Keywords: privacy laws, direct marketing, compliance
Part VIA of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) sets out new direct marketing requirements. Part VIA will tentatively commence on 1 April 2013. In anticipation of its commencement, the Privacy Commissioner for Personal Data (PCPD) has issued a Guidance Note on Direct Marketing (Guidance Note). The Guidance Note will take effect when Part VIA commences.
It is essential to be aware of the new requirements under Part VIA of the PDPO when collecting personal data from clients for direct marketing. Failure to comply may constitute an offence and give rise to civil liability. The Guidance Note is intended to assist businesses to understand these requirements and how to comply. A full copy of the Guidance Note is available here.
In a nutshell, before using personal data in direct marketing, the data user must inform data subjects that it intends to use their personal data in direct marketing, and inform them of the kinds of personal data to be used as well as the types of service and products to be marketed. It must also provide a response channel to enable data subjects to communicate their consent or to register a 'no objection', free of charge.
If the data user intends to provide any personal data to another person to use in direct marketing, the data user must inform the data subject before so doing. It must also inform the data subject of the kinds of personal data to be provided, the classes of persons to whom the data may be provided, the types of service and products to be marketed, and whether the data is to be provided in exchange for money (or for other property, if that is the case). Additionally, it must provide a response channel to enable data subjects to communicate their WRITTEN consent or to register 'no objection', free of charge.
In either case, the data user is not allowed to use or to provide personal data for direct marketing unless it has received the data subject's consent or 'no objection'.
Collecting personal data for direct marketing
Collection of that which is excessive to requirements is not permitted
Data Protection Principle (DPP) 1(1) provides that only necessary, adequate and not excessive personal data is to be collected for a lawful purpose directly related to a function or activity. Data users should only collect personal data necessary for a lawful purpose, and only collect additional data for direct marketing that is provided on a voluntary basis.
Example: It is not necessary for a bank to collect personal data about a customer's marital status and education level when the customer is opening a bank account. If the bank wants to collect that data for marketing, it should inform the customer that providing this data is voluntary.
Collection must be by means that are fair and lawful
DPP1(2) provides that personal data should be collected by means which are lawful and fair. The data user should not use deceptive means to collect personal data.
Example: It is not considered fair means of collection to offer free gifts to passers-by to attract them to fill in questionnaires when the true purpose behind persuading them to do so is to collect their personal data for direct marketing.
The data subject must be informed of the purposes and classes of transferees
DPP1(3) requires a data user to take all reasonably practicable steps to inform the data subject, at the time of or before the collection of the data, of the purposes for which the data may be used, whether it is voluntary or obligatory to provide the data (and, if obligatory, the consequences of not providing the data), and the classes of persons to whom the data may be transferred. It is prudent to provide this information by way of a written notice, which is often called a "Personal Information Collection Statement" (PICS).
To ensure that the PICS is validly communicated to data subjects, it should be written in language that is easy to understand, presented in a conspicuous manner and printed in a font size that is easy to read with normal eyesight.
Obtaining consent or 'no objection' on application forms
It would be unfair if service application forms were designed in such a way as to force customers to choose between providing their personal data for direct marketing or giving up the service ("bundled consent" situations). The application forms should allow data subjects to indicate separately whether they agree to provide personal data for direct marketing on a voluntary basis.
Use of personal data in direct marketing by data user itself
When to inform the data subject
The data user should inform the data subjects as early as possible of its intention to use their personal data for direct marketing. Where possible, this should be done when (or before) the personal data from the data subject is collected.
What to inform the data subject of
The data user must inform data subjects:
- That the data user intends to use their personal data for direct marketing.
- That the data user cannot use personal data for direct marketing without the data subject's consent or 'no objection'.
- The kinds of personal data to be used.
- The kinds of products and services to be marketed.
Furthermore, a response channel must be provided free of charge to enable data subjects to communicate their consent or to register 'no objection'.
It is acceptable to obtain the data subject's 'no objection' (opt-out).
Example: The data user can inform the data subject in a service application form that "we intend to use your name, telephone number and address for direct marketing of credit card and insurance products and services but we cannot so use your personal data without your consent or 'no objection'. Please tick the box at the end of this form before your signature if you DO NOT wish us to use your data in direct marketing."
How to inform the data subject
The information must be presented in a manner that is easily understandable and, if in written form, easily readable.
Example: Do not use vague and loose terms like "marketing goods and/or services by us, our agent, our subsidiaries, or our partners" or bury the information in small print which is difficult to read with normal eyesight.
Not using personal data in direct marketing without the data subject's consent or 'no objection'
This requirement applies regardless of whether or not the data was collected directly from the data subject. Where consent or 'no objection' is provided orally, it should be confirmed in writing within 14 days. Please note, however, that consent or 'no objection' for a data user to provide data to another person for that person to use in direct marketing must be obtained IN WRITING.
Using personal data in direct marketing for the first time
When using personal data in direct marketing for the first time, the data user must notify the data subject of their right to request the data user to cease using their personal data for direct marketing free of charge.
Example: When sending marketing information to a data subject for the first time, the data user should highlight this opt-out right and provide a link for the data subject to make the request. (In practice, data users often include the opt-out language in all marketing pamphlets to dispense with the need to record the first time of use with respect to each data subject. In any case, a data subject has the right to opt out from direct marketing at any time notwithstanding any previous choice to give consent.)
How to comply with opt-out rights
A data subject may at any time request the data user to stop using their personal data in direct marketing. To comply with this requirement effectively, the data user should maintain an updated list of all customers who have opted out and stop using their data in direct marketing.
Providing personal data to others for use in direct marketing
Informing the data subject
The data user must inform the data subject in writing of its intention to provide their personal data to another person to use in direct marketing, and must obtain their written consent or 'no objection'. Verbal consent or 'no objection' is not sufficient for this purpose.
What must the notice include
The written notice must specify:
- That the data user intends to provide the personal data to another person for use in direct marketing.
- That the data user cannot do so without the data subject's written consent or 'no objection'.
- Whether the personal data is to be provided "for gain", i.e., in exchange for money (or for other property, if that is the case).
- The kinds of personal data to be provided.
- The classes of persons to which the data may be provided.
- The kinds of products and services to be marketed.
- That the data user must provide a response channel free of charge to enable the data subject to communicate written consent or 'no objection'.
The data user must explicitly inform the data subject if their personal data is to be provided to another person "for gain". "For gain" means providing personal data in exchange for money or other property.
Example: If the data user were to obtain a commission for providing the personal data to another person (irrespective of whether payment of the commission is contingent on any condition), this would be considered to be providing data "for gain".
Transfer to partners/associates
The requirements apply even if the personal data is transferred to a subsidiary or associated company. When transferring personal data to a partner company for cross marketing, the data user should ensure that it has obtained the data subject's consent or 'no objection' before transferring any personal data.
These requirements do not apply if personal data is provided by a data user to its agent for marketing on behalf of the data user.
In complying with the requirements of Part VIA, businesses should be open and transparent about the use or provision of data to others to use in direct marketing. They should clearly inform the data subjects of the matters prescribed in Part VIA (including the fact that data is provided to others for gain, if that is the case) to enable the data subjects to make an informed decision. They should also provide a free-of-charge response channel and obtain the data subjects' consent or 'no objection' before using or providing their data to others for use in direct marketing.
For information about the amendments to the PDPO, please refer to our previous Legal Update, entitled Personal Data (Privacy) (Amendment) 2012.
Originally published 19 February 2013