Why this applies to your ads specifically
The moment a Meta lead form or your landing-page form captures someone's name and phone number, you are collecting personal data — and how you then store it, use it and follow up is within PDPA's scope. The two highest-risk points for advertisers are the capture (did you tell them what you'll do with their data and get consent?) and the follow-up (are you contacting them for things they agreed to?). Get those two right and you have handled the bulk of practical risk.
The practical checklist
| Obligation | What it means in practice |
|---|---|
| Consent notice at capture | A clear line on the form stating what data you collect and how you'll use it (e.g. to contact them about their enquiry). |
| Purpose limitation | Use the data for what you said — not to spam unrelated offers. |
| Reasonable security | Store lead data securely; limit who can access it; don't leave it in open spreadsheets. |
| Access & correction | Be able to honour a request to see or correct someone's data. |
| Retention discipline | Don't keep personal data longer than you need it. |
Consent wording that does the job
You do not need legalese. A short, plain line on the form — stating that you'll use the details to respond to their enquiry and how they can opt out — covers the practical intent of consent far better than a buried policy nobody reads. For clinics collecting health-adjacent interest, be especially clear, since that data is more sensitive. Link to a fuller privacy policy for the detail.
The follow-up trap
The most common practical slip is follow-up creep: someone enquires about one treatment and ends up on a broadcast list for unrelated promotions they never agreed to. Keep follow-up tied to what they enquired about, honour opt-outs promptly, and if you serve Singapore too, note that Singapore adds the DNC Registry on top of PDPA (SG) — a separate, stricter regime for calls and SMS.
What we do differently in client accounts
We build a consent line into every lead form we create, keep follow-up sequences tied to the enquiry purpose, and store lead data with sensible access limits — practical PDPA hygiene as a default, not an afterthought. For clients running MY and SG, we handle the DNC/PDPA (SG) layer separately (covered in our Singapore programmes). None of this is legal advice — for anything contentious we point clients to a qualified adviser.
What to do about it
- Add a clear consent line to every lead form (what you collect, how you'll use it, how to opt out).
- Keep follow-up tied to the enquiry purpose; honour opt-outs promptly.
- Store lead data securely with limited access; don't over-retain.
- Confirm current PDPA requirements (and any recent amendments) with a qualified adviser.