All Blog Posts

Hong Kong PDPO

In this blogpost, we will break down Hong Kong’s PDPO so you know what it means for your website’s use of cookies – and how you can become compliant.

Published October 1, 2021.

Hong Kong’s Personal Data Privacy Ordinance was enacted in 1996 and amended in 2012. As is the case with many other data privacy laws, it prescribes measures for how to handle individuals’ personal data safely, thus protecting their privacy rights.

Hong Kong’s PDPO considers consent a keystone in its legislation. It requires you to receive a prescribed consent from your users before using the collected personal data for another purpose than the one it was originally collected for. This, among other things, is why Cookiebot CMP is the optimal solution if you are looking for help to ensure that your website is not in violation of the PDPO Hong Kong.

PDPO Hong Kong, quick Summary

Hong Kong’s Personal Data Privacy Ordinance, condensed

Hong Kong’s Personal Data Privacy Ordinance was enacted in 1996 as one of the first data privacy laws of its kind and was amended in 2012 with talks of a new amendment on the horizon. The purpose of Hong Kong’s PDPO is to protect the privacy rights of the data subjects, which are the individuals who are the subject of the personal data. This is similar to many other data privacy laws around the world.

The PDPO Hong Kong applies to data users, which are people who, either alone or jointly, control the collection, holding, processing or use of data, and its scope differs between personal, territorial and material scope. The personal scope applies to the collection, processing, holding and use of personal data by data users, for example a website owner using the data for measurement and conversion tracking, while the territorial scope applies when collecting and processing the personal information, as long as it is being handled by a data user within Hong Kong. Lastly, the material scope applies to any information considered to be personal.

Regarding consent, PDPO Hong Kong requires prescribed consent, which is an express consent of the data subject given voluntarily, if you are using the collected personal data for another purpose than the one it was originally collected for. Additionally, the PDPO requires prior consent from the data subjects if their data is employed by data users for marketing purposes.

The penalties for breaching the PDPO differ. Failure to comply with the PDPO Hong Kong by a data user could lead to fines of up to HKD 100,000 (approx. € 10,600) or imprisonment for two years. The penalties can be more severe if data users use data subject’s personal data in direct marketing and/or share it with third parties for the same purpose without their consent. This is punishable by a fine of up to HKD 1 million (approx. € 106,000) or imprisonment for five years.

Illustration of Hong Kong Aqua Luna boat on a phone - Cookiebot
Hong Kong’s PDPO aims to protect the privacy rights of the data subjects.

PDPO Hong Kong – quick breakdown

  • PDPO Hong Kong went into effect in 1996 as one of the first data privacy regulations in the world.
  • In 2012, the PDPO Hong Kong was amended to incorporate strict regulation when obtaining consent to use personal data in direct marketing with severe penalties for infringement.
  • PDPO Hong Kong has, not unlike many other data privacy laws, the purpose of protecting the privacy rights of the data subjects.
  • PDPO Hong Kong applies to data users and the scope differs between personal, territorial and material scope.
  • PDPO Hong Kong does not impose direct regulations on data processors, who are therefore not within the range of the PDPO
  • PDPO Hong Kong requires prescribed consent if you are using the collected personal data for another purpose than the one it was originally collected for.
  • PDPO Hong Kong also requires prior consent from the data subjects if you use their personal data for marketing purposes.
  • Non-compliance with PDPO Hong Kong does not constitute a criminal offence, but the Privacy Commissioner for Personal Data (PCPD) can start an investigation resulting in an enforcement notice upon the data user. Failure to comply could lead to fines of up to HKD 100,000 (approx. € 10,600) or imprisonment for two years.
  • However, if the data users use data subjects’ personal data in direct marketing without their consent it is punishable by a fine of HDK 500,000 (approx. € 53,000) and imprisonment for three years while sharing personal data with third parties for direct marketing could lead to a fine of HKD 1 million (approx. € 106,000) and imprisonment for five years.

Scan your website to discover what cookies and trackers are in use on your website

Try Cookiebot consent management platform (CMP) for free

PDPO Hong Kong compliance with Cookiebot CMP

Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.

This guarantees you that your website complies with all the main data privacy laws around the world, including Hong Kong’s PDPO, EU’s GDPR, UK’s GDPR, California’s CCPA, Thailand’s PDPA, Brazil’s LGPD and South Korea’s PIPA.

Hong Kong’s PDPO, like many other data privacy laws, requires consent from the users in Hong Kong, before you can use cookies and trackers as a part of your website.

Our unrivaled website scanner detects all cookies and trackers while delivering an exhaustive report on all personal data processing on your website.

For that reason, among others, Cookiebot CMP is an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.

Illustration of the flag of Hong Kong with USB symbols in the petals - Cookiebot
Implement Cookiebot CMP to comply with Hong Kong’s PDPO

What is Cookiebot CMP?

Simply put, Cookiebot CMP is a plug-and-play consent management solution that automatically keeps your website cookies and tracking compliant with the PDPO in Hong Kong.

Cookiebot CMP provides you with a detailed monthly scan report of your website, including all necessary details about the cookies and trackers on your domain, such as their purpose, their provider, their duration and what third parties they share the end-users’ data with.

Finally, Cookiebot CMP helps you to safely store all end-users’ consents, and to renew them on a regular basis.

Cookieboot Pop Up Banner - Cookiebot
Consent banner by Cookiebot CMP for PDPO compliance

Cookiebot CMP works to make end-user privacy protection an integrated part of each website and, by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP enables compliance with Hong Kong’s PDPO and many other data privacy regulations around the world.

Scan your website to discover what cookies and trackers are in use on your website

Try Cookiebot CMP for compliance with Hong Kong’s PDPO

PDPO – Hong Kong’s Personal Data Privacy Ordinance, in detail

With the quick overview of Hong Kong’s PDPO fresh in mind, the blogpost will now take a closer look at the key characteristics of Hong Kong’s data privacy law. This will help you better understand what it means for you and your website.

PDPO Hong Kong – key definitions

Hong Kong’s PDPO uses certain key definitions. This section will explain the ones who simplify the legislation.

Data controllers are not directly defined in the PDPO, because it uses the term ‘data user’, but it is the same as a data controller, which is the term most commonly used in the data privacy world. A data user is ‘a person who, either alone or jointly or in common with persons, controls the collection, holding, processing or use of data’.

For a person to be a data user they must control the process of handling the data received from clients.

Data processors are defined as persons who process personal data on behalf of another person and do not process the data for any of the person’s own purposes. In other words, they do not gain anything from having the data, but simply process it for another party.

Personal data means data relating either directly or indirectly to a living person that can identify the individual, again either directly or indirectly. Additionally, it needs to be in a form in which access to or processing of the data is practicable.

Consent is often considered a keystone in data privacy laws, and it is no different with the PDPO Hong Kong. If data users have the intention of using the collected personal data for another purpose than the one it is originally collected for, they need a ‘prescribed consent’ of the data subject.

In PDPO Hong Kong, a ‘prescribed consent’ is an express consent of the data subject given voluntarily. The PDPO does not require it to be in writing, but it would be advisable. For data subjects under the age of 18, a person with parental responsibility can give the ‘prescribed consent’ on their behalf.

Regarding marketing, data users must obtain the consent of the data subjects prior to using their personal data for direct marketing purposes. This consent should be in writing but, if it is given orally, the data user needs to send a written confirmation within two weeks to confirm the consent.

Cookiebot CMP helps you to safely store all end-user consents, making it the optimal solution if you have customers in Hong Kong. By offering a comprehensive overview of all tracking on your website, Cookiebot CMP enables compliance with the PDPO.

Illustration of Buddah with a laptop - Cookiebot
Hong Kong’s PDPO has territorial, but not extra-territorial scope

Scope of application of the PDPO Hong Kong

The application of the PDPO Hong Kong can roughly be divided into three different scopes which combined constitute the full scope of application of the PDPO Hong Kong. They are:

  1. Personal scope
  2. Material scope
  3. Territorial scope

Firstly, the personal scope applies to the collection, processing, holding and/or use of personal data by data users. Data users are, in other words, responsible for managing any information that can be accessed and processed and relates directly or indirectly to a living person from which it is possible to identity the individual.

Secondly, the territorial scope applies when collecting and processing personal data irrespective of where in the world such actions occurred. It is important to notice that, for the application to be in effect, the personal data needs to be controlled by a data user in Hong Kong. This means that the PDPO Hong Kong has territorial scope, but not extra-territorial scope, unlike Thailand’s PDPA and EU’s GDPR, just to name a few.

Thirdly, the PDPO has material scope. Basically, any information that is considered to be ‘personal’ is protected under the PDPO, meaning that data users who control, hold, process or use personal data will be subject to the requirements set by the PDPO.

Interestingly, the case is different with data processors, who are not directly regulated and thus do not fall within the range of the PDPO. This is the case since they process the data on behalf of the data user who is the responsible one.

The PCPD’s responsibilities

The privacy commissioner for personal data (PCPD) of Hong Kong is an independent statutory body established with the purpose of overseeing the enforcement of the PDPO Hong Kong.

According to the official website, its main responsibilities include securing the protection of privacy of individuals with respect to personal data through the promotion, monitoring and supervision of compliance with the PDPO.

The PCPD has the power to investigate relevant data users when it receives a complaint or sees suspicious behavior that could violate the PDPO.

The PCPD also has the power to inspect any personal information used by a data user. This would help the PCPD give recommendations for compliance with the PDPO. In both of these cases it is important to note that the PCPD needs to notify the data user beforehand.

If the investigations show signs of violating behavior, the PCPD has the power to serve an enforcement notice and, if the data user does not comply with the enforcement notice, this could ultimately constitute a criminal offence.

Illustration of a bullet train - Cookiebot
The PCPD has many important responsibilities

Rights of the data subjects

The data subjects have certain rights under Hong Kong’s PDPO. A lot of these rights resemble the ones known from the EU’s GDPR (https://www.cookiebot.com/en/gdpr/).

  1. Right to be informed – Data users must take all feasible steps to guarantee that data subjects are explicitly or implicitly informed, on or before the collection of their data. This includes the purpose of collection, the right to request access to the personal data and information about the individual who will handle such requests.
  2. Right to access – Data subjects are authorized to lodge a formal data access request with the purpose of being informed about the extent of personal information held by the data user and to receive a copy of any such data.
  3. Right to rectification – if the data subjects discover any inaccuracies in their personal data, they may make a request to have their data corrected.

Sanctions

Non-compliance with Hong Kong’s PDPO does not constitute a criminal offence, but the PCPD can start an investigation resulting in an enforcement notice upon the data user.

If the data user is unable or unwilling to comply with such a notice, the offence can result in a fine or imprisonment. If it’s the first conviction it could potentially be a maximum fine of HKD 50,000 (approx. € 5,300) or imprisonment for two years. For subsequent convictions the fine could be of up to HKD 100,000 (approx. € 10,600).

Illustration of USB cable plugged into a laptop with a cable car on the wire - Cookiebot
Infringement of Hong Kong’s PDPO can lead to big fines and even imprisonment

However, if a data user uses data subjects’ personal data in direct marketing without their consent, this action is punishable by a fine of HKD 500,000 (approx. € 53,000) and imprisonment for three years. Additionally, data users providing personal data to third parties for the purpose of direct marketing will be liable to a fine of HKD 1 million (approx. € 106,000) and imprisonment for five years.

Scan your website to discover what cookies and trackers are in use on your website

Try Cookiebot CMP for PDPO compliance in Hong Kong

Summary of PDPO, Hong Kong’s Personal Data Privacy Ordinance

Hong Kong’s Personal Data Privacy Ordinance (PDPO) is one of the many data privacy laws around the world with the purpose of protecting an individual’s privacy rights and interests. It was approved and enacted in 1996 and amended in 2012.

It applies to data users and is divided into three different scopes: personal, material and territorial. Prescribed consent is a keystone in the PDPO and is needed if the collected personal data is used for other purposes than the one it was originally collected for.

If the data is used for marketing purposes, it requires consent prior to collecting. Cookiebot CMP enables compliance with most of the world’s major data privacy laws, including Hong Kong’s PDPO to make sure that your website is not in violation of the PDPO Hong Kong.

Try Cookiebot CMP for PDPO compliance

FAQ

What is Hong Kong’s PDPO?

Hong Kong’s Personal Data Privacy Ordinance (PDPO) is one of the many data privacy laws around the world. Its purpose is to protect an individual’s privacy rights and interests, by making sure that companies or organizations do not abuse the data subject’s personal data. It was approved and enacted in 1996 and amended in 2012.

Learn more about Hong Kong’s PDPO

How can my website be in compliance with Hong Kong’s PDPO?

To comply with Hong Kong’s PDPO on your website, you are required to get prescribed consent if you are using the collected personal data for another purpose than the one it was originally collected for. You also need to have prior consent from the data subjects if you use their personal data for marketing purposes.

Though not specifically stated, it is also important to give your users the option of accessing their personal data whenever they wish to.

Try our free website scanner for compliance with Hong Kong’s PDPO

Who does Hong Kong’s PDPO apply to?

Hong Kong’s PDPO is applicable to a data user, such as a website owner. It is divided into three different scopes: personal, material and territorial. All three types of scope have separate applications but, combined, they constitute the full scope of application of the PDPO Hong Kong.

Try our free website scanner to see if Hong Kong’s PDPO applies to you.

What is the penalty for breaching Hong Kong’s PDPO?

Non-compliance with Hong Kong’s PDPO does not constitute a criminal offence, but the PCPD can start an investigation resulting in an enforcement notice upon the data user. Failure to comply could lead to fines of up to HKD 100.000 (approx. € 10,600) or imprisonment for two years.

If the data users use data subjects’ personal data in direct marketing without their consent it is punishable by a fine of HDK 500,000 and imprisonment for three years while sharing personal data with third parties for direct marketing could lead to a fine of HKD 1 million (approx. € 106,000) and imprisonment for five years.

Don’t want to breach the PDPO? Try our free website scanner

How can I scan my website for cookies and trackers?

By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.

Try the Cookiebot CMP website scanner for free

Resources

See the full Hong Kong Personal Data Privacy Ordinance

Learn more about the PCPD and its responsibilities

Get started with Cookiebot CMP and Google Consent Mode

Learn more about EU’s GDPR

Learn about the EU’s GDPR and consent

Learn more about Cookiebot CMP

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.