As reported in our previous Newsflash (available here), the Personal Data (Privacy) Amendment Ordinance (the "Amendment Ordinance") was passed on 27 June 2012. The Amendment Ordinance contains a number of new provisions regulating the use of personal data in connection with direct marketing activities, which tighten the regulation of direct marketing activities in Hong Kong.
While most of the provisions in the Amendment Ordinance have already been implemented, the provisions relating to direct marketing are set to come into effect on 1 April 2013 (the "Commencement Date"). In order to provide guidance for organisations on compliance with the new direct marketing provisions, the Privacy Commissioner for Personal Data (the "Commissioner") published a guidance note on 15 January 2013, titled "New Guidance on Direct Marketing" (the "Guidance Note").
To a large extent the Guidance Note follows the recommendations contained in the Direct Marketing Guidance Note issued by the Commissioner in 2010 (and revised in 2012). There are a number of important differences, the most significant of which relate to the consent and notification requirements under the new direct marketing provisions. The Amendment Ordinance requires organisations that collect personal data ("data users") to communicate to individuals from whom they collect such data ("data subjects") certain information together with an opt-out facility before they use such data for direct marketing. Further, in a change which is set to affect the data collection practices of many data users in Hong Kong, the Guidance Note makes it clear that consent must be explicit and cannot be inferred from silence or inaction on the part of the data subject.
We highlight below the major recommendations set out in the Guidance Note, and discuss the implications for organisations that conduct direct marketing in Hong Kong.
What constitutes direct marketing?
Not all marketing activities will fall under the definition of "direct marketing". Marketing communications will only be classified as "direct marketing" where they are addressed to a specific person by name or where a phone call is made to a specific person. Marketing activities such as door to door sales, direct mail sent to the "householder" or cold calls to unidentified individuals do not fall under the definition of "direct marketing" and are not regulated under the Personal Data (Privacy) Ordinance.
Before using personal data for direct marketing purposes, the Amendment Ordinance requires that data users provide the following notification to the relevant data subjects:
- that the data user intends to use the data subject's personal data for direct marketing purposes and that it cannot do so without the data subject's consent;
- the types of personal data they will use for direct marketing purposes (e.g. name, phone number, residential address, email address etc.); and
- the categories of goods/services that will be marketed (e.g. financial services, insurance services, telecommunications services etc.).
Data users should avoid vague and loose terms which prevent the data subject from ascertaining, with a reasonable degree of certainty, the goods/services to be marketed or the classes of transferees. The Guidance Note makes it clear that descriptions such as "retail services and products", "all goods and services offered by X Company" or "goods and services provided by X and its related parties, agents, contractors and suppliers" would not be sufficiently specific to satisfy the notification requirement.
While the Amendment Ordinance does not prescribe any particular method for providing the necessary notification to data subjects, it is usual practice for the notification to be contained in a written Personal Information Collection Statement ("PICS"). The Amendment Ordinance requires the notification to be easily understandable and where the notification is provided in writing, easily readable. Data users should therefore ensure that the PICS is drafted in clear and simple language, and is displayed in a manner which makes it easy to identify and read (e.g. with clear headings, a reasonable font size and not buried amongst other terms and conditions).
While data users are only required to inform data subjects of the above information before using their personal data for direct marketing purposes, the Guidance Note recommends data users send this notification to data subjects as early as possible (ideally at the time of collection).
Provided that the personal data will not be transferred or sold to a third party for direct marketing purposes, the notification can be provided orally or in writing. Where a data user intends to transfer/sell personal data to a third party for direct marketing purposes, data users must provide data subjects with written notification of:
- the data user's intention to transfer the data subject's personal data for direct marketing purposes (and that it cannot do so without consent);
- the type of personal data to be transferred;
- the classes of transferees;
- the categories of goods and services that may be marketed by the transferee(s); and
- their intention to sell the personal data or otherwise transfer such data for gain (where applicable).
Data users must also provide a response facility through which data subjects can indicate their consent (or otherwise) to their personal data being used for direct marketing, e.g. a tick box or website for data subjects to opt-out/in of direct marketing, or a specific address or telephone number that data subjects may use to opt-out (as discussed in more detail in relation to consent below).
The existing requirement for data users to inform data subjects of their right to withdraw consent when using personal data for direct marketing for the first time has been retained. Data users must therefore provide notification twice – once before the data is used for direct marketing purposes, and once when the data is used for such purposes for the first time.
In addition to providing the requisite notification to data subjects outlined above, data users must also obtain consent (which includes an indication of no objection) from data subjects before using personal data for direct marketing. There was much uncertainty following the passing of the Amendment Ordinance as to whether the consent required would take the form of an opt-out or opt-in provision. The Commissioner has made it clear in the Guidance Note that consent cannot be implied by silence and an explicit indication of consent/no objection must be obtained. For example, consent would be obtained where a data subject leaves an opt-out box unticked on a form that he/she signs and returns to the data user, or where, during a phone call, the data subject states that he/she is interested in the products/services offered and would like the data user to send further information to an address. Consent would not be obtained where a data user sends a notification and opt-out facility to a data subject and receives no response from the data subject.
Consent can be given either generally (i.e. for all direct marketing activities) or selectively (e.g. only in relation to marketing via one or more specified means, only in relation to particular categories of goods/services, or only permitting particular categories of personal data to be used). Although not mandatory, the Guidance Note recommends that data users design their response facility to allow data subjects to provide selective consent.
Data users should avoid "bundled consent", i.e. omitting a separate direct marketing opt-out/opt-in tick box or signature panel, so that data subjects are forced to choose between forgoing the goods/services offered and agreeing to the use of their personal data on the terms prescribed by the data user.
The form of the consent depends on whether the data user intends to transfer/sell the personal data to a third party. Consent can be obtained either orally or in writing if the data user intends to use the personal data for its own direct marketing purposes, but written consent must be obtained if the data user intends to transfer/sell the personal data to a third party for use by the third party for marketing purposes. Where consent has been obtained orally, data users must write to data subjects within 14 days of receiving such consent to confirm:
- the timing of the consent;
- the personal data that the consent relates to; and
- the classes of goods/services that may be marketed.
Should the data user fail to deliver the written confirmation (including where the written confirmation is returned undelivered), the oral consent will not satisfy the requirement for consent under the Amendment Ordinance. While not a requirement under the Amendment Ordinance, the Guidance Note recommends that data users include their contact information in the confirmation, to enable the data subject to dispute it, and then wait for a reasonable period (e.g. 14 days) to allow the data subject to object before using the data for direct marketing purposes.
Data users are only permitted to use the personal data in a manner and for purposes as described in the notification. Fresh consent must be obtained if the personal data is to be used in a manner which is outside the scope of the original notification/consent (e.g. where the data user intends to market different goods/services).
Existing personal data – grandfathering arrangement
The notification and consent requirements for direct marketing under the Amendment Ordinance do not operate on a retrospective basis. Personal data collected before the Commencement Date shall be exempt from these new direct marketing requirements provided that:
- the data subject was explicitly informed (in an easily understandable/easily readable manner) of the intended use of his/her personal data for direct marketing purposes for specific categories of goods/services;
- the data user has used the data for such direct marketing purposes before the Commencement Date;
- the data subject has not withdrawn consent to such use; and
- the use is not in contravention of the existing requirements under the Personal Data (Privacy) Ordinance at the time of such use.
The burden of proof in establishing that the above requirements have been met falls with the data user seeking to rely on the grandfathering provision. It is therefore important that appropriate evidence as to the satisfaction of the requirements is retained by data users.
Data users should note the limitations of the grandfathering arrangement as it only applies to the extent that existing data is used to market the same class of goods/services following the introduction of the Amendment Ordinance, and does not apply where existing data is to be transferred/sold to a third party. In addition, while the arrangement applies to minor updates to existing personal data (such as updating the residential address of a data subject), it is unlikely that it will apply to more significant amendments (e.g. acquiring new data when updating the data subject's customer profile).
Breaches of the new direct marketing provisions attract significantly higher penalties than those applicable before. A maximum penalty of a HK$500,000 fine and 3 years' imprisonment applies where the data user uses personal data for its own direct marketing purposes, or transfers personal data to a third party for direct marketing purposes, in contravention of the new requirements. Where the data user sells (or otherwise transfers for gain) the personal data to a third party for direct marketing purposes in contravention of the new requirements, the maximum penalty increases to a HK$1,000,000 fine and 5 years' imprisonment. This is a significant increase from the maximum fine of HK$10,000 that applied to breaches of the direct marketing requirements under the previous regime.
Implications for businesses
The new direct marketing requirements introduced by the Amendment Ordinance will have serious implications for the way in which data users in Hong Kong handle personal data of customers when conducting direct marketing. Now that the Commissioner has issued guidance setting out how his office intends to interpret and enforce the new direct marketing requirements, this is a good time for data users to review their practices relating to direct marketing to ensure that they comply with the new requirements (e.g. revising personal information collection statements, forms used to collect personal data and opt-out/opt-in facilities).
Data users should carefully review their practices and consider whether the grandfathering arrangement would apply to them. The grandfathering arrangement requires that data subjects have been explicitly informed of the data user's intention to use the data subjects' personal data for direct marketing in relation to specific class(es) of goods/services. On a strict reading of this requirement a notification stating that the data subjects' personal data may be used for direct marketing purposes (without specifying the categories of goods/services to be marketed) would not satisfy this requirement. There is also a requirement for the notification to have been easily understandable, and if in writing easily readable, which means that the grandfathering arrangement may not apply where a Personal Information Collection Statement has been provided in very small font or buried amongst other terms and conditions. The Commissioner has not issued any guidance in this respect and it remains to be seen how these requirements will be applied in practice. If the requirements are strictly interpreted, it is quite likely that many data users in Hong Kong will not be able to rely on the grandfathering arrangement and will be required to comply with the new direct marketing requirements in respect of all personal data (whether for new or existing clients/customers).
In order for data users to comply with the new requirements for new clients/customers, they will need to ensure that the forms used to collect personal data comply with the new notification requirements (e.g. providing a PICS setting out the information outlined above as well as an opt-out facility) and that their direct marketing activities do not extend beyond the scope of such notification/consent (e.g. that they do not market different categories of goods and services, or continue marketing to a data subject that has opted-out). Where a form containing the necessary notification and an opt-out facility is provided to a customer and the customer returns the form without exercising his/her right to opt-out, the requirements will have been complied with and the data user will be able to use the personal data for direct marketing purposes as set out in the notification.
The situation becomes more complicated when attempting to comply with the new requirements for existing customers (e.g. where the grandfathering arrangement does not apply). The Guidance Note makes it clear that a positive indication of consent/no objection is required and consent may not be deemed from silence or inaction. This means that in order to comply with the new requirements for existing data, data users will need to send a notification and opt-out facility to existing customers and may only use the personal data of such customers if they receive a reply from the customer indicating that they consent/do not object to such use. This presents huge practical difficulties given that a large percentage of existing customers are unlikely to respond, which would potentially significantly reduce the data user's marketing pool. Steps may be taken to increase the likelihood of existing customers providing a response (e.g. providing a pre-paid return envelope or some form of discount or incentive for customers to reply), but such steps are unlikely to be effective in all cases.
Where the grandfathering arrangement applies, data users will have to implement and manage two systems for handling personal data (one for pre-existing data and one for new data), which creates an administrative burden and may result in confusion as to how a particular piece of personal data should be treated. Marketing activities using pre-existing data would have to be carefully monitored to ensure that no new goods/services are marketed using such data without first complying with the notification/consent requirements under the Amendment Ordinance.
In order to minimise the risk associated with the grandfathering arrangement, data users may wish to comply with the new requirements for existing customers so as to avoid having to rely on the arrangement at all, for example by placing a notification/opt-out facility on all forms sent to existing customers (such as change of details forms and membership renewal forms), and/or by sending a notification/opt-out facility to existing customers together with a pre-paid reply envelope and a discount for those customers who respond.
It is expected that the Commissioner will pay close attention to compliance with the new direct marketing requirements following their implementation. Given this and the higher penalties applicable to such requirements, data users should take the time to review their direct marketing practices and implement the necessary changes to ensure compliance with the new requirements prior to the Commencement Date.