Yes. Consent would not be required for placing cookies and similar technologies on a device, subject to the below.
There is no specific cookie-related regulation in Hong Kong and therefore, the answer to this question will mainly be considered from data protection perspective. If a data user in Hong Kong places cookies/ other similar technologies on a device which will collect personal data of individuals, the Personal Data (Privacy) Ordinance (“PDPO”), the main data protection law in Hong Kong, will apply. The PDPO does not have extraterritorial effect and applies to a data user that controls the collection, holding, processing or use of personal data in Hong Kong. “Personal data” is defined under the PDPO to refer to data in which the identity of an individual can be directly or indirectly ascertained.
Even if personal data will be collected by the cookies/ similar technologies, consent is not required except in three specific scenarios, i.e., where personal data collected by cookies will be used: (i) for direct marketing; (ii) in relation to a matching procedure; or (iii) for a purpose that is different from, or not directly related to, the original purpose(s) of collection.
“Direct marketing” is defined to mean, among others, the offering, or advertising of the availability, of goods, facilities, or services through sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication. In general, advertising cookies are unlikely to be regarded as “direct marketing” as they are unlikely to satisfy the requirement addressing specific persons by name. However, if the data user knows the identity of the web user, for example, due to other information it holds, it would be prudent to obtain consent from the web user as best practice.
“Matching procedure” is defined to mean any procedure whereby personal data collected for 1 or more purposes in respect of 10 or more data subjects is compared (except by manual means) with personal data collected for any other purpose in respect of those data subjects where the end result of the comparison may be used for the purpose of taking adverse action against any of those data subjects. “Adverse action” is defined as any action that may adversely affect an individual’s rights, benefits, privileges, obligations or interests (including legitimate expectations).
Yes. While there are no specific cookie rules currently available in HK, PDPO requirements are followed and enforced in practice.
As stated under question 1 above, consent is generally not required except for a few specific scenarios.
Yes, except the limited circumstances where consent would be required (see response to question 1 above). For example, to the extent that the advertising cookies constitute direct marketing as defined under the PDPO, informed consent would be required.
Consent for the purposes of direct marketing is defined under the PDPO as including “an indication of no objection to the use or provision” of personal data. According to the guidance issued by the Privacy Commissioner for Personal Data (“PCPD”), not checking the tick box indicating objection to receive direct marketing materials would be sufficient to indicate valid consent, provided that the individual also signed the agreement to indicate that he/she has clearly read and understood the data user’s notification regarding collection, use and provision of personal data. However, consideration on whether consent is valid would also be subject to the way the information is presented (e.g. whether the tick box is conspicuous, etc.) The guidance issued by PCPO is not itself legally binding but serves as a reference point for compliance.
Please refer to question 4 for requirements of valid consent.
Yes. There is no requirement for a separate cookie notice. If cookies collect personal data, data users will usually describe the function of cookies in the “purposes of processing of personal information” section in the privacy policy or include a separate paragraph on cookies in privacy policy.
Yes.
Yes.
N/A.
As stated above, there are no cookie-specific regulations. We are not aware of any enforcement actions taken against breaches of the PDPO in respect of the use of cookies.
None that we are aware of.
No, we are not aware of any at the moment. While there have been proposed changes to the PDPO, it is unlikely that any proposed changes will have any direct impact on cookies practice.
