Do I need written consent to share my customer list with a marketing partner?

Do I need written consent to share my customer list with a marketing partner?

Yes. A data user should not provide personal data to another person for use by that person in direct marketing unless the data subject’s written consent is obtained. This requirement applies to all transfers of personal data, including those to a parent company, subsidiary, or associated company.

‍

Under the Personal Data (Privacy) Ordinance (Cap. 486), a data user who intends to provide the data subject’s personal data to another person is required to provide the data subject with the prescribed information in writing and obtain his/her written consent. Verbal consent

is not sufficient. In addition, if the personal data is transferred for gain (i.e., in return for money or other property), data subjects must also be explicitly informed in writing about this.

Not sure whether your email marketing campaign complies with data privacy laws? Take a look at our Guide to Email Advertising Management!

What to Include in the Written Notice?

1. The data user intends to provide the personal data of the data subject to another person for use by that person in direct marketing
2. The data user may not so provide the data unless it has received the data subject’s written consent to the intended provision
3. The provision of the data is for gain (if applicable)
4. The kinds of personal data to be provided (e.g., name, email, phone number)
5. The classes of persons to whom the data are to be provided
6. The classes of marketing subjects (e.g., beauty products) in relation to which the data is to be used
7. The response channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended provision in writing.

‍

Example

A customer applied for an account with a bank and consented to the bank’s use of his/her personal data for marketing its banking products. If an insurance company which belongs to the same holding company wants to use the customer’s personal data for direct marketing, a new consent has to be obtained.

‍

Summary

Always get explicit written consent before sharing personal data for direct marketing. Non-compliance can result in fines of up to HKD 1 million and imprisonment for up to five years. 

Need help navigating this issue? Check out Ask.Legal — our AI-powered legal assistant is ready to help 24/7.

‍