Insights
Website operators or owners often collect information about users' online behaviour, including a user's identity, display and/or language preferences, web pages visited, items purchased and transactions performed. This is normally achieved through the use of cookies. Cookies are small files that are automatically downloaded onto a user's computer when the user accesses a website. They allow the website to recognise the user's device or computer and to organise and store the user's browsing information. Cookies can help a website function more efficiently, but they are often used for advertising purposes to build detailed profiles of the user for targeted marketing.
Online behavioural tracking raises privacy concerns because the collection, use and storage of personal information and browsing habits often take place without the knowledge or consent of the user. In some cases the information may even be collected by a third party, or transferred to third parties, without the user's knowledge or consent. The law in many jurisdictions, including the EU and the UK, specifically regulates the use of cookies and other similar technologies.
The Hong Kong Privacy Commissioner has now published an information leaflet setting out guidelines for businesses on the use of online behavioural tracking. It is important to be aware that the guidelines apply to online tracking in general and are not limited to any specific means of tracking; new technologies that arise in the future will also be covered.
What is personal data?
Whether the information collected constitutes personal data must be judged on a case-by-case basis. It depends on whether the information:
For example, if the information collected contains a unique identifier which identifies an individual such as an email address consisting of a person's full name, then the information would most likely be regarded as “personal data” under the Personal Data (Privacy) Ordinance (the PDPO). An identifier which, for example, only consists of an IP address is unlikely to be considered personal data. However, even where the information collected does not contain unique identifiers, organisations must still carefully assess whether such information, taken together, can be used to directly or indirectly identify an individual.
Compliance with the Data Protection Principles Required
Organisations that deploy online tracking on their websites that results in the collection of website users' personal data must observe the six Data Protection Principles (DPPs) set out in the PDPO:
DPP 1 – Purpose and manner of collection
Online tracking must be conducted in a lawful and fair manner. The purpose of the online tracking must be related to a function or activity of the data user. Information collected must be adequate but not excessive. The information outlined under DPP1 must be provided to data subjects.
DPP 2 – Accuracy and duration of retention
Online tracking information held by data users must be accurate, up-to-date and should not be kept longer than necessary.
DPP 3 – Use of personal data
Online tracking information can only be used for the original purposes stated at the time of collection. Data users must obtain data subjects' express and voluntary consent for any change to the purpose of use.
DPP 4 – Security of personal data
Data users must ensure that reasonably practicable steps are taken to protect the collected information from unauthorised or accidental access, processing, erasure, use, disclosure or loss.
DPP 5 – Information to be generally available
Data subjects must be made aware of the personal data privacy policy and practices of the data user, including the kinds of online tracking information held by the data user and the purpose for which the data are to be used.
DPP 6 – Access to personal data
Data subjects are entitled to ask a data user to ascertain whether it holds his/her personal data and to request a copy of the personal data held. Data subjects also have the right to request the correction of an inaccurate record.
Direct marketing
If online tracking information is collected for direct marketing purposes, data users must follow the requirements under section 34 of the PDPO to enable data subjects to “opt out”. As discussed above, the law regulating the use of personal data in direct marketing activities has recently been amended to introduce more stringent requirements: instead of merely enabling the data subject to “opt out”, the specific consent of the data subject will be required.
Fair and Transparent Practices
Organisations that are uncertain whether the information they collect would constitute “personal data” are strongly advised to adopt the fair and transparent practices outlined in the guidelines. Accordingly, organisations conducting online behavioural tracking should, as a matter of good practice:
The above measures should be implemented in a user-friendly manner, for example by ensuring they are easily accessible and comprehensible to website users, including teenagers and children.
There are also specific best practice provisions regarding the use of cookies:
Whilst these are currently only best practice guidelines, organisations carrying out any kind of online tracking should take note. The rapid evolution of website content and behaviour-tracking technology means that the debate over consumer privacy is only going to get louder. Further, the Privacy Commissioner is extremely vigilant in ensuring compliance with the law and is known to initiate compliance checks even without receiving any complaints.