On January 15, 2013, the Privacy Commissioner for Personal Data (“Commissioner”) published New Guidance on Direct Marketing (“New Guidance”). The New Guidance sends a sharp message to businesses that, in order to avoid potential penalties of up to HK$1 million (U.S.$128,933) and imprisonment, they should “get their houses in order” before the scheduled commencement of the new direct marketing regime on April 1, 2013.
The New Guidance provides long-awaited practical guidelines and examples on compliance with the new regime.
This article focuses on three key areas covered in the New Guidance:
- the meaning of consent;
- the response channel; and
- the meaning of transferring personal data “for gain”.
This article also provides answers to a number of frequently asked questions about the new direct marketing regime.
The New Guidance was issued to provide clarity on compliance with the new direct marketing regime introduced by the Personal Data (Privacy) (Amendment) Ordinance (“Amendment Ordinance”), which was passed into law on June 27, 2012 (see analysis by Anna Gamvros, Aaron Bleasdale, and Jacqueline Wong, of Baker & McKenzie, Hong Kong, at WDPR, July 2012, page 4).
The New Guidance, like all Guidance Notes issued by the Commissioner, does not have the force of law. However, any contravention of a Guidance Note will be taken into consideration by the Commissioner in an investigation. To avoid the onerous penalties, companies are strongly advised to follow the recommendations in the New Guidance.
Consent
One of the major changes introduced by the Amendment Ordinance is that a data user must obtain the data subject’s consent before using or transferring data for direct marketing purposes. “Consent” is defined to include an “indication of no objection”. The New Guidance provides clarity on what the Commissioner considers to be an acceptable consent mechanism.
Form of Consent
The New Guidance provides that there must be “explicit” action taken on the part of the data subject to qualify as an “indication of no objection”. In other words, silence will not constitute consent.
The following examples of valid written consent are provided; each requires some action on the part of the data subject:
- Opt-in: Ticking the box “I do not object to the use of my personal data for direct marketing of [XXX] in an application form”; and
- Opt-out: Not checking the tick box indicating objection to receiving direct marketing material, but signing and returning to the data user an agreement to the effect that the data user’s notification regarding collection, use and provision of personal data has been read and understood.
The “opt-out later” or “deemed consent” approach that was acceptable in the past is no longer sufficient. For example, where a company informs a customer in writing of the use or provision of personal data for direct marketing and states that “any objection has to be made by sending back the objection slip”, such a non-response from the data subject would not amount to valid consent.
‘Bundled Consent’
“Bundled consent” is where direct marketing consent language is inseparable from other provisions in an application form or contract terms, and there is no option for the customer to object to the direct marketing use and still obtain the other services applied for.
The New Guidance reiterates that “bundled consent” should be avoided, and reminds data users not to design service application forms and contracts in a way which makes it impracticable for a customer to refuse the use of his or her personal data for direct marketing purposes (for example, by providing only one space to sign on an application form for a product/service).
General/Selective Consent
Consent may be given either generally or selectively. This means that, to keep the consent language short, data users are allowed to seek a general consent to cover the direct marketing use and transfer of all kinds of personal data, classes of marketing subjects and classes of persons to which the data is to be provided. The problem with this approach is that, if no consent is provided, the data user will not be allowed to use personal data for direct marketing purposes under any circumstances. To avoid a blanket refusal by data subjects, the New Guidance suggests that data users may:
- allow customers to indicate separately whether they agree to 1) the use, and 2) the provision of their personal data to others; and
- inform customers and provide a mechanism for them to give selective consent to 1) the kinds of personal data to be used; 2) the classes of marketing subjects; and 3) the classes of data transferees.
Response Channel
The Amendment Ordinance provides that data users are required to provide a data subject with a “response channel” through which the data subject may, without charge, communicate his or her consent to the intended use or transfer of personal data.
The following examples of appropriate response channels are provided in the New Guidance: a telephone hotline, a fax number, a designated email account, an online facility to allow data subjects to subscribe/unsubscribe, a specific address to collect written responses, or a designated person to handle the request through the above or other means.
It appears that any form of response channel is likely to be deemed acceptable if it allows effective communication of consent by the data subject.
Meaning of ‘For Gain’
Where a data user intends to provide personal data to a third party “for gain” for a direct marketing purpose, the Amendment Ordinance provides that the data user must 1) provide a written notice that personal data will be provided for gain, and 2) obtain written consent. “For gain” is defined in the Amendment Ordinance as the provision of personal data in return “for money or other property”. The requirements around gains for personal data transferred for direct marketing were introduced in direct response to events investigated in the Octopus case in 2010 (see report by Anna Gamvros and Jacqueline Wong, of Baker & McKenzie, Hong Kong, at WDPR, November 2010, page 20), and failure to comply carries the heaviest fine of up to HK$1 million (U.S.$128,933) and five years’ imprisonment.
Examples of “gains” in the New Guidance include commissions/fees in return for the transfer of personal data and the transfer of personal data to another business entity to “explore a business opportunity or to pursue a business cooperation”. It is not clear how the latter example falls within the definition of “money or other property”, and it may in fact be broader than the definition in the Amendment Ordinance.
Frequently Asked Questions Answered by the New Guidance
Q: Do we need to comply with the new direct marketing requirements when we want to send promotional information to a contact after receiving his or her business card?
A: This depends on the nature of the marketing to the contact. The New Guidance draws a distinction between marketing targeted at individuals and marketing targeted at their employing corporations. This is significant, as it goes beyond the strict interpretation of the Personal Data (Privacy) Ordinance (“PDPO”). Where personal data is collected from individuals in their “official capacity” (for example, as in-house legal counsel) and the product or service is clearly meant for the exclusive use of the corporation by which the individual is employed, the Commissioner takes the view that the requirements of the new direct marketing regime will not apply. However, if that same individual is sent details of products or services targeted to him or her as an individual, the direct marketing requirements will apply.
Q: When describing the class of marketing subject, how specific should we be?
A: The examples provided in the New Guidance suggest that the description must be very specific. Companies should make reference to the distinctive features of the goods, facilities or services so that customers may ascertain the types of goods, facilities or services about which they may receive direct marketing with a “reasonable degree of certainty”. The New Guidance gives the example that “promotional offers in relation to telecommunications network services offered by ABC Company” would be acceptable. However, “retail services and products provided by ABC Company” would not be acceptable, as it is too broad for customers to comprehend the classes of goods, facilities or services. The specific type of retail services and products would need to be specified.
Q: Is it permissible to transfer personal data without consent for direct marketing purposes to other affiliate companies of our organization?
A: No. The New Guidance clarifies that it is a misconception that a data user may freely transfer personal data to its parent company and subsidiaries/associated companies for direct marketing purposes. Once the new direct marketing regime is in effect, a data user is required to obtain written consent from a data subject prior to providing personal data to any other person or entity for the purposes of direct marketing, including affiliates. There are no transitional provisions applicable to transfer of data for a third party’s direct marketing purposes.
Q: I understand we have to provide information on direct marketing that is “easily understandable” and “easily readable”. What exactly does this mean?
A: These terms are referred to in different places throughout the New Guidance. The emphasis is on simplicity and clarity, and a “reasonable man’s test” should be adopted when deciding what is easily readable and easily understandable. In particular, data users should:
- use simple rather than complicated words in the Personal Information Collection Statement (“PICS”) and avoid use of legal terms/convoluted phrases;
- avoid vague and loose terms, e.g., “such types of services and products as the company may from time to time think fit”;
- consider whether the layout and presentation of the PICS (including font size, spacing, use of headings, highlights) has been designed so the PICS is easily readable by customers with normal eyesight and taking into account the characteristics of the targeted customer (in terms of age, language, education level, etc.); and
- ensure that check boxes for consent are highlighted to attract customers’ attention.
Q: Do we have to comply with the new direct marketing requirements when we collect personal data from public registers or third parties?
A: Yes. The duty to inform the data subject of your intention to use the data subject’s personal data is “absolute” and applies irrespective of whether the personal data is collected from data subjects directly or from other sources.
Q: If we are already carrying out direct marketing to our existing customer base, does the new direct marketing regime apply?
A: Yes. However, if the company can benefit from the transitional/grandfathering provisions, it will not need to comply with the notice and consent requirements to use the data for direct marketing. Data users should note that the transitional provisions apply only to use of data, not to provision of data to a third party, for direct marketing. The New Guidance clarifies that the grandfathering arrangement also applies to “updates” of personal data held by a data user before the commencement date. However, it does not apply to new data acquired after the commencement date through 1) updating the data subject’s personal profile, and 2) new business deals with the data subject.
What Do We Need to Do Now?
On January 21, 2013, the commencement date for the new regime was set by the Secretary for Constitutional and Mainland Affairs as April 1, 2013. Therefore, companies that have not already done so should embark on a review of their direct marketing practices to:
- determine whether they can benefit from the transitional provisions;
- review their PICS, privacy policies, application forms and service contracts to ensure compliance with the new notice and consent requirements;
- review internal practices and policies with respect to the use, transfer and handling of data for direct marketing purposes; and
- ensure compliance prior to April 1, 2013, the commencement date of the new direct marketing regime.
Anna Gamvros is a Partner and Paolo Sbuttoni is a Registered Foreign Lawyer in the IT & Communications practice of Baker & McKenzie, Hong Kong. They may be contacted at anna.gamvros@bakermckenzie.com and paolo.sbuttoni@bakermckenzie.com.