Did you know?
It is a criminal offence, punishable by fine and imprisonment, to use a customer’s personal data for direct marketing without their consent. It is also an offence to transfer customers’ personal data to third-party business partners for the purposes of direct marketing, whether or not for payment, without the data subject’s consent.
The direct marketing provisions under the Hong Kong Personal Data (Privacy) Ordinance (PDPO) are unique compared with other data protection laws in the world, such as the GDPR. The Hong Kong Privacy Commissioner takes breaches of the PDPO, such as breach of the direct marketing provisions, very seriously. Recent convictions for direct marketing offences are a reminder of the risks that businesses run if they ignore the rules on direct marketing.
Breach of certain provisions of the PDPO relating to direct marketing is punishable by a fine of up to HK$1 million, and imprisonment of up to five years, depending on the nature of the breach.
Why does this matter to you?
Many businesses are not in compliance with the law even though direct marketing is a common business practice in Hong Kong. Businesses collect and use personal data for the purpose of offering, or advertising the availability of, goods, facilities or services. In addition, the data may often be transferred to third parties for direct marketing purposes. The sharing or transferring of personal data from a company to its parent, subsidiary, affiliated, related or other company within the same group of companies, whether located in or outside of Hong Kong, will still be regarded as “transferring to third parties” and, as such, the transfer will still need to comply with the requirements of the PDPO.
It is important to note that the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes is also regarded as direct marketing under the law.
Before you use your customers’ personal data for direct marketing purposes, it is important to be aware that you must obtain the customer’s prior explicit consent and the law requires you to provide certain specified information to them.
“Consent” must be an explicit agreement by the customer that he consents, or does not object, to the use or provision of his personal data for use in direct marketing.
Of course, not every marketing activity falls within these provisions, but many do. The PDPO defines “direct marketing” as sending information or goods by mail, fax, electronic mail or other means of communication to specific persons addressed by name, or making telephone calls to specific persons. Therefore, a telecommunications service provider telephoning existing customers to offer upgraded services, or a beauty salon calling a specific person with a free beauty treatment offer, are examples of direct marketing. As the law is very broad, it is important to note that website behavioural tracking may in some cases be considered as direct marketing.
Last year, a telecommunications company was convicted of failing to comply with a request from a data subject to cease using his personal data in direct marketing. A car company was also convicted of failure to notify two data subjects, and obtain their consent, before using their personal data in direct marketing. The data had actually been obtained from the records of the Transport Department. The company also committed an offence by failing to inform the data subjects of their right to request that their personal data should not be used in direct marketing.
Increasing public awareness of data privacy issues, and customer fatigue with unwanted marketing approaches, mean that there is a higher risk of complaints being made. Businesses should review their practices to ensure that they are compliant with the direct marketing requirements and other provisions of the PDPO.
Please contact Deacons if you wish to know more about how your company can comply with the PDPO’s direct marketing legal requirements.