B. Provision of personal data to third parties for use in direct marketing
In addition to the regulation on the use of personal data by data users for their own direct marketing purposes, the Ordinance contains more stringent regulations on providing personal data to third parties for use in direct marketing, including the sale of personal data.
When data users intend to provide personal data to third parties for use in direct marketing, the data users must follow a procedure similar to that outlined above in part A. Additionally, they must inform the data subjects of two other kinds of information in relation to the intended use (section 35J):
- whether the data is to be provided for gain; and
- the classes of persons to whom the data is to be provided.
The form of notification and response of the data subject must be in writing. Furthermore, the data users must not provide personal data to a third party unless the data users have received written consent from the data subject. (section 35K)
Data subjects may, at any time and irrespective of whether they have previously given consent to the provision of their personal data to a third party, require the data user—
- to stop providing the data subjects’ personal data to a third party for use by that party in direct marketing; and
- to notify any third party to whom the data has been so provided to stop using the data in direct marketing.
Accordingly, data users who receive these instructions must, without charge to the data subjects, comply with them. The notification made by the data users to the third party must be in writing. Any third party who receives such a notification from the data user must stop using the personal data in direct marketing in accordance with the notification. (section 35L)
Contraventions of the requirements in relation to the provision of personal data to third parties for use in direct marketing are offences. For contraventions involving the provision of personal data for gain (including the sale of personal data), the maximum penalty is a fine of $1,000,000 and imprisonment for five years. For other contraventions, the maximum penalty is a fine of $500,000 and imprisonment for three years.
Unlike the use of personal data for the data users’ own direct marketing purposes, the provision of personal data to third parties for use in direct marketing is not subject to a “Grandfather arrangement” (i.e. when an old rule continues to apply to certain existing cases, while a new rule applies to all future cases). In other words, any provision of personal data to third parties, whether it happened before or after 1 April 2013, must comply with the requirements of the Ordinance.
With regard to cold-calling (note), staff members of the data user are recommended to give an opt-out message along the following lines: "We are not allowed to use your personal data in direct marketing without your consent. If you do not wish to receive marketing calls from us, please tell me anytime and we will not call again." If the data user fails to inform a data subject of his opt-out right or other information required by sections 35C-35F as mentioned above, a data subject may lodge a complaint with the Office of the Privacy Commissioner for Personal Data. (Note: Cold-calling is the practice of making a marketing approach by telephone to a potential customer with whom the caller has had no previous dealings.)
The PCPD published a leaflet that introduces the ways for individuals to exercise their right of consent to opt-out of direct marketing activities under the Ordinance.