
Personal Data (Privacy) Ordinance (PDPO) Hong Kong cookie consent and compliance

The Personal Data (Privacy) Ordinance (PDPO) in Hong Kong requires organizations that collect, process, or store personal data to uphold stringent privacy protections, including transparency in the use of cookies that track user behavior. Is your website ready for compliance?

What your business needs to know about the PDPO

The Personal Data (Privacy) Ordinance (Cap. 486) is the main data protection legislation in Hong Kong. It was enacted in 1995, has been in force since December 1996, and is enforced by the Office of the Privacy Commissioner for Personal Data (PCPD). It governs the collection, holding, processing and use of personal data through six Data Protection Principles (DPPs) covering purpose and manner of collection, accuracy and retention, use, security, openness, and access and correction.

What does PDPO compliance require?

Businesses operating in or targeting individuals in Hong Kong must comply with the PDPO when handling personal data. This includes implementing clear consent practices, limiting data use to stated purposes, and ensuring secure data storage. For websites, it's essential to disclose how cookies collect user data and to provide options for consent and control. Non-local companies serving Hong Kong residents may also fall under PDPO jurisdiction. 

Websites using cookies to gather personal data must provide clear notices and obtain user consent, aligning with the principles of fair and lawful collection under the PDPO. Ensuring cookie consent is compliant with the PDPO is a key step in protecting consumer rights and maintaining trust. 

To be in compliance with PDPO Hong Kong, businesses should:

Review data practices: Implement robust data governance policies and publish

Update privacy policy: Keep a comprehensive Privacy Policy up to date

Implement consent management: Obtain proper consent for collecting and processing personal data and ensure users can withdraw consent

Audit: Audit all data collection practices, including consent mechanisms, data security and third-party data sharing

Data minimization: Adhere to data minimization principles, collecting only the data that is required and using it only for the stated purposes

Who needs to comply with the PDPO?

Any individual or organization that collects, holds, processes, or uses personal data in Hong Kong must comply with the PDPO. This includes both private businesses and public entities. The Ordinance has no general extraterritorial reach: a foreign company is caught where its collection, holding, processing or use of personal data is controlled in or from Hong Kong, which can be the case when it runs a Hong Kong-facing service from local infrastructure, staff or agents. If your business handles personal data of Hong Kong individuals in that way, PDPO compliance is mandatory.

Consumer rights under the PDPO

The PDPO gives individuals data privacy rights, including: the right to be told, on or before collection, the purposes for which their data will be used and the classes of persons to whom it may be transferred; the right to make data access and data correction requests; the right to opt out of direct marketing and to have that opt-out honoured free of charge; and the right to complain to the PCPD and to claim compensation through the courts for damage caused by a contravention.

Why cookies as part of PDPO compliance

The PDPO contains no cookie-specific rule; cookies fall under it because the data they collect (behavioural tracking, preferences, location, device identifiers) can be personal data when it relates to an identifiable individual. Where it does, DPP1 requires that the collection be lawful and fair and that users be told, on or before collection, the purpose of the collection, the classes of persons to whom the data may be transferred, and how to request access and correction. DPP3 requires prescribed consent before the data is used for a purpose other than the one notified. In practice this means a clear cookie notice before non-essential cookies are set, a genuine choice (the PCPD's guidance on online behavioural tracking recommends offering users a way to opt out), and a record of the choice made.

Penalties for PDPO non-compliance

Contravening a Data Protection Principle is not itself a criminal offence. The PCPD investigates complaints, publishes investigation reports, and may issue an enforcement notice directing the data user to remedy the breach. Failing to comply with an enforcement notice is an offence carrying a fine of up to HK$50,000 and two years' imprisonment on first conviction, with a daily fine of HK$1,000 while the contravention continues; a repeat conviction carries up to HK$100,000. Direct marketing offences carry up to HK$500,000 and three years' imprisonment, rising to HK$1,000,000 and five years where personal data is provided to others for gain. Individuals who suffer damage from a contravention may also claim compensation through the courts under section 66.

How to comply with the PDPO

Some best practices to bring your data privacy approach in line with PDPO compliance include:

Audit: Conduct a data audit to identify all cookies and trackers on your websites

Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing)

Implement consent: Ensure consent banners are implemented correctly, ensure users can withdraw consent at any time, and maintain consent logs and enable

Check partners and third parties: Review third-party data-sharing practices

Train employees: Ensure that employees have training to understand and comply with the PDPO
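The audit, categorize, consent and withdrawal steps above describe a single mechanism: a gate that lets no non-essential cookie be written until the user has consented to its category, deletes cookies when consent is withdrawn or the policy changes, and keeps an append-only record of each decision. The following is an added example of that mechanism, written for this page; it is not CookieHub's code and does not describe how any vendor's banner works. The class name ConsentManager, the registry COOKIE_REGISTRY and the cookie names in it are constructed for the example, and the cookie store is an in-memory Map so the code runs outside a browser (in a real page it would wrap document.cookie).

```javascript
// Added example (not CookieHub code, not from the PDPO text): a consent gate that
// ties the audit, categorize, consent and withdraw steps together. Cookie names
// and their categories are constructed sample data for this example.

const CATEGORIES = ["necessary", "preference", "analytics", "marketing"];

// Output of a hypothetical cookie audit: every cookie the site sets, by category.
// A cookie missing from this registry is treated as unaudited and blocked, which
// surfaces drift between the audit and what the running site actually sets.
const COOKIE_REGISTRY = {
  session_id: "necessary",
  csrf_token: "necessary",
  ui_lang: "preference",
  _ga: "analytics",
  _gid: "analytics",
  ad_campaign: "marketing",
};

class ConsentManager {
  // `store` is any object with get/set/delete/keys (a Map here; in a browser a
  // thin wrapper over document.cookie). `policyVersion` identifies the privacy
  // policy the user consented to, so a policy change forces re-consent.
  constructor(store, policyVersion, now = () => new Date().toISOString()) {
    this.store = store;
    this.policyVersion = policyVersion;
    this.now = now;
    this.granted = new Set(["necessary"]); // strictly necessary only, by default
    this.consentedVersion = null;          // no consent recorded yet
    this.log = [];                         // append-only consent record
  }

  record(action) {
    this.log.push({ at: this.now(), action, categories: [...this.granted],
                    policyVersion: this.policyVersion });
  }

  // Grant consent for the listed categories. Unknown names are rejected so a
  // typo in the banner code cannot silently widen the grant.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    this.granted = new Set(["necessary", ...categories]);
    this.consentedVersion = this.policyVersion;
    this.record("grant");
    this.prune();
  }

  // Withdrawal is one call: drop every non-necessary category and delete the
  // cookies already set under them.
  withdraw() {
    this.granted = new Set(["necessary"]);
    this.record("withdraw");
    this.prune();
  }

  // A new privacy-policy version invalidates earlier consent.
  updatePolicy(version) {
    this.policyVersion = version;
    this.prune();
  }

  needsReconsent() {
    return this.consentedVersion !== this.policyVersion;
  }

  isAllowed(name) {
    const category = COOKIE_REGISTRY[name];
    if (category === undefined) return false;   // unaudited cookie
    if (category === "necessary") return true;
    if (this.needsReconsent()) return false;     // missing or stale consent
    return this.granted.has(category);
  }

  // Every cookie write goes through the gate; a disallowed write is a no-op.
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    this.store.set(name, value);
    return true;
  }

  // Delete cookies that the current consent state no longer permits.
  prune() {
    for (const name of [...this.store.keys()]) {
      if (!this.isAllowed(name)) this.store.delete(name);
    }
  }
}

// Walks through the consent lifecycle and returns the observations.
function demo() {
  const store = new Map();
  const cm = new ConsentManager(store, "2024-01");
  const gaBeforeConsent = cm.setCookie("_ga", "GA1.2.1");    // blocked: no consent
  cm.setCookie("session_id", "s1");                           // necessary: allowed
  cm.grant(["analytics"]);
  const gaAfterConsent = cm.setCookie("_ga", "GA1.2.1");     // allowed
  const marketingDenied = cm.setCookie("ad_campaign", "c1"); // still blocked
  cm.updatePolicy("2024-02");                                 // stale consent: _ga deleted
  const afterPolicyChange = [...store.keys()];
  cm.grant(["analytics", "marketing"]);
  cm.setCookie("_ga", "GA1.2.1");
  cm.setCookie("ad_campaign", "c1");
  cm.withdraw();                                              // back to necessary only
  return { gaBeforeConsent, gaAfterConsent, marketingDenied, afterPolicyChange,
           afterWithdraw: [...store.keys()], logActions: cm.log.map((e) => e.action) };
}
```

Two design points carry over to a real deployment: the default state grants only the necessary category, so a banner that fails to load blocks tracking rather than permitting it, and the consent log stores the policy version alongside each decision, which is what lets you show that a given cookie was set under consent the user actually gave.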

How CookieHub can help with PDPO compliance

Consent management platforms like CookieHub can help businesses meet PDPO compliance by automating cookie consent collection, maintaining consent records, and enabling users to manage their privacy preferences easily. 

Frequently Asked Questions

What is the PDPO?

The PDPO governs the collection, holding, processing, and use of personal data in Hong Kong. It applies to both public and private sector organizations that control personal data, ensuring that individuals' privacy rights are protected. The Ordinance sets out six Data Protection Principles that must be followed when managing personal data.

What counts as personal data under the PDPO?

Under the PDPO, personal data is information that relates directly or indirectly to a living individual, from which it is practicable to ascertain the individual's identity directly or indirectly, and which is in a form in which access to or processing of the data is practicable. Examples include names, phone numbers, identity card numbers, addresses, and online identifiers such as cookie or device IDs when they can be linked to a person.

Does the PDPO define sensitive data?

The PDPO does not explicitly define or provide special treatment for "sensitive data" as found in some other jurisdictions. However, certain types of personal data, such as identity card numbers, medical records, and biometric data, require extra care because of the higher risk of harm if mishandled, and the PCPD has issued specific guidance on identity card numbers and on biometric data.

Who enforces the PDPO?

The Office of the Privacy Commissioner for Personal Data (PCPD) is the independent statutory body responsible for enforcing the PDPO, promoting awareness of data protection rights, and handling complaints and investigations related to personal data privacy.

Are there exemptions?

Certain exemptions apply under the PDPO, including personal data held for domestic or recreational purposes (e.g., a personal contact list), data held for news activities by news media, data used for statistical or research purposes under specific conditions, and legal and security-related exemptions such as crime prevention or legal proceedings. These exemptions are subject to conditions, usually lift only particular principles or provisions, and are not blanket exclusions.

Where can I find official guidance?

You can visit the Office of the Privacy Commissioner for Personal Data (PCPD) website for official guidelines, resources, and updates related to the PDPO.