Can I use my customers’ phone numbers or email addresses to send them promotions?
Popular articles
Can I use my customers’ phone numbers or email addresses to send them promotions?
Yes, but only if you follow the notification and consent requirements under the Personal Data (Privacy) Ordinance (Cap. 486). Failing to do so can lead to significant penalties, including fines up to HKD 1 million and imprisonment up to 5 years.
Not sure whether your email marketing campaign complies with data privacy laws? Take a look at our Guide to Email Advertising Management!
What are the rules for using personal data for direct marketing?
Sending promotional messages using your customers’ contact details is considered “direct marketing” under PDPO. To do this legally, you must:
- Provide your customers with certain prescribed information
- Obtain their consent before using their personal data for marketing purposes
What information must I provide to my customers?
When notifying your customers about direct marketing, you need to include:
- That you intend to use their personal data for direct marketing
- That you cannot use their data unless they give consent
- The kinds of personal data to be used (e.g., name, email, phone number)
- The classes of marketing subjects (e.g. beauty products) in relation to which the personal data is to be used
- The response channel through which the data subject may communicate the data subject’s consent to the intended use free of charge.
When should I provide this information?
The PCPD recommends informing your customers as soon as you plan to use their data for marketing, ideally at the time of data collection or before you send any promotional messages.
How do I obtain valid consent?
You must not use personal data for direct marketing unless the customer has given clear consent, which can be:
- An indication of no objection to the use or provision of the personal data (e.g., where the opt-out checkbox is left unchecked on the notification form)
- An oral or written indication of consent
If consent is given orally, you must send a written confirmation within 14 days, including:
- The date you received the consent
- The types of personal data permitted
- The permitted class of marketing subjects
How do I handle opt-out requests?
Customers have the right to stop receiving marketing messages at any time. You must:
- Cease using their personal data for direct marketing immediately upon request
- Accept opt-out requests in any manner (orally or in writing)
- Make it easy for customers to opt out, such as by including an opt-out link in emails or a hotline in SMS messages
Need help navigating this issue? Check out Ask.Legal — our AI-powered legal assistant is ready to help 24/7.
