Can I use information from public registers or search engines to send promotional materials?
Yes, you can use public register data for marketing in Hong Kong, BUT only if you obtain the users’ consent. This applies even for personal data that is publicly available. Here’s what startups, SMEs, and marketers need to know about Hong Kong’s Personal Data (Privacy) Ordinance (PDPO).
- What Is Direct Marketing?
Direct marketing refers to promotional communications targeting specific individuals, including:
- Emails or SMS offering products/services
- Cold calls soliciting donations
- Mail addressed to a named person
Even if that person is not referred to by name, the promotion will be seen as direct marketing if it specifically selects and contacts a person using their personal data.
Under PDPO Section 35C, these activities are strictly regulated regardless of how you obtain the contact details — including from publicly available information.
- What Is Personal Data?
The PDPO defines personal data as any information that can identify a living individual, such as:
- Names with contact details (email/phone)
- Professional profiles from public registries
- Digital footprints that reveal identity when combined
Crucially, the data source (public/private) doesn’t affect its classification under Hong Kong law.
- Using Publicly Available Information: Is It Still Personal Data?
Under DPP3 of the PDPO:
The PDPO does not exclude publicly available data from its scope.
Under Data Protection Principle 3 (DPP3) in Schedule 1:
Personal data shall not, without the prescribed consent of the data subject, be used for a purpose other than the purpose for which the data was to be used at the time of collection, or a directly related purpose.
Public availability does not remove the requirement for prescribed consent if the data is used for a new purpose. There are statutory exemptions (e.g. prevention/detection of crime – s 58, news activities – s 61, statistics/research – s 62) but they must be applied case-by-case.
The PCPD has confirmed that even if data is openly accessible, it can still be “personal data” if it meets the definition. The critical factors are identifiability and purpose of use.
Application:
● Example: Taking names and phone numbers from a public website and using them for marketing without consent would likely breach DPP3.
● Example: Using public social media posts to compile a profile database for commercial purposes without consent would be regulated and potentially unlawful unless an exemption applied.
Conclusion:
Yes — publicly available information can still be “personal data” under the PDPO if it identifies a living individual and is in a practicable form. Public accessibility does not remove compliance obligations. Any new use requires prescribed consent or must fall under a statutory exemption.
- Penalties for Non-Compliance
Using someone’s personal data without following the PDPO provisions is a criminal offence. Violating PDPO rules can result in:
- Fines up to HKD 500,000
- For serious offences, imprisonment for up to 3 years
- Reputational damage, particularly harmful for SMEs
Learn how to use AI tools to mitigate risks in our guide to Hong Kong’s data breach regulations
- What Steps Must You Take Before Using Personal Data for Direct Marketing?
Per section 53C of the PDPO, here is the compliance checklist:
- Inform the individual: Disclose your intent to use their data for marketing
- Obtain explicit consent: Opt-in must be voluntary and documented
- First-use notice: Send a reminder before initial contact
- Provide opt-out: Include unsubscribe mechanisms in all communications, free of charge
Need help navigating this issue? Check out Ask.Legal (https://ask.legal/) — Free AI Legal Platform is ready to help 24/7.
Ask.Legal:A Free Legal Platform can be your AI Legal Assistant providing fast and cost effective legal analysis.
