Guidelines on Online Behavioural Tracking

Website operators or owners often collect information regarding users' online behaviour including information such as a user's identity, display and/or language preference, web pages visited, items purchased, and transactions performed. This is normally achieved through the use of cookies. Cookies are small files that are automatically downloaded onto a user's computer when the user accesses the websites. Cookies allow the website to recognise the user's device or computer and organise and store the user's browsing information. They can help a website to function more efficiently but are often used for advertising purposes to build detailed profiles of the user to provide targeted marketing.

Online behavioural tracking raises privacy concerns because the collection, use and storage of personal information and browsing habits are often without the knowledge or consent of the user. In some cases the information may even be collected by a third party, or transferred to third parties, without the user's knowledge or consent. The law in many countries, including the EU and UK, specifically regulate the use of cookies and other similar technologies.

The Hong Kong Privacy Commissioner has now published an information leaflet which sets out guidelines for businesses on the use of online behavioural tracking. It is important to be aware that the guidelines apply to online tracking in general and is not limited to any specific means of tracking and new technologies that arise in the future will be covered.

What is personal data?

Whether the information collected constitutes personal data must be judged on a case by case basis. It depends on whether the information:-

• relates directly or indirectly to a living individual;
• allows the identity of the individual to be directly or indirectly ascertained; and
• is in a form in which access to, or processing of, the information is practicable.

For example, if the information collected contains a unique identifier which identifies an individual such as an email address consisting of a person's full name, then the information would most likely be regarded as "personal data" under the Personal Data (Privacy) Ordinance (the PDPO). An identifier which, for example, only consists of an IP address is unlikely to be considered personal data. However, even where the information collected does not contain unique identifiers, organisations must still carefully assess whether such information, taken together, can be used to directly or indirectly identify an individual.

Compliance with the Data Protection Principles Required

Organisations that deploy online tracking on their websites that result in the collection of the personal data of the website users must observe the six Data Protection Principles (DPPs) set out in the PDPO:

DPP 1 – Purpose and manner of collection

Online tracking must be conducted in a lawful and fair manner. The purpose of the online tracking must be related to a function or activity of the data user. Information collected must be adequate but not excessive. The information outlined under DPP1 must be provided to data subjects.

DPP 2 – Accuracy and duration of retention

Online tracking information held by data users must be accurate, up-to-date and should not be kept longer than necessary.

DPP 3 – Use of personal data

Online tracking information can only be used for the original purposes stated at the time of collection. Data users must obtain data subjects' express and voluntary consent for any change to the purpose of use.

DPP 4 – Security of personal data

Data users must ensure that reasonably practicable steps are taken to protect the collected information from unauthorised or accidental access, processing, erasure, use, disclosure or loss.

DPP 5 – Information to be generally available

Data subjects must be made aware of the personal data privacy policy and practices of the data user, including the kinds of online tracking information held by the data user and the purpose for which the data are to be used.

DPP 6 – Access to personal data

Data subjects are entitled to ask a data user to ascertain whether it holds his/her personal data and to request for a copy of the personal data held. Data subjects also have the right to make a request to correct an inaccurate record.

Direct marketing

If online tracking information is collected for direct marketing purposes, data users must follow the requirements under section 34 of the PDPO to enable "opt-out" by data subjects. As discussed above, the law regulating the use of personal data in direct marketing activities has recently been amended to introduce more stringent requirements, namely instead of enabling the data subject to "opt-out", specific consent of the data subject will be required.

Fair and Transparent Practices

Organisations uncertain as to whether the information they collect would constitute "personal data", are strongly advised to adopt fair and transparent practices outlined in the guidelines. Accordingly, organisations conducting online behavioural tracking should as a matter of good practice:

• Inform users what information is being collected or tracked by them, the purpose of collecting the information, how the information is collected (including what tools are used), whether the information will be transferred to third-parties (and, if so, the classes of such third-parties and purpose of transfer) and how long the information will be kept;
• Inform users whether any third-party is collecting or tracking their behavioural information. Users should be informed of the class of such third-parties, purpose and means of collection, retention period and whether such information collected will be further transferred to other parties by the third party;
• Offer users a way to opt-out of the tracking and inform them of the consequence of opting out. If it is not possible to opt-out of tracking while using the website, explain the reason why it is not possible so that website users can decide whether to continue using the website;

The above measures should be implemented in a user-friendly manner, for example, ensuring they are easily accessible and comprehensible to the website users, including teenagers/children.

There are also specific best practice provisions regarding the use of cookies:

• To pre-set a reasonable expiry date in cookies;
• To encrypt the contents of cookies whenever appropriate; and
• Not to deploy techniques such as Flash/zombie/super cookies that would ignore browser settings on cookies unless organisations can offer an option to website users to disable or reject such cookies.

Whilst these are simply best practice guidelines at the moment, organisations carrying out any kind of online tracking should take note. The rapid evolution of website content and behaviour-tracking technology means that the debate over consumer privacy is only going to get louder. Further, the Privacy Commissioner is extremely vigilant in ensuring compliance with the law, and is known to initiate compliance checks even without receiving any complaints.

Key Contacts

Charmaine Koo

Consultant | Intellectual Property

Email or call +852 2825 9300