behalf.

Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?

Yes.

There is no statutory right to make a complaint to the Personal Data Protection Commission (PDPC) under the Singapore Personal Data Protection Act 2012. Nevertheless, there is nothing prohibiting a child from making a complaint to the PDPC themselves.

Are there any particular requirements/ prohibitions related to:

a. processing specific types of children’s personal data;

b. carrying out specific processing activities involving children’s personal data; and/ or

c. using children’s personal data for specific purposes.

Yes.

The general requirements of the Singapore Personal Data Protection Act 2012 (PDPA) apply: personal data may only be processed in a way that a reasonable person would consider appropriate in the circumstances (section 18), of which the data subject has been notified (section 20), and to which the data subject has consented, unless exceptions apply (section 13).

The Personal Data Protection Commission (PDPC) has said in the Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment (Guidelines on Children) that it will continue to adopt a principles-based approach to consider what is reasonable when processing a child’s personal data.

Notwithstanding the above, the Guidelines on Children state that the PDPC does not consider it reasonable to use a child’s personal data or profile to target harmful or inappropriate content (as defined in the Info-Comm Media Development Authority’s Code of Practice for Online Safety) at a child. In addition, data minimisation policies to limit the collection and sharing of children’s personal data are advised, and it is recommended that the account information of children not be made public and searchable by default.

In addition, the Advisory Guidelines on the PDPA for National Registration Identity Cards (NRIC) and other National Identification Numbers, which broadly prohibit the processing of national identification numbers (including passport, employment pass and birth certificate numbers) except in very limited situations, generally apply.

Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.

Yes.

There has been enforcement action by the Personal Data Protection Commission in relation to breaches of the consent obligation under section 13 of the Singapore Personal Data Protection Act 2012 (PDPA) and the protection obligation under section 24 of the PDPA in respect of the personal data of minors:

  • Breach of the Protection Obligation by an education company [2019] SGPDPC 31: A financial penalty of $60,000 was imposed on the company for failing to put in place reasonable measures to protect the personal data of students, students’ parents and staff of various schools.
  • Breach of Protection Obligation by a software consultancy company [2019] SGPDPC 11: A financial penalty of $30,000 was imposed on the company for failing to put in place reasonable security arrangements to prevent unauthorised access and modification to an IT system provided to a school. The failure resulted in unauthorised access and modification of students’ personal data.
  • Breach of Consent and Purpose Limitation Obligations by a private education institution [2018] SGPDPC 15: The institution failed to notify and obtain consent from the parents of young students before disclosing online the students’ personal data for marketing purposes. Directions were issued to the institution.
  • Breach of the Protection Obligation by an international school: A financial penalty of $10,000 was imposed on the school for failing to put in place reasonable security arrangements to prevent the unauthorised access of its student applicants’ personal data residing in a website directory folder.
  • Breach of Protection Obligation by the national governing body for taekwondo [2018] SGPDPC 17: A financial penalty of $30,000 was imposed on the body for failing to make reasonable security arrangements to prevent the unauthorised disclosure of minors’ National Registration Identity Card numbers on its website. Directions were also issued to the organisation to appoint a data protection officer and to put in place a data protection policy.

Electronic direct marketing and advertising

Are there specific rules concerning electronic direct marketing to children?

No.

The Spam Control Act 2007 and the Singapore Personal Data Protection Act 2012 together regulate electronic direct marketing in Singapore, but there are no specific rules in relation to children.

However, please note that the non-binding industry code, the Singapore Code of Advertising Practice (SCAP) issued by the Advertising Standards Authority of Singapore, is generally followed in Singapore and sets out general parameters for advertising in Singapore, including content in advertisements addressed to children.

Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?

No.

The general requirements under the Singapore Personal Data Protection Act 2012 apply to the use of personal data in respect of such activities, and the parameters in the Singapore Code of Advertising Practice apply to the content of any such advertising.

Please note that the Code of Practice for Online Safety, which only applies to specifically designated social media services, does mention that children must not be targeted to receive content (including advertisements, promoted content and content recommendations) that the social media service is reasonably aware to be detrimental to their physical or mental well-being, including specific categories of harmful and/or inappropriate content prescribed in the code (namely, sexual content, violent content, suicide and self-harm content, cyberbullying content, content endangering public health, and content facilitating vice and organised crime).

Are there specific rules concerning online contextual advertising to children?

No.

Please see the response to this question.

Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.

No.

N/A

Consumer protection

At what age does a person acquire contractual capacity to enter into an agreement to use digital services?

Section 35 of the Civil Law Act 1909 clarifies that contracts entered into by a minor who has reached 18 years of age are generally valid as if he were of full age. This would apply to contracts for the use of digital services.

Do consumer protection rules apply to children?

Yes.

There are no carve-outs for children under the various consumer protection related laws in Singapore, such as the Consumer Protection (Fair Trading) Act 2003 and the Unfair Contract Terms Act.

Are there any consumer protection rules which are specific to children only?

No.

N/A

Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services?

No.

N/A

Online Digital Safety

Are there any age-related restrictions on when children can legally access online/ digital services?

No.

While there are no age restrictions on when children can legally access online digital services, please refer to this question on the minimum age for contracts, this question for the minimum age to be able to provide consent for the collection, use and disclosure of personal data, and this question for age verification restrictions relating to video streaming content.

Are there any specific requirements relating to online/ digital safety for children?

Yes.

The Online Safety Code, which only applies to designated social media services, includes requirements relating to online safety for children. For further information, see the response to this question.

The Info-Comm Media Development Authority introduced a new Code of Practice for Online Safety - App Distribution Services which came into effect on 31 March 2025 (“ADS Code”). The ADS Code requires designated app distribution services to implement proactive measures aimed at enhancing online safety, including age assurance measures to protect those under 18 years old from harmful content on apps made available on their service.

Are there specific age verification/ age assurance requirements concerning access to online/ digital services?

Yes.

In relation to online video streaming content, the Info-Comm Media Development Authority’s Content Code for Over-the-Top, Video-on-Demand and Niche Services requires such services to implement a reliable age verification mechanism before offering video content rated R21 and above.

There are no other specific age verification / age assurance requirements of more general application, although the Personal Data Protection Commission’s (PDPC) Guidelines on Children mention that the PDPC supports the use of age assurance methods for the purpose of conforming to the Guidelines, including age verification or estimation methods to ascertain the user’s age, so that organisations can implement relevant safeguards when the user is a child.

Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?

Yes.

The Code of Practice for Online Safety, which only applies to designated social media services, requires that such social media services provide children or their parents with access to tools that enable them to manage children's safety, and effectively minimise children’s exposure to, and mitigate the impact of, harmful and/or inappropriate content and unwanted interactions on the service. In addition, unless the service restricts access by children, children must be provided with differentiated accounts whereby the settings for the tools to minimise exposure and mitigate impact of harmful and/or inappropriate content and unwanted interactions are robust and set to more restrictive levels that are age appropriate by default. Children or their parents must be provided clear warnings of implications if they opt out of the default settings.

Has there been any regulatory enforcement action concerning online/ digital safety?

No.

N/A

Artificial intelligence

Are there any existing requirements relating to children and AI in your jurisdiction?

No.

However, to the extent that AI involves the processing of personal data, the Personal Data Protection Act and the guidelines issued by the Personal Data Protection Commission (including the Guidelines on Children mentioned above) would apply.

Are there any upcoming requirements relating to children and AI in your jurisdiction?

No.

N/A

Other issues relating to children's use of digital services

Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services?

No.

N/A

Are there any other existing or upcoming requirements relevant to children’s use of digital services?

No.

In relation to online streaming video services, the Info-Comm Media Development Authority’s Content Code for Over-the-Top, Video-on-Demand and Niche Services requires that such content be rated according to the Film Classification Guidelines and that any content rated NC16 (no children below 16 years of age) or higher only be provided behind parental locks.

Contributors

Jeremy Tan Partner, Singapore

Elaina Foo Partner, Singapore