Businesses often create websites to expand their reach, which typically involves collecting and using customer personal data, such as email addresses, names, purchase records, and search inquiries. This triggers obligations under data privacy laws, particularly the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in Hong Kong, applicable to both private and public sectors. Non-compliance can lead to:
- Hefty fines and penalties
- Damage to business reputation and brand value
- Loss of customer trust, as consumers value their data
- Customer complaints following data breaches
This guide helps online business owners comply with PDPO requirements.
A. Data Protection and Privacy
1. Key Terms You Need to Know
Understanding PDPO terminology is essential:
- Personal Data: Data that:
- Relates directly or indirectly to a living individual
- Allows the individual’s identity to be ascertained
- Is in a form where access or processing is practicable
Examples include customer names, email addresses, sex, and age.
- Data Subject: The individual whose data is collected.
- Data User: A person or entity controlling the collection, holding, processing, or use of data, alone or jointly.
2. The Six Data Protection Principles
The PDPO outlines six data protection principles (DPPs) governing how personal data is handled:
- DPP 1 – Purpose and Manner of Collection: Data users must collect only necessary, adequate, and non-excessive data for the intended purpose, lawfully and fairly. Inform customers:
- Whether providing data is obligatory or voluntary
- The purpose of data use
- Who the data may be transferred to
- Their rights and process for accessing/correcting data
For online businesses collecting data via forms or emails, provide:
- A Personal Information Collection Statement on the website
- A Cookie Policy detailing stored information and third-party cookies
Clearly label mandatory and optional fields in forms.
- DPP 2 – Accuracy and Duration of Retention: Ensure data accuracy and delete it when no longer needed (unless exempt). Non-compliance is an offense, punishable by a fine up to HK$10,000.
- DPP 3 – Use of Data: Use data only for the original collection purpose unless the customer consents otherwise. For online businesses:
- Inform customers if data will be displayed publicly (e.g., on the website)
- Anonymize displayed data to protect identities
- Limit public data use with a statement prohibiting other purposes
- DPP 4 – Data Security: Take all practicable steps to protect data from unauthorized access, erasure, loss, or use. If using a data processor, enter a contract to prevent breaches. Online businesses should:
- Adopt a Privacy by Design approach
- Conduct regular risk assessments
- Implement confidentiality policies and staff training
- Use encryption and strong passwords
- Establish a data breach response plan
- DPP 5 – Openness and Transparency: Make data practices and policies easily accessible, detailing the types of data held and their purposes. Online businesses should provide an accessible privacy policy.
- DPP 6 – Access and Correction: Customers have the right to access and correct their data. Online businesses must:
- Outline the process for data access/correction requests
- Handle requests within 40 days
- State any charges for access (not excessive; correction requests are free)
The Office of the Privacy Commissioner for Personal Data provides guidelines:
B. Important Policies for Your Online Business Website to Ensure PDPO Compliance
1. Privacy Policy
- What is a Privacy Policy?
A webpage explaining how customer personal information is handled.
- What to Include in a Privacy Policy?
- Commitment to protecting customer privacy
- Types of data collected and their purposes
- Handling of minors’ data (avoid collecting data from those under 13 without parental consent)
- Use of cookies
- Measures for data accuracy
- Data retention period and deletion options
- Who accesses the data and restrictions on disclosure
- Use for direct marketing
- Security and confidentiality measures
- Process for data access/correction requests and charges
- Contact details of the data protection officer
Use our Privacy Policy template to create one tailored to your needs.
- Where to Display Your Privacy Policy?
Place a link in a prominent location, such as the website footer, alongside Terms of Use and Cookie Policy. Include a link (with an unchecked checkbox) in forms collecting personal data.
2. Cookie Policy
- What is a Cookie Policy?
Cookies track online behavior and may collect personal data, so they fall under the PDPO. If using cookies:
- Notify users when cookies are collected
- State the data stored and its purpose
- Clarify if accepting cookies is mandatory for website access
- What to Include in the Cookie Policy?
- Definition of cookies
- How cookies are used
- Types of cookies
- Cookie management
The Office of the Privacy Commissioner’s Online Behavioural Tracking guideline recommends:
- Setting reasonable cookie expiry dates
- Encrypting cookie contents when appropriate
- Avoiding techniques (e.g., Flash/zombie cookies) that ignore browser settings unless users can disable them
Use our Cookie Policy template to create one.
- Where to Display the Cookie Policy?
Include it within the privacy policy or as a separate, prominently published policy.
3. Personal Information Collection Statement
- What is a Personal Information Collection (PIC) Statement?
A statement provided before or during data collection online.
- What to Include in a PIC Statement?
- Purpose of data use
- Whether providing data is obligatory or voluntary
- Types of organizations receiving the data
- Use for direct marketing (if applicable)
- Rights to access/correct data
- Contact details of the data protection officer
C. Direct Marketing and the PDPO
Using customer data for direct marketing requires strict PDPO compliance. The Office of the Privacy Commissioner’s New Guidance on Direct Marketing provides practical advice.
1. What Steps Do You Need to Take Before Using Customers’ Personal Data for Direct Marketing?
Inform customers:
- You intend to use their data for direct marketing
- Consent is required
- Types of data and marketing subjects involved
- A response channel for consent
Present this information clearly to enable informed choices.
2. Is Consent Required for Direct Marketing?
Yes, customer consent is mandatory. Customers must indicate no objection to data use for direct marketing. Oral consent requires written confirmation within 14 days.
3. Right to Opt-Out
For first-time direct marketing, notify customers of their opt-out right (e.g., via an email link to the data user’s address). If a customer opts out, stop using their data for marketing at no charge. Maintain an updated opt-out list and check it before marketing campaigns. Non-compliance is an offense, subject to fines.
Learn more in What is Direct Marketing?.
4. Can Personal Data Be Transferred to Third Parties for Direct Marketing?
Before transferring data to third parties for direct marketing, provide written notice including:
- Intent to transfer data
- Requirement for written consent
- Whether the transfer is for gain
- Types of data
- Recipients
- Marketing subjects
- A response channel for consent
The notice, which can be part of the PIC statement, must be clear. Without consent, data cannot be transferred. Customers may later demand you stop transfers and notify third parties to cease use, at no charge.
Learn more in Can I Transfer My Customers’ Personal Data to Third Parties for Direct Marketing?.
5. Can Personal Data Be Used to Send Unsolicited Emails to Customers?
Per the New Guidance on Direct Marketing, unsolicited emails to unidentified recipients (e.g., generic email addresses or random numbers) are not direct marketing. Such emails must comply with the Unsolicited Electronic Messages Ordinance (Cap. 593).
Learn more in Marketing or Unsolicited Spam Mail?.
D. What is GDPR, and Does It Apply to Your Business?
The EU General Data Protection Regulation (GDPR) is a stringent EU privacy law granting individuals enhanced rights to know what data is collected, its purpose, and where it’s sent. If your business collects or processes data of EU residents, GDPR applies. Non-compliance can result in fines up to €20 million or 4% of annual global revenue, whichever is higher.
Ensure your privacy and cookie policies comply with GDPR if applicable. The Office of the Privacy Commissioner’s Update on GDPR provides guidance for Hong Kong businesses.
Please note that this is a general summary of the position under the Laws of Hong Kong SAR and does not constitute legal advice.