Marketers face rising data liability as Singapore eyes AI rules
Proposed guidance would require AI-specific notices whilst keeping brands accountable for customer data handled by vendors.
Singapore’s proposed generative artificial intelligence guidelines could raise the compliance burden on marketers by tightening expectations around consent, customer notices and accountability for third-party vendors.
Marketing teams using transaction histories, viewing habits or other personal information to train AI models or personalise services would first need to establish whether customers had consented to that specific use.
“Did we obtain consent from the consumer in question before we can use their data?” said Steve Tan, Steve Tan, Deputy Head of Technology, Media, and Telecommunications at Rajah & Tann Singapore LLP.
Broad privacy notices covering marketing preferences may no longer be sufficient. Under the proposed approach, brands would be expected to tell customers when an AI system will process their information and whether the data will be used for model training or to deliver a product or service.
Tan said Singapore’s data protection authority favours just-in-time notifications that appear when customer information is about to enter an AI system. These notices could supplement existing privacy policies and allow users to make an informed choice or withdraw consent.
The greater exposure, however, lies in accountability. Brands may use third-party AI models, software platforms or data-processing providers, but responsibility for protecting customer information remains with the company that collected it.
“That responsibility and risk in terms of the need to protect that personal data of your customer does not lie with that particular model developer,” Tan said. “It lies with you, the brand company.”
A cyberattack on a vendor’s network could therefore still trigger regulatory scrutiny of the brand. Contracts may allow companies to recover losses or penalties caused by vendor negligence, but they do not remove the brand’s obligations under data protection law.
Tan added that companies must also determine when customer information and AI-generated insights should be retained, destroyed or securely deleted.
The proposed guidance shifts the marketing debate beyond whether AI improves targeting. It also puts greater emphasis on whether brands can explain, secure and account for the data behind their campaigns.
Commentary
Singapore’s AI ambition has an intelligence problem
Singapore is deploying AI at speed – and security risks are catching up
Precious metal boom is a stress test for Singapore’s gold ambitions
Singapore’s global dispute fault lines
‘Tokenmaxxing’ – The wrong AI race to run in Singapore
To outsmart modern fraud, we must first know the enemy
Why Singapore SMEs cannot wait for quantum cyber risk to arrive before securing data
Is Singapore's emphasis on long-term security and stability hindering purpose-driven employees?
When Singapore's agentic AI ‘chefs’ arrive, will the kitchen be ready for them?