Date: 8 January 2026
Response to media enquiry on PayMe's default privacy settings
Enquiry:
“I am writing to follow up on PayMe's default privacy setting. Could you confirm the investigation (as a compliance review?) and what will be the potential result? Appreciate if you could advise the possible penalty for wrongdoings.”
Answers:
- The Office of the Privacy Commissioner for Personal Data (PCPD) has commenced a compliance check into the matter in accordance with established procedures, and would look into all relevant issues, including legacy users’ vulnerability, and the need for in-app prompts.
- Generally speaking, all data users must comply with the requirements of the Personal Data (Privacy) Ordinance (PDPO) and the relevant Data Protection Principles (DPPs) under the PDPO when they collect, hold, process or use personal data in Hong Kong.
- With regard to the use of personal data, DPP3 provides that personal data shall be used (including the disclosure and transfer of relevant data) for a purpose which is the same as or directly related to the original purpose(s) of collection, except where voluntary and express consent has been obtained from the data subject.
- Meanwhile, to safeguard users’ personal data privacy, the PCPD has provided the following recommendations to the relevant data user:-
  a. service providers of mobile applications should adopt the principle of “privacy by default”, whereby the highest level of privacy protection is enabled as the default setting, and users would be required to take deliberate and informed action to opt in to any settings that lower their degree of privacy, such as permitting other users of the application to access their personal data; and
  b. service providers of mobile applications should adopt appropriate measures to ensure that all users are aware of their rights and options for controlling their levels of privacy protection.
- As the compliance check is ongoing, the PCPD would not comment on the case at this stage.