The use and disclosure of personal data for direct marketing purposes is strictly regulated in Hong Kong under the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (the “PDPO”). Data users must ensure that they comply with the direct marketing regime in order to avoid significant fines and/or imprisonment for privacy breaches.
Direct marketing and the PDPO
Under the PDPO, “direct marketing” is the offering, or advertising of the availability, of goods, facilities or services through direct marketing means (i.e. sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or making telephone calls to specific persons). The PDPO further sets out a number of obligations that a data user must comply with before it may use a data subject’s personal data for direct marketing purposes. For example, one such requirement is that data users who intend to use a data subject’s personal data in direct marketing must, before using such personal data in direct marketing: (i) inform the data subject that the data user intends to so use the personal data and may not so use the data unless the data user has received the data subject’s consent to the intended use; (ii) provide the data subject with information in relation to the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used; and (iii) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use.
The Privacy Commissioner has issued a Guidance Note in relation to direct marketing and how the Privacy Commissioner proposes to interpret the PDPO’s direct marketing provisions. According to the Guidance Note and Privacy Commissioner cases, the kind of personal data to be used and the classes of marketing subjects in relation to which the data is to be used should be clearly specified with sufficient detail to enable data subjects to ascertain, with a reasonable degree of certainty, how, and by whom, their personal data could be used; loose and vague descriptions of purposes (e.g. “marketing goods and/or services”) and overly general descriptions of data transferees (e.g. “our affiliates”, “our subsidiaries”, “our partners” or “our third party vendors”) are not sufficient.
What is direct marketing consent?
As mentioned above, data users must also obtain the data subject’s “consent” to use personal data in direct marketing. The consent requirement is often the subject of contention, as the PDPO states that consent must be voluntary and not withdrawn, and includes an “indication of no objection”.