V. Privacy regarding direct marketing
The Amendment Ordinance 2012 introduced a new regime governing the use of personal information in direct marketing, which took effect on 1 April 2013. The new regime provides stronger protection for individuals. When data users intend to use or provide an individual’s personal data in direct marketing, they are required to inform the individuals of the prescribed information and obtain their consent.
Under section 35A of the Ordinance, “direct marketing” (in the context of personal data privacy) means:
- offering or advertising the availability of goods, facilities or services; or
- soliciting donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,
by means of:
- information or goods sent to specific persons by mail, facsimile transmission, electronic mail, or other similar means of communication, where the information or goods are addressed to a specific person or specific persons by name; or
- telephone calls made to specific persons.
Corresponding to the amendment of the Ordinance, the Commissioner published guidance notes entitled New Guidance on Direct Marketing in January 2013.
A. Use of personal data for the data user’s own direct marketing purposes
With reference to section 35C of the amended Ordinance, before using personal data in direct marketing, data users must follow the specific steps listed below:
1. Data users must inform the data subjects of their intention to use the data subjects’ personal data for direct marketing, and they may not so use the data unless they have the data subjects’ consent.
2. Data users must provide the data subjects with information on the intended use of the data, including the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used.
3. Data users must provide the data subjects with a free-of-charge channel through which the data subjects may communicate their consent to the intended use.
4. In order to help data subjects make an informed choice, the information provided by data users must be presented in a manner that is easily understandable and, if in written form, easily readable.
In addition, according to section 35F , if data users are using the data in direct marketing for the first time , they must notify the data subjects of their op-out right, and the data users must, without charge to the data subjects, stop using the data in direct marketing if the data subjects opt out.
Data users can use the personal data in direct marketing only after they have received the data subjects’ consent to the intended use of the personal data. Consent, in this context, includes an indication of no objection to the use or provision of the personal data ( section 35A(1) ). If the data subjects give their consent orally, the data users must confirm in writing to the data subjects within 14 days from receiving their consent the permitted kind of personal data and the permitted class of marketing subjects ( section 35E ).
Data users must comply with the data subjects’ request at any time to stop using the data subjects’ personal data in direct marketing without charge to the data subject ( section 35G ).
Data users who contravene any of the requirements in the sections mentioned above commit an offence. For each offence, the data user is liable on conviction to a maximum fine of $500,000 and to a maximum imprisonment of three years.
In contrast to this new regime which is an “opt-in” regime, the old regime offered data subjects only a limited “opt-out” option: i.e., when data users used data subjects’ personal data in direct marketing for the first time, the users had to inform the subjects that they could request the data user to cease using their personal data for direct marketing purposes. If data subjects made such a request, the data users had to stop using the data; if the data subjects made no such request, their personal data could be used without any further notice. It should be noted that the old regime still applies to personal data that was used in direct marketing before the new amendment took effect, pursuant to section 35D of the amended Ordinance (also called a “Grandfather arrangement”: i.e. an old rule continues to apply to certain existing cases, while a new rule applies to all future cases). In other words, if before 1 April 2013 a data user used the personal data in direct marketing in compliance with the existing requirements of the Ordinance, that data user could continue to do so on or after 1 April 2013, in relation to the same class of marketing subjects, without being subject to the obligations imposed under the new regime.
B. Provision of personal data to third parties for use in direct marketing
In addition to the regulation on the use of personal data by data users for their own direct marketing purposes, the amended Ordinance introduces more stringent regulations on providing personal data to third parties for use in direct marketing, including the sale of personal data.
When data users intend to provide personal data to third parties for use in direct marketing, the data users must follow a procedure similar to that outlined above in part A. Additionally, they must inform the data subjects of two other kinds of information in relation to the intended use ( section 35J ):
- whether the data is to be provided for gain; and
- the classes of persons to whom the data is to be provided.
The form of notification and response of the data subject must be in writing . Furthermore, the data users must not provide personal data to a third party unless the data users have received written consent from the data subject. ( section 35K )
Data subjects may at any time and irrespective of whether they have previously given consent to the provision of their personal data to a third party require the data user—
- to stop providing the data subjects’ personal data to a third party for use by that party in direct marketing; and
- to notify any third party to whom the data has been so provided to stop using the data in direct marketing.
Accordingly, data users who receive these instructions must, without charge to the data subjects, comply with them. The notification made by the data users to the third party must be in writing . Any third party who receives such a notification from the data user must stop using the personal data in direct marketing in accordance with the notification. ( section 35L )
Contraventions of the requirements in relation to the provision of personal data to third parties for use in direct marketing are offences. For contraventions involving the provision of personal data for gain (including the sale of personal data), the maximum penalty is a fine of $1,000,000 and imprisonment for five years. For other contraventions, the maximum penalty is a fine of $500,000 and imprisonment for three years.
Unlike the use of personal data for the data users’ own direct marketing purposes, the provision of personal data to third parties for use in direct marketing is not subject to a “Grandfather arrangement” (i.e. when an old rule continues to apply to certain existing cases, while a new rule applies to all future cases). In other words, any provision of personal data to third parties, whether it happened before or after 1 April 2013, must comply with the requirements of the amended Ordinance.
With regard to cold-calling (note), staff members of the data user are recommended to give an opt-out message along the following lines: We are not allowed to use your personal data in direct marketing without your consent. If you do not wish to receive marketing calls from us, please tell me anytime and we will not call again.” If the data user fails to inform a data subject of his opt-out right or other information required by sections 35C – 35F as mentioned above, a data subject may lodge a complaint with the Office of the Privacy Commissioner for Personal Data. (Note: Cold-calling is the practice of making a marketing approach by telephone to a potential customer with whom the caller has had no previous dealings.)
The PPCD published a leaflet that introduces the ways for individuals to exercise their right of consent to opt-out of direct marketing activities under the amended Ordinance.