What is direct marketing? Can I use my customers’ personal data for the purpose of direct marketing?

Direct marketing is a common business practice. Businesses and companies often promote their goods and services directly by contacting existing customers or targeting potential customers via email, phone calls and so on. 

In Hong Kong, direct marketing is regulated by the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”). As a business, you can use customers’ personal data in direct marketing in strict compliance with the requirements set out in the PDPO. 

In this article, you will understand (a) the meaning of direct marketing; and  (b) the steps you need to take before using personal data for direct marketing. 


Direct Marketing

Under section 35A of the Ordinance, “direct marketing” means “(a) the offering, or advertising of the availability, of goods, facilities or services; or (b) the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes” 

For instance, offering free services/upgraded services by telephone to a specific customer constitutes direct marketing. However, informing your customer by SMS that their trial period will be expiring soon does not constitute direct marketing.

Unsolicited Commercial Messages 

In Hong Kong, the Unsolicited Electronic Messages Ordinance (Cap. 593) (“UEMO”) governs the rules that restrict businesses’ use of  unsolicited electronic marketing messages with a commercial purpose sent over a public telecommunications service that have a “Hong Kong link”. This means that the UEMO applies if the sender or the recipient of a commercial electronic message is located in Hong Kong. Direct marketing through “cold calling” and hard copy promotional materials distributed by post or by hand are not regulated by the UEMO. 

What steps organisations need to take before using customer’s personal data in direct marketing?

According to the PDPO, you must inform your customers (orally or in writing):

  • ​​that you intend to use their personal data for direct marketing: and that without the customers’ consent, you may not so use the data.
  • the intended use of the personal data, including the types of personal data to be used and the classes of marketing subjects regarding which the data is to be used
  • a free channel through which they can communicate their consent to the intended use

It is important to provide the said information in a manner that can be easily understood by the customers so that they can make an informed choice. 

In January 2013, the Office of the Privacy Commissioner for Personal Data published the New Guidance on Direct Marketing in light of the amendments made to the Ordinance. Accordingly, it is good practice to observe six principles when you handle personal data in direct marketing:

  1. Respect your customers’ right of self-determination of their own data
  2. Be open, transparent and accountable when handling personal data
  3. Provide an informed choice to individuals to decide whether their personal data can be used in direct marketing
  4. Provide information to your customers regarding the use, collection or provision of their personal data in an easily understandable manner: If the information is provided in written form, it should be easily readable.
  5. Honour and update your customers’ request to cease the use of their personal data in a timely and professional manner
  6. Be inclusive to cater for the minorities’ special needs: For instance, you can adopt a universal design for websites so that information can be provided in large prints to those with impaired vision and the aged.

Right to Opt-out

If you are using the personal data for direct marketing for the first time, you must notify your customers of their right to opt out. If they opt out, you must stop using their data for the purpose of direct marketing without charging them. You must also comply with your customers’ request, made at any time, to stop using their personal data in direct marketing without charging them (section 35G of the Ordinance). In addition, you must maintain a list of all customers who have opted-out/indicated their request to not to receive further marketing approaches and inform your staff to ensure compliance with such requests. 

How do I obtain customers consent for using personal data in direct marketing?

You, as a data user, can only use your customers’ personal data in direct marketing if you have received their consent to the intended use of their data. In this context, consent includes an indication of no objection to the provision or use of their personal data (section 35A of the Ordinance). Such consent must be explicitly given by the customer. For instance, you can provide a tick box in an application form as follows:

“☐ I object to use of my personal data for direct marketing of XX services”

If your customers choose to consent orally, you must within 14 days from the receipt of their consent (section 35E of the Ordinance) seek confirmation in writing on:

  1. the date of receipt of the consent; (b) the permitted kind of personal data; and (c) the permitted class of marketing subjects.

Breach of the direct marketing provisions under the PDPO

If you contravene any of these requirements, you may have committed an offence. You may then be liable on conviction to a maximum imprisonment of three years and a maximum fine of HK$500,000.

If personal data is to be transferred to a third party for use in direct marketing, you must take certain steps in protecting your customers’ personal data. For more details, you may read “Can I transfer my customers’ personal data to third parties for use in direct marketing?”

How to avoid infringing the PDPO? 

As a business, you must have a well drafted Privacy Policy that outlines:

(a) Definition of Personal Data

(b)Why the company collects and processes personal data

(c) What data is collected and processed

(d) How is the data stored?

(e) Who has access to the data?

(f) User’s rights and control mechanism

If you have a website, you can easily incorporate a Privacy Policy page on your website by following our Privacy Policy templates and tailoring it to your needs.

Key takeaways
  • Unsolicited electronic commercial messages are regulated by the UEMO. 
  • You can only use your customers’ personal data in direct marketing if you have obtained their consent in compliance with the requirements set out in the PDPO.
  • Failure to comply with the requirements on direct marketing is a criminal offence and can result in imprisonment and/or fine.

Bibliography:

  1. Office of the Privacy Commissioner for Personal Data, ‘Guidance for Data Users on the Collection and Use of Personal Data through the Internet’: https://www.pcpd.org.hk//english/resources_centre/publications/files/guidance_internet_e.pdf
  2. Office of the Privacy Commissioner for Personal Data, ‘Exercising Your Right of Consent to and Opt-out from Direct Marketing Activities under the Personal Data (Privacy) Ordinance’: https://www.pcpd.org.hk//english/resources_centre/publications/files/opt_out2015_e.pdf
  3. Privacy Commissioner for Personal Data, ‘New Guidance on Direct Marketing’: https://www.pcpd.org.hk/english/publications/files/GN_DM_e.pdf
  4. Privacy Commissioner for Personal Data, ‘Data Protection & Business Facilitation Guiding Principles for Small and Medium Enterprises’: https://www.pcpd.org.hk/english/resources_centre/publications/files/sme_e.pdf