Case Notes

Personal data collection in shopping mall membership programmes and online promotion activities – DPP 1 – purpose and manner of collection of personal data

Background

In order to understand the collection of personal data by shopping mall operators in Hong Kong, and in response to the concerns about personal data collection during online promotion activities, PCPD visited 100 shopping malls and reviewed 300 webpages requesting personal data in exchange for benefits in 2018, and subsequently initiated compliance checks against 41 shopping malls that had membership programmes and 19 website operators that appeared to have excessive collection of personal data.

Shopping mall membership programmes

The results of the compliance checks on shopping malls revealed that 31 membership programmes (60% of a total of 522 membership programmes found in the site visits) adopted a “the more the merrier” approach when collecting personal data including contact information, sensitive personal data and information relating to personal and family status, contrary to the no excessive data collection principle under the Ordinance and the practice of collecting minimum information for the purpose of data collection.

The results also showed that:

1. Apart from collecting basic contact information (e.g. name, telephone number, address and email address), some shopping mall membership programmes also collected sensitive personal data (e.g. date of birth, age, Hong Kong Identity Card number) and personal data relating to personal and family status (e.g. monthly income, marital status, whether a car owner or not and vehicle registration mark);
2. Three membership programmes (6% of the 52 membership programmes) required collection of 18 personal data items;
3. 20 membership programmes (38% of the 52 membership programmes) required compulsory provision of unnecessary personal data; and
4. The design of eight membership programmes (15% of the 52 membership programmes) forced customers to agree that the relevant organisations could use their personal data for direct marketing purposes, leaving individual customers with no choice at all.

The said “bundled consent” design and practice obtained no meaningful and real consent, and practically constituted unfair collection of personal data. Such practice therefore should be discontinued, and the malls concerned had rectified the situation accordingly.

With regard to personal data collected by shopping mall membership programmes, in general, the Privacy Commissioner accepts the collection of contact information for the purposes of identification and communication. However, the collection of HKID Card number by membership programmes is generally considered excessive because HKID Card number is sensitive in nature, and improper processing of this data may cause unnecessary risks such as identity theft, etc. Meanwhile, collection of personal data relating to personal and family status is generally acceptable for the purposes of market analyses and provision of suitable offers, but members should be given a choice of not providing such information.

Concerning the personal data related to HKID Card number as well as personal and family information, the Privacy Commissioner was pleased to note that:

1. 45 membership programmes (87% of the 52 membership programmes) did not collect HKID Card number; and
2. 32 membership programmes (62% of the 52 membership programmes) either provided members with an option not to provide certain personal information (such as age, working district, occupation, etc.) and family status or did not request such information at all.

Online promotion activities

For online promotion activities, the results of the compliance checks revealed that:

1. Beauty, education institutions as well as health products and services industry used more online promotion activities than other industries did, accounting for 44%, 18% and 8% of the 300 webpages reviewed respectively; and
2. Given that the purpose was simply to attract customers for promotional offers, only 20 online promotion activities (6% of the 300 webpages) involved excessive collection of personal data, such as HKID Card number, date of birth, age and monthly income.

Remedial Measures

With the PCPD’s advice, the shopping malls and website operators in question had ceased to collect personal data that was considered excessive, destroyed all such data collected previously, and revised the application forms and Personal Information Collection Statement to comply with the data collection requirements under the Ordinance.

Lesson Learnt

With the development and increasing application of big data, and information and communications technology, the resulting network security risks have elevated to an unprecedented high level and will only become more serious over time. The more personal data collected, the greater the risk associated. The Privacy Commissioner advocates and facilitates the legitimate use of big data without compromising individuals’ privacy right, and highly recommends the practice of minimum collection of personal data.

Organisations should also embrace personal data protection as part of their corporate governance responsibilities and apply the programme as a business imperative throughout the organisation, starting from the boardroom. The Privacy Commissioner further recommends that organisations should incorporate data governance, stewardship and ethics – being respectful, beneficial and fair, as part of corporate governance and a long-term solution for personal data protection.

(Uploaded in July 2022)