First conviction in Hong Kong since the introduction of the new Direct Marketing Rules

By Michelle Chan, Clarice Yue


On 9 September 2015, just slightly over a month after the new Privacy Commissioner for Personal Data, Mr. Stephen Wong took office, Hong Kong Broadband Network ("HK Broadband") was convicted under section 35G of the Personal Data (Privacy) Ordinance ("PDPO") for not following a customer's request and using his personal data in direct marketing activities. This resulted in a fine of HK$30,000 imposed against HK Broadband, being the first company to be convicted since the relevant provision in the PDPO regarding the use of personal data in direct marketing was first introduced back in 2013.

The customer in this case notified HK Broadband via email and mail, informing them that he did not want his personal information to be used in direct marketing. Nonetheless, HK Broadband left a voice message telling him his telephone contract will expire soon and he should renew his contract with HK Broadband.

During trial, HK Broadband argued that the call was a reminder for the customer that the discount offer for renewing his contract will expire soon. However, this was rejected by the magistrate, as contacting the customer for more than six months in advance was not considered as a reminder, but a marketing activity.

The maximum penalty for breaching direct marketing related provisions is a fine of HK$500,000 and imprisonment for 3 years. Companies that engage in direct marketing should be aware of the potential risks and the respective penalties involved when dealing with client opt-out requests.

Here are some of our practical suggestions for companies which conduct direct marketing to consider so as to effectively deal with customers' opt-out requests.

Opt-out List

Companies should maintain a direct marketing "opt-out list" and should update the list regularly. Maintaining an opt-out list can prevent companies from contacting customers who have requested the companies to cease using or transferring their personal data for direct marketing purposes.

Companies should be aware that they may receive opt-out requests in various forms. Verbal requests made by customers in promotion calls are regarded as an opt-out request and should not be ignored.

Customer contacts for opt-out request

Companies may consider in setting up a separate contact to encourage customers to submit their opt-out requests through designated hotlines or mailboxes, which allows companies to collate requests received from customers more effectively.

Internal Procedure & Employee Training

Companies should implement standard internal procedures for employees to follow when processing opt-out requests in order to maintain an up-to-date opt-out list and prevent overseeing any received request.

Sufficient training should also be arranged for frontline staffs to raise their personal data protection awareness and knowledge in direct marketing related rules and regulations.