Media Statement - Hong Kong Shopping Mall Membership Programmes Compliance Checks

Date: 25 April 2019

60% Collected Excessive Personal Data Generally
62% Provided Options to Say “No” to Certain Personal Data Including Family Status 
“The Whampoa” Collected Least Personal Data
 
The Privacy Commissioner for Personal Data, Hong Kong (the Privacy Commissioner) Mr Stephen Kai-yi WONG today released a compliance checks report (the Report) about personal data collection in shopping malls and online promotion activities.

In order to understand the collection of personal data by shopping mall operators in Hong Kong, and in response to the public concerns on personal data collection during online promotion activities, the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) visited 100 shopping malls and reviewed 300 webpages requesting personal data in exchange for benefits in 2018. The PCPD also conducted compliance checks against 41 shopping malls that had membership programmes and 19 website operators that appeared to have excessive collection of personal data.

Shopping mall membership programmes

The results of the compliance checks on shopping malls revealed that 31 membership programmes (60% of a total of 52[1] membership programmes found in the site visits) adopted a "the more the merrier" approach when collecting personal data including contact information, sensitive personal data and information relating to personal and family status, contrary to the no-excessive data collection principle under the Personal Data (Privacy) Ordinance (the Ordinance) and the practice of collecting minimum information for the purpose of data collection. Amongst the shopping malls checked, “The Whampoa” collected the least personal data, collecting only three personal data items for its membership programme, and is considered the most privacy-friendly.

These 31 membership programmes were hosted by 25 shopping malls in 13 districts, including five in Yau Tsim Mong; four in Wanchai/Causeway Bay; three in Tseung Kwan O/Sai Kung; two each in Central/Western, Kwun Tong and Tsuen Wan respectively.
 
The results also showed that:
  • Apart from collecting basic contact information (e.g. name, telephone number, address and email address), some shopping mall membership programmes also collected sensitive personal data (e.g. date of birth, age, Hong Kong Identity Card number) and personal data relating to personal and family status (e.g. monthly income, marital status, whether a car owner or not and vehicle registration mark);
  • Three membership programmes (6% of the 52 membership programmes) required collection of 18 personal data items;
  • 20 membership programmes (38% of the 52 membership programmes) required compulsory provision of unnecessary personal data; and
  • The design of eight membership programmes (15% of the 52 membership programmes) forced customers to agree that the relevant organisations could use their personal data for direct marketing purposes, leaving individual customers with no choice at all.

The said "bundled consent" design and practice obtained no meaningful and real consent, and practically constituted unfair collection of personal data. Such practice therefore should be discontinued, and the malls concerned had rectified the situation accordingly.

With regard to personal data collected by shopping mall membership programmes, in general, the Privacy Commissioner accepts the collection of contact information for the purposes of identification and communication. However, the collection of HKID Card number by membership programmes is generally considered excessive because HKID Card number is sensitive in nature, and improper processing of this data may cause unnecessary risks such as identity theft, etc.

Meanwhile, collection of personal data relating to personal and family status is generally acceptable for the purposes of market analyses and provision of suitable offers, but members should be given a choice of not providing such information. 

Concerning the personal data related to HKID Card number as well as personal and family information, the Privacy Commissioner is pleased to note that:
  • 45 membership programmes (87% of the 52 membership programmes) did not collect HKID Card number; and
  • 32 membership programmes (62% of the 52 membership programmes) either provided members with an option not to provide certain personal information (such as age, working district, occupation, etc.) and family status or did not request such information at all.

Online promotion activities

For online promotion activities, the results of the compliance checks revealed that:
  • The beauty industry, education institutions and the health products and services industry used more online promotion activities than other industries, accounting for 44%, 18% and 8% of the 300 webpages reviewed respectively; and
  • Given the purpose is simply to attract customers for promotional offers, only 20 online promotion activities (6% of the 300 webpages) involved excessive collection of personal data, such as HKID Card number, date of birth, age and monthly income.

The Privacy Commissioner emphasised that: “these compliance checks aligned with our strategies in education and promotion, with the emphasis on organisations, the data users as well. In the data driven economy, organisations are handling more personal data than ever. It is therefore of utmost importance for them to incorporate data governance, stewardship and ethics - being respectful, beneficial and fair - as part of the corporate governance and a long term solution for personal data protection. This strategy is also well demonstrated in our upcoming Privacy Awareness Week themed “Data Ethics in Action”, with a series of promotional programmes targeting organisations in advocating the implementation of data ethics in their daily operations, and to fully reap the benefits of the data-driven economy while protecting and respecting personal data privacy at the same time.”


[1] These 52 membership programmes were hosted by the 41 shopping malls.




Click here to download the Compliance Checks Report: Overview of Personal Data Collection in Shopping Mall Membership Programmes and Online Promotion Activities