Personal Data and Direct Marketing: Key Takeaways from the Credit Base Conviction
Introduction
Credit Base (HK) Limited ("Credit Base"), a Hong Kong-based debt collection agency, was recently convicted of two direct marketing offences under the Personal Data (Privacy) Ordinance ("PDPO"). The West Kowloon Magistrates’ Court imposed fines totaling HKD 5,000 for these violations. The Privacy Commissioner for Personal Data ("PCPD") welcomed the court’s ruling.
Background
In November 2023, Credit Base sent a marketing letter to the complainant that included the complainant’s Chinese full name and residential address. After receiving the letter, the complainant contacted Credit Base and noted that his personal data was obtained from his District Court filings. Credit Base used this data to send an unsolicited letter to the complainant by post, promoting its debt collection services. Before using the complainant’s personal data, Credit Base did not notify him of such use and failed to obtain his consent for using his personal data for direct marketing. Credit Base also did not inform the complainant of his right to opt out. Later that month, the complainant lodged a complaint with the PCPD.
The PCPD considered that there were violations of direct marketing requirements set out in the PDPO, and referred the case to the Police for criminal investigation and prosecution.
Statutory Framework
Section 35C of the PDPO sets out strict requirements for data users who intend to use personal data for direct marketing purposes. Before using a data subject’s personal data in direct marketing, the data user must take several specified actions. These include informing the data subject of the intention to use their data and making it clear that such use is not permitted without the data subject’s consent. The data user must also provide details about the types of personal data to be used and the categories of goods or services to be marketed. Moreover, the data user is required to offer a free and accessible channel for the data subjects to communicate their consent. These requirements apply regardless of whether the personal data is collected from the data subject by the data user. All information provided must be clear and easily understandable. Failure to comply with these obligations constitutes a criminal offence, punishable by a fine of up to HKD 500,000 and imprisonment for up to three years.
Section 35F of the PDPO imposes a specific obligation on data users when they use a data subject’s personal data in direct marketing for the first time. The data user must inform the data subject that they have the right to require the data user, at no cost, to cease using their personal data for direct marketing purposes. This requirement applies regardless of whether the personal data is collected from the data subject by the data user. Failure to provide this notification constitutes a criminal offence, punishable by a fine of up to HKD 500,000 and imprisonment for up to three years.
Convictions
The West Kowloon Magistrates’ Court convicted Credit Base of two breaches under Sections 35C(1) and 35F(1) of the PDPO, to which the agency pleaded guilty. For these offences, the Court imposed a fine of HKD 2,500 for each charge, amounting to a total of HKD 5,000.
Takeaways
The conviction of Credit Base highlights the critical obligation for companies, as data users, to provide clear and comprehensive notifications and to obtain informed consent from data subjects before using their personal data for direct marketing activities. In addition, when first using the personal data for direct marketing, companies are required to inform data subjects of their right to opt out of such communications without charge. To ensure compliance, companies should carefully review their existing privacy documentation to confirm that all necessary notifications and consent mechanisms, such as opt-in boxes and clear explanations of opt-out rights, are properly incorporated and prominently presented. Failure to meet these statutory requirements not only exposes organizations to legal penalties and criminal liability, but also poses significant reputational risks that can undermine customer trust.
The case also highlights the need for companies to implement staff training programs to ensure that all personnel, especially those involved in marketing and customer service, fully understand the requirements and implications of data privacy laws. In particular, it is essential that employees recognize that the use of personal data obtained from public sources is still subject to the same legal protection and obligations under the PDPO. Companies should regularly review and update their data handling and marketing practices to ensure compliance, including establishing clear procedures for providing notifications, obtaining consent, and promptly responding to opt-out requests, to mitigate the risk of regulatory breaches.
The authors would like to thank Charmian Chan, Legal Practice Assistant at Mayer Brown Hong Kong LLP, for her assistance with this article.