
Media Statement - Guidance and Leaflet Published to Prepare Businesses and Consumers for New Regulatory Regime on Data Protection in Direct Marketing

Date: 15 January 2013

1. As the enhanced regulations on the use of personal data in direct marketing will soon come into force, the Office of the Privacy Commissioner for Personal Data ("PCPD") urged all organisations that are involved in direct marketing activities to take steps to ensure that the new requirements will be complied with.

New Requirements: Notification and Consent

2. The Personal Data (Privacy) (Amendment) Ordinance 2012 (the "Amendment Ordinance") has introduced, among other changes, a new regulatory regime on direct marketing, under which a data user is strictly prohibited from using or providing personal data to others for direct marketing purposes unless:

  • the data user has provided certain prescribed information (see below) and a response channel for the data subject to communicate his/her consent or indication of "no objection" to the intended use or provision of the data;
  • the notification must be easily understandable and readable;
  • the relevant data subject's consent or indication of "no objection" has been obtained. A valid consent must be made explicitly and voluntarily.

High Penalties for Non-Compliance

3. Failing to undertake the requisite actions, or using personal data in direct marketing without the data subject's consent, is a criminal offence punishable by a fine of up to HK$500,000 and imprisonment for up to 3 years. If the data is provided to a third party for its use in direct marketing in exchange for gain, non-compliance may result in a maximum penalty of a fine of HK$1 million and 5 years' imprisonment.

4. The Privacy Commissioner for Personal Data Mr. Allan Chiang reminds both businesses and consumers to get prepared for the new requirements before the commencement date. "It is common for businesses to use the personal data of their clients or potential clients in direct marketing activities. To ensure compliance with the new notification and consent requirements, all should 'get their houses in order', review or develop standard Personal Information Collection Statement, and internal policies and procedures on the use or provision of personal data for direct marketing activities, including their customer relationship management systems. Ignorance of the law is no defence to the criminal offence."

5. "Consumers should be aware of their personal data privacy right when they provide their personal data to corporate data users in exchange for convenience or benefits offered such as shopping discounts under customer loyalty schemes. Awareness helps save one from abuse or unfair sold-out of privacy and unsolicited marketing messages."

6. "Consumers should note that silence does not constitute consent. Hence a non-response to the direct marketer's notification would not enable its use of their personal data. However, under the Amendment Ordinance, "consent" includes an indication of "no objection". Hence if a consumer filling in a service application form does not tick the box provided by the direct marketer to indicate his objection to the use of his personal data in direct marketing, and sign the form to signify his acceptance to the terms on the form, he would be regarded as having consented to such use of his personal data," Mr. Chiang emphasised.

Guidance to Help Businesses

7. The PCPD has published the "New Guidance on Direct Marketing" (Jan 2013 edition), explaining the requirements under the new regime and providing practical guidance to data users. The PCPD will also organise professional workshops to familiarise organisations with the new provisions and compliance measures. The target audience is data protection officers, compliance professionals, lawyers and marketing personnel.

Guidance for Consumers

8. When a data subject's personal data is used in direct marketing for the first time, a data user must inform the data subject that he or she has the right to request the data user to cease to use the data for direct marketing purpose. Data subjects may also exercise their opt-out right at any time irrespective of any prior consent given. Upon receiving an opt-out request, the data user must cease using the data.

9. To guide consumers to indicate their consent to the use or provision of their personal data in direct marketing and exercise their opt-out right, the PCPD has published a leaflet titled "Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance".

Guidance and Leaflet:
www.pcpd.org.hk/english/resources_centre/publications/files/GN_DM_e.pdf; or obtain a copy at PCPD office (12/F, Sunlight Tower, 248 Queen's Road East, Wan Chai)

Professional Workshops:
For enquiries/registration, please call 2827 2827
http://www.pcpd.org.hk/english/activities/workshop.html

Exemptions

10. There are two exemptions under the regime. Under a grandfathering arrangement and subject to fulfillment of certain conditions, the new requirements will not apply to personal data legitimately collected and used in direct marketing before the commencement date.

11. In addition, the direct marketing provisions under the Ordinance do not apply to the offering, or advertising of the availability of certain social and healthcare services unless the personal data is provided to others for use in direct marketing for gain.

Prescribed information includes:

  • the intention to use the personal data in direct marketing, or to provide the data to a third party for its use in direct marketing activities
  • the kinds of data to be used or provided (e.g. name, email address and phone number)
  • the classes of products/services in relation to which the data is to be used or provided
  • the data user may not so use or provide the data unless the data subject's consent has been received
  • a response channel

A data user who intends to provide the personal data to a third party for use in direct marketing is required to meet additional requirements:

  • to give the data user's notification and obtain the data subject's consent in writing
  • to inform the data subject that the data is transferred for gain (if applicable)
  • to inform the data subject of the classes of persons to which the data is to be provided

- End -