Legal Update: Privacy considerations for online shopping platforms


In June 2023, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published a report (“Report”) on the privacy settings of ten common online shopping platforms in Hong Kong, including Baby Kingdom (“BKmall”), Carousell, eBay, Fortress, HKTVmall,, PlayStation App,, Samsung and Taobao (together, the “Reviewed Platforms”).

The PCPD compared privacy aspects of the Reviewed Platforms and made a series of recommendations. In summary:

1. Privacy policies

All Reviewed Platforms had published privacy policies. The Reviewed Platforms collected between 12 and 23 types of data. They commonly tracked users’ device and location information, and transaction and browsing history.

The privacy policies specified that the platforms transfer personal data to third parties, such as affiliates, related companies, business and advertising partners, and other external service providers.

PlayStation App, eBay and Carousell received a high readability rating for their privacy policies.


Online shopping platforms should provide a comprehensive privacy policy, with concise and understandable information to increase readability.  They should also notify users of activity tracking, the purpose of tracking and provide options for users to accept or deny such tracking.

Users should retain sufficient control of their personal data privacy, such as options to control preferences for messages received, tracking, deletion of transaction and search records, and shopping without registration.

Online shopping platforms should appoint a Data Protection Officer to ensure compliance with the Personal Data Privacy Ordinance and establish a Personal Data Privacy Management Programme to implement the PCPD’s recommendations.

2. Payment and Purchases

Most of the Reviewed Platforms allowed payment through third-party platforms. eBay,, BKmall and Samsung accepted purchases without account registration with their Platform.


Online shopping platforms should use secure payment methods and channels. Platforms should assess and ensure the reliability of third-party payment services in respect of privacy protection and information security.

Online shopping platforms should consider allowing users to shop as guests, and only collect necessary personal data to process transactions.

3. User registration

The Reviewed Platforms generally require users to provide their name, mobile phone number or email address for user registration. The majority of the Reviewed Platforms set an 18+ age restriction for user registration. However, some Reviewed Platforms like, Carousell, and Fortress have no suitable measures to inhibit registration by users under 18. In contrast, HKTVmall and eBay require users to confirm that they are over 18 during registration. Samsung and PlayStation App gather data from users in relation to their date of birth to confirm their age.

Taobao, BKmall and do not designate a minimum age restriction for registration.


Online shopping platforms should allow consumers to shop as guests without account registration, and gather only the data relevant to processing transactions. As younger children and teenagers may be able to register an account on certain platforms, the PCPD recommended that parents provide appropriate guidance to their children on privacy protection.

4. Advertising or promotional messages

Samsung, Carousell, Fortress and BKmall supply options during account registration, allowing users to select whether they accept promotional messages. For PlayStation App, HKTVmall, eBay and the default setting is “agreed”.

Taobao does not provide similar options but instead authorises users to activate and deactivate these personalised recommendations in their settings. does not have a mechanism to obtain user consent for advertising or promotional messages.


Users should be able to accept or deny the use of their personal data for direct marketing, advertising and promotional messages. The default option for direct marketing consent should not be “agreed”. In addition, all privacy-related options should be set to protect user privacy by default.

5. Account deletion

All Reviewed Platforms allow for account deletion. Furthermore,,, Carousell and eBay provide clear and coherent means for account deletion.


Users should be able to easily delete their accounts. This will minimize data retention for users who no longer use the relevant Platform.

The PCPD also published a leaflet titled Tips for Users of Online Shopping Platforms to help users increase their vigilance when shopping online and decrease the risks posed to consumers. The PCPD offered tips to users of online shopping platforms to:

  • supply the minimum amount of data required;
  • be aware of the direct marketing settings;
  • adjust privacy settings to eliminate unnecessary tracking or access to data;
  • only use reliable third-party payment channels;
  • read and understand the privacy policies;
  • delete unused accounts to protect personal data privacy;
  • verify the authenticity of the relevant Platform;
  • employ strong passwords;
  • avoid using public Wi-Fi in transactions;
  • avoid providing personal data arbitrarily;
  • report to the PCPD or the Hong Kong Police if there is a suspicion of fraud.

The report on “Privacy Protection in the Digital Age: A Comparison of the Privacy Settings of 10 Online Shopping Platforms” (Chinese version only) can be found here. The Leaflet on Tips for Users of Online Shopping Platforms of the Office of the PCPD (in Chinese) can be found here.

Pádraig Walsh and Christy Cheung


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 3 July 2023.