Privacy Ninja




Spam Control Act: 4 best practices organizations must consider


Spam Control Act, a closer look

Under the revised edition of Act 21 of 2007, the Spam Control Act is defined as an Act to provide for the control of spam, which is unsolicited commercial communications sent in bulk by electronic mail or by text or multi-media messaging to mobile telephone numbers, and to provide for matters connected therewith.

Some might say that the Spam Control Act is similar to the Do Not Call regime in the PDPA. The difference is that the Spam Control Act is about sending unsolicited messages in bulk to users through e-mail or mobile numbers, while the Do Not Call provision is about sending specified telemarketing messages to Singaporean telephone or mobile numbers without checking the Do Not Call Register or getting clear and unambiguous consent.

Like the Do Not Call provision in the PDPA, when it can be proven that an individual has suffered loss or damage as a result of a contravention of the Spam Control Act, a fine can be imposed, ranging from 25 SGD per message up to 1,000,000 SGD. To avoid this, here are the best practices organizations should consider:

Best Practices for Organizations

A message is considered spam if it is an unsolicited commercial electronic message sent in bulk to someone who did not give their informed consent to receiving it. Those who follow these electronic marketing guidelines will be considered to have made proper or legitimate use of this critical communication channel.


Electronic marketing guidelines

Requirements for compliance with spam control regime

1. The Spam Control Act regime provides a framework for spammers to follow, whether for mobile phones or through e-mail. This framework tells the spammers that they must offer users an unsubscribe option, and they must put labels to mark a message as spam.

Furthermore, under this regime, the use of dictionary attacks in spam or address harvesting software is prohibited.

With this, failure to follow these guidelines and prohibitions may lead to civil penalties for the spammer.

2. Unsubscribe facility

To comply with the Spam Control Act regime, each spam message must have the following:

  • Contact information – This can be in the form of a telephone number, a facsimile number, an Internet location address, an e-mail address, or a postal address that the recipients of the spam messages can submit their unsubscribe requests to. It is suggested that this contact information should be within the spam e-mail or the mobile spam message where the users can unsubscribe.
  • Clear statement – There should be a statement telling recipients that they can use the contact information in the spam e-mail to unsubscribe if they want to. The statement should be written mainly in English; it may appear in two or more languages, but at least one of them must be English.

The contacts included in the spam e-mails should be valid for at least 30 days. This means that the spammer should be able to receive unsubscribe requests from the recipients within that period. Furthermore, recipients should not be charged more than the typical cost for sending such unsubscribe requests.

Once the recipient sends an unsubscribe request, the spammer should remove the recipient’s electronic mail address or mobile phone number from the mailing list within ten (10) days. Any spammer who receives the unsubscribe request should not disclose the recipient’s personal information except when permitted by the recipient.

3. Labelling and other requirements
The simple courtesy of correctly informing the recipients about the content of the message is responsible marketing. With this, each spam sent to the recipients should have:

  • If the message has a subject field, it has a correct and non-misleading title in the message’s subject field.
  • There’s an "<ADV>" label before the message’s title, which indicates that the e-mail is an advertisement. In cases where there is no subject field, there should be an "<ADV>" label before the actual content of the message.
  • Correct and non-misleading header information where applicable.
  • An accurate and functional telephone number or e-mail address where the recipient can easily contact the spammer.

4. Do Not Call (DNC) Registry and the Spam Control Act

Telephone and mobile phone numbers registered under the Do Not Call (DNC) Registry should not be disturbed with spam or other telemarketing messages in the form of voice calls, text or fax messages. Organizations must make sure that they comply with the DNC Provisions in Part IX of the Personal Data Protection Act 2012 or face a fine.
