Direct marketing is a common business practice in Hong Kong. It often involves the collection and use of personal data by an organisation for direct marketing itself and, in some cases, the provision of such data by the organisation to another person for use in direct marketing. In the process, compliance with the requirements under the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (“PDPO”) is essential.

The PDPO does not regulate all types of direct marketing activities. It defines “direct marketing” as:

“(a) the offering, or advertising of the availability, of goods, facilities or services; or

(b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes, through direct marketing means.”

“Direct marketing means” is further defined to mean:

“(a) sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or

(b) making telephone calls to specific persons.”

Hence, “direct marketing” under the PDPO does not include unsolicited business electronic messages sent to telephones, fax machines or email addresses without being addressed to specific persons by name, and person-to-person calls made to randomly generated phone numbers (this is regulated by the Unsolicited Electronic Messages Ordinance (Chapter 593 of the Laws of Hong Kong)).

A data user who intends to use a data subject’s personal data in direct marketing must take specific actions which include: 

  • inform the data subject of the data user’s intention to use the personal data in direct marketing;
  • provide the data subject with the prescribed information;
  • not use the personal data in direct marketing without the data subject’s consent;
  • notify the data subject of his/her right to request the data user to cease to use the data in direct marketing when using his/her personal data for the first time;
  • cease to use personal data in direct marketing when so requested by the data subject; and
  • retain opt-out lists and records of consent.

In complaint case no. 2014C11, the Complainant engaged the storage service of Company A and provided it with his personal data including his name, credit card number, mobile phone number, company email address managed by him and current residential address. Subsequently, Company A ceased its business in Hong Kong, and the business was taken over by Company B which provided a similar storage service. Thereafter, Company B sent a direct marketing email to the Complainant addressing the Complainant by his name and enclosing a storage service quotation with the terms and conditions of the service. The Complainant had no prior dealings with Company B and he had not been informed of, or given consent to, Company B’s use of his personal data in direct marketing. Company B was charged with the offence of using the personal data of the Complainant in direct marketing without taking the specified actions, contrary to section 35C(2) of the PDPO. Company B pleaded guilty to the charge and was fined HK$10,000.