The Privacy Commissioner for Personal Data issued the latest guidance note on the new direct marketing rules (“Guidance Note”) under the Personal Data (Privacy) (Amendment) Ordinance (“Amendment Ordinance”), which will come into effect on 1 April 2013. Michelle Chan, Tim Mak and Clarice Yue offer practical guidance on compliance under the new regime.
New direct marketing rules
As discussed in our previous publication, the Amendment Ordinance makes key changes to the direct marketing regime. In particular, the new direct marketing rules require data users to obtain the consent of data subjects and provide specific information to data subjects prior to the use of personal data in direct marketing. The Guidance Note replaces the previous guidance issued in November 2012 and sets out practical guidance on the collection of personal data for direct marketing, the use of personal data for direct marketing, and the provision of personal data to third parties for use in direct marketing.
The Guidance Note provides practical guidance and examples on compliance under the new direct marketing regime. They are summarised below:
Examples of direct marketing
- A marketing SMS sent to the mobile number of a named individual is direct marketing.
- Direct mail sent to an address or the “occupant” of an address, or a marketing call to the unidentified owner of a particular number, is not direct marketing.
- Marketing goods for a company’s exclusive use by using personal data collected from company officials in their official capacity is not regarded as direct marketing.
What is valid consent?
- Ticking the box “I do not object to the use of my personal data for direct marketing of XXX” in an application form is a valid consent.
- The absence of response from the customers to an objection slip attached to a written notification of the use or provision of their personal data for use in direct marketing is regarded as an invalid consent.
- Consent for the use and/or provision of personal data to others should be separated from the acceptance of the terms and conditions of provision of the data user’s services (eg, providing a separate signature or tick box to indicate agreement or no objection to the prescribed use of personal data).
Excessive collection of personal data
- If a range of personal data is collected for multiple purposes, data users should inform the customers of their specific purposes of use of each type of personal data.
- For instance, a bank should inform the customer that the “education level” and “marital status” requested for the opening of a savings account are intended only for business promotion and are to be provided on an entirely voluntary basis.
Drafting tips for Personal Information Collection Statement (“PICS”)
- PICS should serve as evidence that the requisite information has been communicated to the data subjects effectively; accordingly, vague and loose terms should not be adopted.
- For instance, in defining the purpose of use of personal information and the class of transferees, “such purposes as the Company may from time to time prescribe”, or “all business partners or such other agents as the company may from time to time appoint” should be avoided.
- PICS should be presented in a stand-alone section and its contents should be separate from the terms and conditions of the service agreement.
In addition, the Guidance Note provides clarification on areas which were previously considered to be unclear, including:
Consent: Silence does not constitute consent of data subjects for the use of personal data for direct marketing. In other words, for consent to be validly given, the data subject must explicitly indicate a non-objection to the use or provision of personal data.
The grandfathering arrangement:
- Under the grandfathering arrangement, the new direct marketing rules would not apply to pre-existing data held by a data user before the commencement date of the new regime. However, the grandfathering arrangement would not apply to the use of pre-existing personal data in relation to direct marketing to different classes of marketing subjects, and applies only to the use of personal data by the data user for its own direct marketing.
- The grandfathering arrangement applies to updates of personal data held by a data user before the commencement date of the new regime.
Transfer of personal data to third parties:
- The restrictions on third-party transfer would be applicable to a transfer by a data user to its parent company and its subsidiary or associated companies for use in direct marketing.
- The restrictions would not be applicable if personal data provided to another person in the event of a merger or business amalgamation involving a sale of business or shares is not for use in direct marketing (unless the provision to a third party for use in direct marketing is disguised under a merger or acquisition).
On the whole, the Guidance Note is a useful guide to help data users review existing direct marketing procedures and documentation, and revise and update policies to take account of the new provisions. The level of detail and breadth of examples provided in the Guidance Note illustrate well the issues that data users must account for in setting up relevant procedures to ensure compliance with the new provisions under the Amendment Ordinance.