Privacy Advisor

New Privacy Requirements for Direct Marketing—Are You Compliant?

March 1, 2013

By Sara Or

Part VIA of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) sets out new direct marketing requirements. Part VIA will tentatively commence on 1 April. In anticipation of Part VIA commencing, the Privacy Commissioner for Personal Data (PCPD) has issued a Guidance Note on Direct Marketing. The Guidance Note will take effect when Part VIA commences.

It is essential to be aware of the new requirements under Part VIA of the PDPO when collecting personal data from clients for direct marketing. Failure to comply may result in offences and civil liability. The Guidance Note is intended to assist businesses to understand these requirements and how to comply.

In a nutshell, before using personal data in direct marketing, the data user must inform the data subject that it intends to use his personal data in direct marketing, inform him of the kinds of personal data to be used and the types of services and products to be marketed, and provide a response channel, free of charge, through which the data subject can communicate consent or no objection. If the data user intends to provide any personal data to another person for that person to use in direct marketing, the data user must inform the data subject that it intends to provide personal data to another person for use in direct marketing, the kinds of personal data to be provided, the classes of persons to whom the data may be provided, the types of services and products to be marketed, and that the data is to be provided in return for money or other property—if that is the case—and provide a response channel, free of charge, through which the data subject can communicate written consent or no objection. In either case, the data user is not allowed to use or provide personal data for direct marketing unless it has received the data subject's consent or no objection.

Collecting personal data for direct marketing

  • Not to collect excessive personal data: Data Protection Principle (DPP) 1(1) provides that only necessary, adequate and not excessive personal data is to be collected for a lawful purpose directly related to a function or activity. Data users should only collect personal data necessary for a lawful purpose and collect additional data for direct marketing on a voluntary basis.

Example: It is not necessary for a bank to collect personal data about a customer’s marital status and education level when opening a bank account. If the bank wants to collect that data for marketing, it should inform the customer it is voluntary to provide this data.

  • Collection by means that are fair and lawful: DPP1(2) provides that personal data should be collected by means which are lawful and fair. The data user should not use deceptive means to collect personal data.

Example: It is not considered a fair means of collection to offer free gifts to passers-by to attract them to fill in questionnaires when the true purpose is to collect their personal data for direct marketing.

  • Data subject to be informed of the purposes and classes of transferees: DPP1(3) requires a data user to take all reasonably practicable steps to inform the data subject, on or before collection, of the purposes for which the data may be used, whether it is voluntary or obligatory to provide the data—and, if obligatory, the consequences of not providing the data—and the classes of persons to whom the data may be transferred. It is prudent to provide this information by way of a written notice, often called a Personal Information Collection Statement (PICS).

To ensure that the PICS is validly communicated to data subjects, it should be written in language easy to understand, presented in a conspicuous manner and printed in a font size that is easy to read with normal eyesight.

  • Obtaining consent or no objection on application forms: It would be unfair if service application forms are designed in such a way that the customer is forced to choose between providing his personal data for direct marketing or giving up the service (“bundled consent” situations). The application forms should allow data subjects to indicate separately whether they agree to provide personal data for direct marketing on a voluntary basis.

Use of personal data in direct marketing by data user itself

  • When to inform? The data user should inform the data subject as early as possible of the intention to use his personal data for direct marketing. Where possible, this should be done on or before the personal data is collected from the data subject.
  • What to inform and provide? The data user must inform the data subject:
      • That the data user intends to use his personal data for direct marketing;
      • That the data user may not do so without the data subject’s consent or no objection;
      • The kinds of personal data to be used;
      • The kinds of products and services to be marketed, and
      • Provide a response channel free of charge to enable the data subject to communicate his consent or no objection.

It is acceptable to obtain the data subject’s no objection (opt-out).

Example: The data user can inform the data subject in a service application form that “we intend to use your name, telephone number and address for direct marketing of credit card and insurance products and services, but we cannot use your personal data in this way without your consent or no objection. Please tick the box at the end of this form before your signature if you do not wish us to use your data in direct marketing.”

  • How to inform? The information must be presented in a manner that is easily understandable and, if in written form, easily readable.

Example: Do not use vague and loose terms like “marketing goods and/or services by us, our agent, our subsidiaries, or our partners” or bury the information in small print which is difficult to read with normal eyesight.

  • Not to use personal data in direct marketing without data subject’s consent or no objection: This requirement applies regardless of whether the data was collected directly from the data subject. Where consent or no objection is provided orally, it should be confirmed in writing within 14 days. Please note, however, that consent or no objection for a data user to provide data to another person for that person to use in direct marketing must be obtained in writing.
  • Using personal data in direct marketing for the first time: When using personal data in direct marketing for the first time, the data user must notify the data subject of the right to request the data user to cease using personal data for direct marketing free of charge.

Example: When sending marketing information to a data subject for the first time, the data user should highlight this opt-out right and provide a link for the data subject to make the request. In practice, data users often include the opt-out language in all marketing pamphlets to dispense with the need to record the first time of use with respect to each data subject. In any case, a data subject has the right to opt-out from direct marketing at any time notwithstanding any previous choice to give consent.

  • How to comply with opt-out rights: A data subject may at any time request the data user to stop using personal data in direct marketing. To comply with this requirement effectively, the data user should maintain an updated list of all customers who have opted-out and stop using their data in direct marketing.

Providing personal data to others for use in direct marketing

  • Informing the data subject: The data user must inform the data subject in writing of the intention to provide his personal data to another person for that person to use in direct marketing and must obtain his written consent or no objection. Verbal consent or no objection is not sufficient for this purpose.
  • What is in the notice? The written notice must include:
      • The data user intends to provide the personal data to another person for use in direct marketing;
      • The data user may not do so without the data subject’s written consent or no objection;
      • The personal data is provided “for gain”; i.e., in return for money or other property, if that is the case;
      • The kinds of personal data to be provided;
      • The classes of persons to which the data may be provided;
      • The kinds of products and services to be marketed, and
      • Provide a response channel free-of-charge to enable the data subject to communicate written consent or no objection.
  • For gain: The data user must explicitly inform the data subject if personal data is provided to another person “for gain.” “For gain” means providing personal data in return for money or other property.

Example: It would be considered providing data “for gain” if the data user may obtain a commission by providing the personal data to another person, irrespective of whether the payment of the commission is contingent on any condition.

  • Transfer to partners/associates: The requirements apply even if the personal data is transferred to a subsidiary or associated company. When transferring personal data to a partner company for cross marketing, the data user should ensure that it has obtained the data subject’s consent or no objection before transferring any personal data.
  • Exception: These requirements do not apply if personal data is provided by a data user to its agent for marketing on behalf of the data user.

In complying with the requirements of Part VIA, businesses should be open and transparent about the use or provision of data to others to use in direct marketing. They should clearly inform the data subjects of the matters prescribed in Part VIA—including the fact that data is provided to others for gain, if that is the case—to enable the data subjects to make an informed decision. They should also provide a free-of-charge response channel and obtain the data subjects' consent or no objection before using or providing their data to others for use in direct marketing.

Sara Or is a partner of Mayer Brown JSM. She advises on securities, banking, commodities and insurance regulations, compliance, licensing and other regulatory matters including the use of electronic means for delivery of financial services.