Hong Kong Cookies Regulation


Partner Pádraig Walsh provides the following overview on Hong Kong Cookies Regulation as part of a coordinated international review published in PIN CODE.

Citation: Gary CYWIE, Charles MORGAN, Fabrice PERBOST, Alexander BRANDT, Padraig WALSH, Jun YANG and Eduardo USTARAN, ‘Cookies Regulations: An International Outlook’, Revue internationale de la propriété intellectuelle et du droit du numérique, 13 (Luxembourg, Legitech, 2023), 1-11.

The primary legislation in Hong Kong that regulates cookies is the Personal Data (Privacy) Ordinance (“PDPO”, Cap. 486). In addition, the Privacy Commissioner for Personal Data (“PCPD”) has issued guidance notes that give the public practical guidance on personal data protection and the use of cookies. PCPD guidance notes are not legally binding, but they set out recommended practices that practitioners should follow.

1) Personal data in Hong Kong

The PDPO regulates how data users collect, process and use personal data.

A “data user”, in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data. It is the term under Hong Kong law that most closely approximates to data controllers. The PDPO defines “personal data” as any data that:

  1. relates directly or indirectly to a living individual;
  2. from which it is practicable to ascertain the identity of the individual; and
  3. is in a form in which access to or processing of the data is practicable.

Not all cookies are considered to process personal data. If a cookie contains data that can uniquely identify a person, the cookie will be considered personal data. An example would be information containing a name or telephone number. However, if the cookie does not uniquely identify a person, it may not be considered personal data and may fall outside the scope of protection under the PDPO. For example, an IP address was held not to be personal data as it was information about an inanimate computer, not an individual. The username “huoyan_1989” for a free email service provider was also not considered personal data as it was insufficient to ascertain the user’s identity. These are interesting points of contrast to the position in the European Economic Area under the General Data Protection Regulation, where a different definition of personal data is used and email addresses and IP addresses would likely be considered personal data.

2) Are consent statements required?

Hong Kong follows a practice of informed but implied consent upon collection of personal data, except if direct marketing is intended. This practice must be followed for cookies processing personal data.

On or before collection of the personal data of a data subject, a data user must inform the data subject of:

  1. the personal data that will be collected;
  2. the purposes for which the personal data will be used;
  3. the classes of transferees to which the personal data may be transferred or shared;
  4. whether it is obligatory or voluntary for the data subject to supply his personal data;
  5. whether the personal data will be used for direct marketing; and
  6. his right to access and correct his personal data and the contact details to do so.

These obligations are met by providing the data subject with a personal information collection statement on or before collection of the personal data. Once this requirement is fulfilled, the express or written consent of the data subject is only required if the data user changes the purposes for which the personal data may be used (including the classes of transferees). The position is different if cookies contain personal data and their use will be for direct marketing purposes. In this situation, the express, voluntary, specific and separate consent of the data subject must be obtained on or before collection of the personal data by the relevant cookie.

3) What should data users do?

The PCPD has issued guidance notes that apply to cookies and provide information, recommendations and practices that data users should adopt. These recommendations include:

  1. website owners should explicitly state what kind of information is stored in the cookies, regardless of whether personal data is involved.
  2. pre-set a reasonable expiry date for cookies.
  3. encrypt the contents of cookies whenever appropriate.
  4. do not deploy techniques such as super cookies that ignore browser settings on cookies unless the website owner can offer an option to disable or reject the use of such cookies.
  5. inform website users about the purpose of collecting the information and obtain express and voluntary consent for any change to the purpose of use.
  6. take steps to protect the collected information from unauthorised access, disclosure or loss.
  7. if third-party cookies are deployed, the website owner should also clearly state the type of information collected and to whom such information may be transferred.
  8. if the acceptance of the use of cookies is mandatory, then this requirement should be clearly stated on the website.
  9. if acceptance of the use of cookies is voluntary, the website should provide users with an option to accept or decline the use of cookies, together with clear information on the consequences if users decline (for example, loss of certain functionality).

Pádraig Walsh, Tara Chan, and Julian Chan

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh
Partner | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.