The use and disclosure of personal data for direct marketing purposes is strictly regulated in Hong Kong under the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (the “PDPO”). Data users must ensure that they comply with the direct marketing regime in order to avoid significant fines and/or imprisonment for privacy breaches.
Direct marketing and the PDPO
Under the PDPO, “direct marketing” is the offering, or advertising of the availability of goods, facilities or services through direct marketing means (i.e. sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or making telephone calls to specific persons). The PDPO further sets out a number of obligations that a data user must comply with before it may use a data subject’s personal data for direct marketing purposes. For example, one such requirement is that data users who intend to use a data subject’s personal data in direct marketing must, before using such personal data in direct marketing: (i) inform the data subject that the data user intends to so use the personal data and may not so use the data unless the data user has received the data subject’s consent to the intended use; (ii) provide the data subject with information in relation to the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used; and (iii) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use.
The Privacy Commissioner has issued a Guidance Note in relation to direct marketing and how the Privacy Commissioner proposes to interpret the PDPO’s direct marketing provisions. According to the Guidance Note issued by the Privacy Commissioner and Privacy Commissioner cases, the kind of personal data to be used and the classes of marketing subjects in relation to which the data is to be used should be clearly specified with sufficient detail to enable data subjects to ascertain, with a reasonable degree of certainty, how, and by whom, their personal data could be used, and that loose and vague descriptions of purposes (e.g. “marketing goods and/or services”) and overly general descriptions of data transferees (e.g. “our affiliates”, “our subsidiaries”, “our partners” or “our third party vendors”) are not sufficient.
What is direct marketing consent?
As mentioned above, data users must also obtain the data subject’s “consent” to use personal data in direct marketing. The consent requirement is often the subject of contention, as the PDPO states that consent must be voluntary and not withdrawn, and includes an “indication of no objection”.
When deciding whether or not such consent is “voluntarily” given, the Privacy Commissioner will take into account such factors as to whether the data subject is, in fact, free to choose between giving and withholding consent without fear of any adverse consequence, and whether the consent is “bundled consent” (where the data subject has no real choice not to give consent). According to the Guidance Note, an example of such “bundled consent” is where a data subject is provided with only one place to sign/accept the form, thus giving the data subject the choice between: (a) giving up the application; or (b) giving his “bundled consent” by agreeing to the terms and conditions of the service as well as the use of his personal data for direct marketing purposes (even if, in fact, he finds such use objectionable). The Guidance Note goes on to provide that a data subject’s agreement to the terms and conditions of the relevant service should be separate from the data subject’s consent to use his personal data for direct marketing purposes. This has been supported in subsequent Privacy Commissioner’s cases.
However, even if such consent is kept separate, if a data subject arguably has no real choice as to whether or not to give consent to use his personal data for direct marketing purposes (e.g. if it is a condition to enter into a competition to consent to receiving marketing emails), this would mean that, in this author’s view, it would be unlikely that the Privacy Commissioner would find that such consent had been “voluntarily” given. This is because, in the case of the present example, consent must be given by the data subject to enter the competition.
The issue of ‘no objection’
What then is an “indication of no objection”? According to the Guidance Note, the data subject must have explicitly indicated that he/she does not object to the use and/or provision of his/her personal data for use in direct marketing, and so consent cannot be inferred by the data subject’s non-response (silence does not constitute consent). For example, if a data subject is required to accept/object to direct marketing in a paper or electronic form, then normally the best course of action is to provide the data subject with an opportunity to check a box stating that the data subject does not object to the use of his/her personal data for direct marketing (in which case silence would be in favour of the data subject in the event the data subject did not read the wording and did not check the box). Normally, it would not be valid consent to provide the opposite (i.e. a tick box stating that the data subject does object to the use of his/her personal data for direct marketing, in which case silence would be in favour of the data user), since, as mentioned above, silence does not constitute consent. However, if such a tick box is combined with another confirmation by the data subject (e.g. signing and returning a form) which provides that the data subject has read and understood the data user’s notification regarding the collection, use, and provision of personal data, then this has been deemed acceptable.
Hefty fines for privacy breach
It is worth noting that, depending on the relevant breach of the PDPO’s direct marketing regime, the consequence of such breach can vary from fines as low as HK$10,000 (~US$1,300) and 6 months imprisonment, to as high as HK$1,000,000 (~US$130,000) and 5 years imprisonment. So before you send that email promoting your services, it’s worth bearing that in mind!