A bank improved its personal data update webpage by adopting a setting that respects privacy to ensure that the bank has obtained customers’ valid consent before using their personal data for direct marketing - Sections 35C and 35G of PDPO
The Complaint
The complainant was a customer of a bank. He updated his contact information through its online banking service. When he input his new contact information on the personal data update webpage, he was asked whether he “do not accept the use of customer’s personal data for direct marketing by the bank”. As the complainant had previously made a written opt-out request to the bank, he believed that he did not need to tick the box to confirm that he did not consent to the use of his personal data for direct marketing by the bank. As the complainant had not ticked the above-mentioned box, the bank considered that he had cancelled his previous opt-out request and regarded the complainant as a customer who consented to the use of his personal data for direct marketing. The bank later gave the complainant a direct marketing call. The complainant then complained to PCPD that the bank did not comply with his opt-out request.
Outcome
PCPD reiterated to the bank that the complainant did not consent to the use of his personal data for direct marketing by the bank, and the bank confirmed that no direct marketing message would be sent to the complainant anymore. Moreover, PCPD urged the bank to review its personal data update webpage to ensure that customers are given a clear and genuine choice to decide whether to accept the use of their personal data for direct marketing.
The bank agreed that the flow of handling customers’ opt-out requests should be fair and transparent to the customers. Hence, the bank has improved the personal data update webpage by changing the wording of the box from “do not accept the use of customer’s personal data for direct marketing by the bank” to “accept the use of customer’s personal data for direct marketing by the bank”. If customers do not tick the box of “accept the use of customer’s personal data for direct marketing by the bank”, the bank will not use their personal data for direct marketing.
Lesson learnt
Under the PDPO, a data subject’s “consent” to the use of his personal data for direct marketing by data users can include the data subject’s “indication of no objection”. However, to satisfy the definition of “indication of no objection”, the data subject must have expressly indicated that he did not object to the use of his personal data for direct marketing by data users. In other words, for a customer who has already made an opt-out request to the bank, even when the bank re-asked if he would accept direct marketing and he did not respond, the bank could not recklessly presume that he “consented” to the use of his personal data for direct marketing, or he wanted to cancel his previous opt-out request.
When collecting customers’ personal data or allowing them to make an opt-in or opt-out choice online or through applications, organisations should adopt the Privacy by Design approach to ensure that organisations will then collect and use customers’ personal data for direct marketing only when customers are clearly informed and their genuine consent is obtained. Thus, organisations not only win trust from customers, but also enhance their professional images in the industry, as well as the effectiveness of direct marketing.
(Uploaded in September 2020)