The New Guidance on Direct Marketing issued by the Privacy Commissioner for Personal Data provides practical guidance on data users’ compliance with the new regulatory requirements for direct marketing under the new Part VIA of Hong Kong’s Personal Data (Privacy) Ordinance which came into effect on 1 April 2013. In compliance with the new requirements in the Ordinance, many businesses are now seeking consent from clients and contacts to the receipt of future marketing material. We set out below an updated summary of the requirements under the new regime.
“Direct marketing” refers to the offering or advertising of the availability of goods, facilities or services as well as the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes through direct marketing means. “Direct marketing means” is defined as sending information or goods by mail, fax, electronic mail or other means of communication to specific persons addressed by name or making telephone calls to specific persons.
From the definitions above, not all marketing activities will fall under the definition of direct marketing. Marketing communications will fall under the ambit of the Personal Data (Privacy) Ordinance only if they are addressed to a specific person by name or a telephone call is made to a specific person.
Where personal data is collected from individuals in their official capacities and the individual is approached by a direct marketer at his office telephone or address for selling products or services targeted for the exclusive use of the corporation, the Commissioner would take the view that the direct marketing provisions would not apply.
Under the new regime, before personal data (such as contact details by telephone or address) is used for direct marketing purposes, data users are required to notify the data subject of the intention to use the data subject’s personal data for direct marketing. The obligation to notify applies regardless of whether the data user has collected the personal data directly from the data subject or from a third party. The notification should be done as early as possible, ideally at or before the time the personal data is collected.
A data user who intends to provide a data subject’s personal data to another person for use in direct marketing must also provide written notice to the data subject of his intention to do so and obtain written consent from the data subject to the intended provision. The notice must expressly indicate if the transfer of the personal data is being made for gain.
The data user must present information regarding the collection, use or provision of the personal data in the notification in a manner that is easily readable and understandable. The notice must specify, amongst other things, the kinds of personal data to be used or provided and the types of goods or services it relates to. The use of vague and loose terms should be avoided, such as “marketing goods and/or services by us, our agent, subsidiaries, or our partners” or “such types of services and products as the company may from time to time think fit”. In the case of transfer of data, the classes of persons to which the data is to be provided must also be specified.
Notwithstanding notification being given, no personal data may be used in direct marketing or be transferred without the data subject’s consent. The notification by the data user must provide a “response channel”, namely, the means for the data subject to communicate his consent to the intended use or provision for use of his personal data. The channel could be by way of telephone, fax, email or any other means.
“Consent” means an indication of no objection. The guidance note provides that there must be explicit indication that the data subject does not object to the use and/or provision of his/her personal data to another for use in direct marketing. Such consent cannot be inferred from mere silence.
Consent is thus validly given, for example, by ticking a box stating “I do not object to the use of my personal data for direct marketing of [XXX]” in an application form, or where the data subject has not checked the tick box indicating objection to receiving direct marketing materials but has signed and returned to the data user an agreement to the effect that the data user’s notification regarding collection, use and provision of personal data has been understood.
A data subject may provide consent verbally or in writing. Where an oral consent is obtained, a written confirmation must be sent to the data subject not later than 14 days after the oral consent was given to confirm the date of receipt of the consent, the personal data the consent relates to and the class of goods or services that may be marketed. In the case of transfer of data to another person, only written consent will be permitted.
Once consent is given to use the personal data for a particular purpose, the data user cannot use the personal data for another purpose without getting further consent from the data subject.
A data subject may at any time require a data user to cease to use his personal data in direct marketing, and the data user must, without charge to the data subject, cease to use the personal data concerned upon receipt of such notification.
Breach of the new direct marketing provisions constitutes an offence and on conviction may attract a fine or imprisonment. Where a data user uses personal data for its own direct marketing purposes in breach of the Ordinance, a maximum fine of HK$500,000 and 3 years’ imprisonment may be imposed. Where a data user provides personal data to a third party for use in direct marketing in exchange for gain in contravention of the provisions, a maximum fine of HK$1,000,000 and 5 years’ imprisonment may be imposed.
The Commissioner has urged all businesses to “get their house in order” by reviewing and developing standards and policies and procedures on the use or provision of personal data for direct marketing activities, including their customer relationship management systems, to ensure compliance with the new regulations.
Experienced lawyers in our litigation practice are able to advise and provide more detailed guidance in relation to the compliance with and/or obligations under the Personal Data (Privacy) Ordinance.