How to Comply with the Personal Data Privacy Ordinance (PDPO) for an Online Business?

Businesses often set up their own websites to expand their outreach. Once you have an online presence then it is likely that you will collect and use customer personal data

such as the customer’s email address, name, purchase records, search enquiries etc. This implies that the data privacy laws will apply to your business and you need to understand your obligations to protect customer personal data to ensure compliance. Any failure to comply with the data privacy regulations can:

• result in hefty fines and penalties
• damage our business’s reputation and brand value.  
• cause damage to your business as consumers are aware of the value of their personal data and failure to protect will make customers lose their trust in your business
• result in complaints from customers in the event of data breach

The law governing personal data and privacy in Hong Kong is the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”).  It is applicable to both the private and the public sectors. This article provides guidance to the online business owners on complying with the requirements under the PDPO.

A. Data Protection and Privacy

1. Key Terms You Need to Know

Before we go any further, it is important to understand basic terminologies used in the PDPO:

(a) Personal Data means any data

relating directly or indirectly to a living individual; 

from which it is practicable, directly or indirectly, to ascertain the the identity of the individual; and 

in a form in which access to or processing of the data is practicable

Some common examples of customer personal data collected in an online business and subject to the PDPO are customer’s name, email address, sex, age etc.

(b) Data Subject refers to an individual who is the subject of the data

(c) Data User refers to a person who, either alone or jointly controls the collection, holding, processing or use of the data.

2.  The Six  Data Protection Principles

The PDPO provides for six data protection principles to regulate the ways that personal data is collected, retained, used, secured, accessed and corrected. 

The six data protection principles are as follows:

1. DPP 1 – Purpose and manner of collection: As per the DPP1, as a data user you should collect information that is necessary for the purpose. The collected data should be adequate and not excessive for the purpose it is to be used. Also, the collection of data should be lawful and fair. 

As a data user, you need to inform your customers:

• whether it is an obligation or voluntary to supply the data;
• the purpose of using the customer data;
• the classes of person to whom the data will be transferred; and
• the right and process for requesting access to and correction of their data.

When operating an online business, customer data is often collected via website forms or e-mails. In such a case, you need to provide the above information to your customers. This can be done by providing:

• Personal Information Collection Statement on the website
• Cookie Policy to inform what kind of information is stored in the cookies and whether the website deploys third-party cookies

It is important to label the information that is mandatory and optional for the customer to provide in the online forms

2. DPP 2 – Accuracy and duration of retention: This requires the data user to take all steps to ensure that the personal data is accurate and is not kept for longer than necessary to meet the purpose for which the data is used. It imposes the obligation for deleting the personal data when it is no longer required (unless exempted). Any non-compliance with this provision is an offence punishable by a fine of up to HK$10,000.

3.  DPP 3 – Use of data: As per the DPP3, any use of customer personal data for purposes other than for which it was originally collected is prohibited, unless prior consent of the customer was obtained by the data user.  

When operating an online business and collecting customer data, you need to:

• Inform the customer at the time of collection that the personal data will be displayed on the website or elsewhere. In absence of such notice to the customer, you will need to obtain customers consent before displaying the personal data on the website or elsewhere.
• Anonymise the personal data when displaying it so that the identity of the customer cannot be ascertained. The personal data should be displayed only to the extent necessary to achieve the purpose.
• Limit the purpose of use of personal data displayed on the website or elsewhere by putting a statement to the effect that such data should not be used for any other purpose.

4. DPP 4 – Data security: As per the DPP4, all practicable steps must be taken to protect the personal data against any unauthorised or accidental access, erasure, loss or use. In the event a data processor is engaged to process the personal data then as a data user you must enter into an agreement / contract with the data processor to prevent data breach.

With online businesses, you need to implement security measures to safeguard customer personal data and prevent data breaches.As per the guidance note issued by the Privacy Commissioner, you can:

• implement a Privacy by design approach to ensure protection of personal data
• carry out risk assessments from time to time on the various kinds of customer personal data collected and stored by you
• implement the necessary policies and procedures required to outline measures to keep the data confidential and define the accountability of the persons who have access to such personal data.
• set out policies on handling of personal data and provide training to the staff to ensure compliance
• Implement security measures to prevent access to the data by third parties such as encrypting personal data when transmitted, set complexity requirements for passwords to prevent them from being compromised etc.
• Set up a data breach response plan to mitigate the loss and damage to the affected customers

5. DPP 5 – Openness and transparency: The DPP5 provides that the personal data practices and policies of your business must be easily available and must outline the kind of personal data held and the purpose of holding it

For an online business, you need to make your privacy policy accessible or easily downloadable by the customers. For details on how to prepare a privacy policy for your website, refer to Section B hereinbelow.

6. DPP 6 – Access and correction: DPP 6 provides that your customers have the right to request access to and correction to their personal data. 

In the case of an online business, you can outline the means and process for the customer to make the data access/ correction request to you. The PDPO provides that such requests must be handled within a period of 40 days. If you are charging to comply with such requests then you must state your charges, which should not be excessive. Also, no charges can be levied for correction requests by the customers.

In this regard, the Office of the Privacy Commissioner for Personal Data has issued the following guidelines:

• Proper Handling of Data Correction Request by Data Users
• Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

B.  Important policies for your online business website to ensure PDPO compliance

1. Privacy Policy

• What is a Privacy Policy

Privacy Policy is essentially a page on your business website that explains how you will handle personal information of the customer

• What to include in a Privacy Policy?

A privacy policy should include information on:

(i) the overall commitment of the business to protect the privacy of the customers

(ii) the type of personal data collected and the purpose it will be used for. 

(iii) the process of handling personal data of minors if your website content is of interest to minors. It is recommended to not to collect any personal data from minors especially under the age of 13 years without the prior consent of the parent / guardian.

(iv) use of cookies to collect information without notice to the customer.

(v) measures adopted to ensure accuracy of the personal data 

(vi) how long the information will be retained and whether the customer has any option to delete this information held by you

(vii) who has access to the personal data? If you are disclosing personal information to any other party then you must make it clear in the privacy policy. Also, outline the measures adopted to restrict access to such information.

(viii) whether the information will be used for direct marketing or not

(ix) state the measures adopted to ensure the security and confidentiality of the personal data

(x) procedure for handling requests by the customers for data access and correction and the charges (if any). 

(xi) contact details of the company’s data protection officer to respond to any queries relating to the privacy policy and practices. 

You can easily incorporate a Privacy Policy page on your website by following our Privacy Policy template and tailoring it to your needs.

• Where to display your privacy policy?

The privacy policy should be easily accessible on your website. It is recommended to place a link to the policy at a prominent place such as in your website footer. It is generally placed together with the Terms of Use and Cookie Policy. Also, provide a link to the privacy policy in any online form used to collect the personal information of the user. For instance, you can include a separate checkbox (unchecked) with a link to the privacy policy in the registration form on the website.

2. Cookie Policy

• What is a Cookie Policy?

Use of cookies on the website often raises privacy concerns as they track online behavior of the customers which may involve the collection of user’s personal data. So, if you are using cookies on the website then you must ensure compliance with six data protection principles listed herein above. Also when using Cookies, it is recommended to: 

1. notify the end user and individuals when cookies are collected.
2. state the kind of personal data stored in the cookies and its purpose
3. state whether it is mandatory for users and individuals to accept the use of cookies to access the website

• What to include in the cookie policy?

It is recommended to have a cookie policy to inform the customers about the cookies active on the website. In the cookie policy, you can include:

(a) What are cookies?

(b) How are the cookies used?

(c) What type of cookies are used?

(d) How do you  manage the cookies?

In this regard, the Office of the Privacy Commissioner for Personal Data has issued the guideline on Online Behavioural Tracking and outlines the following best practices for website owners when using cookies:

1. pre-set a reasonable expiry date for cookies; 

4. encrypt the contents of cookies whenever appropriate; and 
5. Not to deploy any techniques (e.g. Flash/zombie) that ignore browser settings on cookies unless you the customer has been provided with an option to disable or reject such cookies 

You can easily incorporate a Cookie Policy page on your website by following our Cookie Policy template and tailoring it to your needs.

• Where to display the cookie policy on the Website?

The policy can be a part of the privacy policy or as a separate policy published prominently on the website

3. Personal Information Collection Statement

• What is a Personal Information Collection (PIC) Statement?

If you are collecting personal data online from the customers, then you need to provide a PIC statement on or before the collection of personal data.

• What to include in a PIC statement?

A PIC statement will:

(i) state the purpose for which the information will be used;

(ii) whether it is obligatory or voluntary for the individuals to supply their personal data

(iii) the type of organisations to  whom such personal data will be disclosed

(iv) information about the use and/or provision of personal data for direct marketing (if applicable),

(v) inform the user of the right to request access to and correction of their personal data

(vi) contact details of the data protection officer to handle such requests for data access or correction of personal data

C. Direct Marketing and the PDPO

Customer’s personal data obtained via website can be used for direct marketing strictly in compliance with the PDPO. In this regard, the Office of the Privacy Commissioner for Personal Data has issued the ‘New Guidance on Direct Marketing’ to provide practical guidance to data users to ensure compliance with the regulations for direct marketing. 

1. What steps do you need to take before using customers’ personal data for direct marketing?

According to the PDPO, you must inform your customers:

• ​​that you intend to use their personal data for direct marketing;
• that the personal data will not be used without the customers’ consent
• the intended use of the personal data, including the types of personal data to be used and the classes of marketing subjects regarding which the data is to be used
• a response channel through which the user may communicate its consent to the indented use

It is important to provide the said information in a manner that can be easily understood by the customers so that they can make an informed choice. 

2. Is consent required for direct marketing?

Yes, you can use your customer’s personal data in direct marketing only after obtaining the consent to use the personal data for the intended purpose. The customer must indicate no object to the use of personal data for direct marketing purposes. If such consent is given orally, then you need to receive a confirmation in writing within 14 days from receiving their consent

3. Right to Opt-out

If you are using the customer’s data in direct marketing for the first time then you must notify the customers of their opt-out right.  For instance, in the case of marketing via email, the marketing material should provide a link to the e-mail address of the data user to enable the customer to exercise the opt-out right. 

If any customer chooses to opt-out then you must stop using their data for direct marketing without charge to the customer. In addition you must prepare a list of customers who have opted-out and check the latest opt-out list before making any direct marketing approaches. Failure to comply with these requirements is an offence and renders the offender liable on conviction to a fine. 

To know more about direct marketing, read our article What is direct marketing? Can I use my customers’ personal data for the purpose of direct marketing?

4. Can personal data be transferred to third parties for direct marketing?

As per the PDPO, you must inform the user in writing before transferring the user’s personal data to a third party for use in direct marketing. The written notice must include the following information:

• That it intends to transfer the personal data
• The personal data will not be transferred without user’s written consent
• Whether the data is transferred for gain
• the kinds of personal data to be provided 
• the classes of persons to whom the data will be provided
• the classes of marketing subjects in relation to which the data is to be used; and
• a response channel through which the user may communicate its consent in writing to the indented data transfer

The information must be provided in a clear and easily understandable manner.   It can be incorporated in the PIC statement.

Without customer’s consent to transfer the personal data for direct marketing, you are not allowed to transfer such data to third parties.  Even after providing such consent, the customer may at any time require you to:

1. stop providing their personal data to third party for use in direct marketing; and
2. Notify the third party to stop using their data in direct marketing.

Once you have received these instructions, you must ensure compliance without charge to the customer.

To know more about direct marketing, read our article Can I transfer my customers’ personal data to third parties for use in direct marketing?

5. Can personal data be used to send unsolicited emails to the customers?

As per the New Guidance on Direct Marketing issued by the Privacy Commissioner, “direct marketing” does not include unsolicited business electronic messages that are sent to email addresses, telephones or fax machines without addressing to specific persons by their names and person-to-person calls that are made to phone numbers generated randomly. Therefore, any marketing email sent to an unidentified owner is not direct marketing. 

Hence, a business can send unsolicited emails without identifying the recipient by name. Such messages must be in compliance with the  Unsolicited Electronic Messages Ordinance (Cap. 593) 

To know more about sending unsolicited electronic messages, read our blog Marketing or Unsolicited Spam Mail? Guide to Email Advertising Management

D. What is GDPR, and does it apply to your business?

The EU General Data Protection Regulation (“GDPR”) is a complex and strict privacy law drafted and passed by the European Union. In general, the EU law grants enhanced rights to have detailed, up-to-date information on what data is recorded about them, the purpose for doing so, and where their personal data is sent.

As a business, you are responsible for complying with the GDPR if you are collecting or processing data concerning people living in the European Union. If the GDPR regulations apply to your business then your privacy policy and cookie policy must be updated to ensure compliance with the GDPR. Non-compliance with GDPR may be fined up to €20 million or four percent of your company’s annual revenues, whichever is greater

The Office of the Privacy Commissioner of Hong Kong has issued a comprehensive booklet titled ‘An Update on European Union General Data Protection Regulation 2016’ to understand about GDPR and its relevance for Hong Kong organizations and businesses. 

Please note that this is a general summary of the position under the Laws of Hong Kong SAR and does not constitute legal advice.