A. Use of personal data for the data user’s own direct marketing purposes
With reference to section 35C of the amended Ordinance, before using personal data in direct marketing, data users must follow the specific steps listed below:
1. Data users must inform the data subjects of their intention to use the data subjects’ personal data for direct marketing, and they may not so use the data unless they have the data subjects’ consent.
2. Data users must provide the data subjects with information on the intended use of the data, including the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used.
3. Data users must provide the data subjects with a free-of-charge channel through which the data subjects may communicate their consent to the intended use.
4. In order to help data subjects make an informed choice, the information provided by data users must be presented in a manner that is easily understandable and, if in written form, easily readable.
In addition, according to section 35F, if data users are using the data in direct marketing for the first time, they must notify the data subjects of their opt-out right, and the data users must, without charge to the data subjects, stop using the data in direct marketing if the data subjects opt out.
Data users can use the personal data in direct marketing only after they have received the data subjects’ consent to the intended use of the personal data. Consent, in this context, includes an indication of no objection to the use or provision of the personal data (section 35A(1)). If the data subjects give their consent orally, the data users must, within 14 days from receiving the consent, confirm in writing to the data subjects the permitted kind of personal data and the permitted class of marketing subjects (section 35E).
Data users must comply with the data subjects’ request at any time to stop using the data subjects’ personal data in direct marketing without charge to the data subject (section 35G).
Data users who contravene any of the requirements in the sections mentioned above commit an offence. For each offence, the data user is liable on conviction to a maximum fine of $500,000 and to a maximum imprisonment of three years.
In contrast to this new regime, which is an “opt-in” regime, the old regime offered data subjects only a limited “opt-out” option: i.e., when data users used data subjects’ personal data in direct marketing for the first time, the users had to inform the subjects that they could request the data user to cease using their personal data for direct marketing purposes. If data subjects made such a request, the data users had to stop using the data; if the data subjects made no such request, their personal data could be used without any further notice. It should be noted that the old regime still applies to personal data that was used in direct marketing before the new amendment took effect, pursuant to section 35D of the amended Ordinance (also called a “Grandfather arrangement”: i.e., an old rule continues to apply to certain existing cases, while a new rule applies to all future cases). In other words, if before 1 April 2013 a data user used the personal data in direct marketing in compliance with the existing requirements of the Ordinance, that data user could continue to do so on or after 1 April 2013, in relation to the same class of marketing subjects, without being subject to the obligations imposed under the new regime.