Direct marketing – which is essentially mass marketing via email, text messages, mail, etc. – has been an area of focus for the Privacy Commissioner for Personal Data (“Privacy Commissioner”) for some time now. The Personal Data (Privacy) Ordinance (“PDPO”) was amended last year and the direct marketing provisions will take effect on 1 April 2013. For our previous alert on the amendments, please click here.
The Privacy Commissioner, in line with the start of the new regime, released a new guidance note (“Guidance Note”), which provides practical tips and insight to assist organisations in complying with the regime. A complete copy of the guidance note can be found here.
In this alert, we look at key issues from the Guidance Note, such as:
- consent, including:
  - the concept of an “indication of no objection”, where some welcome flexibility is shown in the definition of consent;
  - “bundled” consent, which is not valid consent; and
  - the differences between general and selective consent, both of which are acceptable.
- clarification of key definitions, including:
  - “marketing subject” (this should be a specific description of the goods or services, including reference to distinctive features); and
  - “response channel”, which is required to allow subjects to communicate their consent or objection to the use of their data for direct marketing.
- direct marketing to a company’s employees, where it is addressed to the employee in his official capacity, which is not likely to be the focus of enforcement;
- guidance on the collection and use of personal data for direct marketing; and
- practical tips and examples of what will fall within the provisions. For example, an SMS sent to a mobile phone of a named individual will be direct marketing, whereas direct mail addressed to the “Occupant” is not.
I do? The all-important question of consent
Indication of no objection
The concept of consent has been one of the more vexed issues for organisations trying to ensure compliance with the direct marketing provisions. It is important to remember that the PDPO requires consent to be expressly provided – total inaction or silence on the part of the individual will not be sufficient for the purposes of consent. However, there is some flexibility in how the consent is obtained because the PDPO states that consent can include “an indication of no objection.” Exactly what was meant by that was unclear.
The Privacy Commissioner has now given clear guidance on what he thinks is required to constitute adequate consent. It is clear that silence will not be sufficient; however, the Privacy Commissioner goes on to say that what is required is an explicit indication that the data subject does not object to the use of their personal data for direct marketing. This is a slightly lower standard than explicit consent to the use of personal data. The difference is small but key, as some limited form of inaction by the data subject may still amount to valid consent (see the example below).
Some examples mentioned in the Guidance Note are:
[Table not reproduced.]
Even where consent has been provided, it is still open to customers to opt out of direct marketing, and they cannot be charged for the data user complying with that request. The Privacy Commissioner recommends the use of an opt-out list to ensure that customers who exercise their right to opt out are not contacted again for direct marketing purposes.
Data users are warned against “bundled” consent when collecting personal data. An example of bundled consent would be where a customer is required to consent to the collection of data for direct marketing in order to obtain other services from an organisation. The Commissioner’s view is that this would be unfair collection of personal data in breach of Data Protection Principle 1(2) which requires that data be collected in a fair manner.
Selective consent must be allowed
The PDPO also allows for consent to be general or selective. Selective consent means that the data subject can tailor their consent; for example, they could consent to the use of only certain personal data or could consent to the use of their personal data for specific marketing subjects only. In relation to this issue, the Guidance Note:
- suggests that data users advise customers they can provide selective consent if they wish. This is only best practice, as the PDPO does not require customers to be given the option. However, given that the suggestion is in the Guidance Note, doing this will no doubt be looked upon more favourably by the Privacy Commissioner;
- reminds data users that if general consent is sought (covering the use of all personal data and all specified classes or marketing subjects and classes of persons), but not obtained, there is then no consent for any use of the personal data; and
- recommends that for selective consent, customers should be provided with separate means by which to indicate:
  - each type of information which they consent to the use of for direct marketing; and
  - each class of marketing service in relation to which they consent to receive information.

The Guidance Note contains examples of notifications, one using the general consent option and another suggesting how selective consent could be sought.
How much data can be collected?
Data users should not collect more data than is necessary for the purpose of direct marketing. The Guidance Note suggests that the name and contact details of an individual should be sufficient for the purposes of direct marketing and information such as a Hong Kong Identity Card Number would not normally be required. The collection of HKID numbers is a topical issue in light of recent debate about whether it is personal data that should be protected. It is clear from the Guidance Note that the Privacy Commissioner’s view is that HKID numbers are not necessary for direct marketing purposes and collection of them should only be on a voluntary basis. That is not to say that they cannot be collected for another purpose at the same time as consent for direct marketing is sought, e.g. on opening of a bank account.
Direct marketing to corporations
A welcome concession has been offered where direct marketing is aimed at a company, and not an individual. Although not entirely clear, it has always been our view that:
- personal data of an employee which is obtained or provided in his official capacity within the company (for example, an authorised signatory, a director, a designated contact person, etc.) is nevertheless personal data to which the PDPO applies, and
- such personal data should not be the focus of regulatory scrutiny in the absence of serious abuse (for example, using the data for a purpose not related to the employee’s official capacity).
The Privacy Commissioner has indicated that he will take a pragmatic approach to this issue and that in clear-cut cases where the personal data is collected from individuals in their official capacities and the product or service being marketed is meant for the exclusive use of the corporation, his view is that “it would not be appropriate to enforce” the direct marketing provisions.
The Guidance Note gives the following examples:
[Table not reproduced.]
The new provisions require data users to provide very specific notice to individuals when they intend to use the data for direct marketing (this applies, even where the data is provided by a third party). The following should be included in the notice to individuals:
[Table not reproduced.]
In addition to this, data users are also required to notify individuals that the data user is not entitled to use their personal data without consent. This is a separate requirement in the provision, which data users must include in the notice. It will not be sufficient to rely on an implication that consent is required and that is why it is being sought.
There is some reprieve for organisations that already hold personal data and have used it for direct marketing purposes. In that situation the new notification and consent requirements do not apply to the continued use of that data, but there are conditions:
- You must have already informed the individual (in an easily readable form) of the intended use of the data, including the marketing subjects that it will be used in relation to;
- You have used that data already;
- The individual has not requested that you stop using the data for direct marketing; and
- You have not contravened any other provision of the PDPO which was in force at the time, i.e. you have not used the data in contravention of the PDPO.
This is a limited grandfathering provision in that it only applies in respect of marketing classes already notified to the individual; you cannot use the data you already have to market new goods or services. It also doesn’t apply to the provision of data to third parties – the new regime must be complied with in that situation.
What it does cover is the updating of personal information by an individual. If you already hold data, say an email address, and an individual informs you that they have a new email address, the fact that they have updated their personal data held by you does not mean you have to comply with the new notification requirements. However, if you haven’t previously held a particular piece of information, say you had an individual’s name and phone number but not a mailing address, and you subsequently obtain the mailing address, you would need to comply with the new notification requirements before you used that mailing address for direct marketing purposes.
Provision of data to third parties
As indicated above, there are slightly different notification requirements where you intend to provide data to a third party. You need to tell the individual that as part of the notification, and if the provision of the data is for gain, you must specifically state that. The concept of gain is likely to cause some concern for data users in this context.
Gain means the provision of data in return for money or other property, and so would capture not only situations where a third party pays for the provision of the data, but also where the third party agrees to provide a commission based on the use of the data. The guidance on this issue is limited compared with other issues, but given the Commissioner’s concern about the misuse of personal data for direct marketing, we anticipate he will take a broad view as to what could constitute “gain”. It is important to remember that the penalties for contravening the provisions in relation to the provision of data are significantly higher where the data was provided for gain.
Sharing data within a group of companies
The Guidance Note warns against the misconception that exists about the sharing of information between parent companies and subsidiaries. Specific consent to the provision of information in this manner will be required for the purposes of direct marketing, and if you are aware of companies within the group that you intend to provide data to, it is advisable to name them in the notice given to the individual.
What do you need to do?
There is less than a month to go before the new regime takes effect, so procedures should now be in place or well on the way to being finalised to be implemented before 1 April 2013. Some tips for final preparations are:
- Have you updated your PICS to take account of the new provisions?
- If you intend to rely on the grandfathering provision, do you have adequate proof that you meet the necessary conditions?
- Do you have procedures in place for dealing with opt-out requests? Will you use an opt-out list and who will be responsible for updating that?
- Do you need to run internal training to ensure that staff understand the new requirements and the procedures your organisation has in place to comply with them?
- Finally, it is worthwhile taking the time to read through the Guidance Note, even if you have already looked at it before, to check if there are areas you may not have considered before.
We regularly advise clients in relation to their obligations under the PDPO and can assist with any questions in relation to the new direct marketing regime.