Privacy Please!

The long awaited privacy policy has finally made it to town. It departed several years ago, but arrived with a fashionable delay on April 1 (not an April Fools’ joke).

There’s a lot of buzz around it with media and commercial companies interpreting its meaning and potential effect on the business realm.

To be honest, I am very happy with the change. But before you marketers get all upset with my happiness and move to another column, let me explain the reason for my thrill.

First and foremost we’re all consumers and recipients one way or another. Marketers, technology vendors (like me), and finally what we’re defining, as the ultimate recipient is actually none other than us. Since all of us are subject to abuse of our personal data (don’t tell me you’re not being spammed – even from companies in Hong Kong), having a policy that protects us and gives us the right to decide “whom are we dating” is actually a good thing.

But hold on, how it is going to affect companies? Will it affect the ability of marketers and commercial companies to conduct business? My simple answer is no. Under the status quo many Internet users in Hong Kong are reluctant to provide their private data to commercial companies, as they are afraid to be bombarded with marketing messages. In contrast the companies need to work harder to mine data, and there are quite a number of businesses that resolve to unethical methods to collect data for marketing purposes.

So if the power is in our hands now to select who we actually want to receive messages from, then we can stop it at any given time should businesses start abusing that privilege. With regulation, we will be seeing consumers being more comfortable with providing their personal data to companies for direct marketing purposes.

And now comes the good part. Users will only provide their private data to companies who give them good value/offers for their details. It means that I will be willing to listen to companies who will provide me an added value. Call it a real fair exchange – personal data for information/content I would not have received if I am not a subscriber.

It means that marketers will have to work harder to explain and work on content and offers that are sought after by the recipients.

To make my argument stronger, look at the rise of group-buying in Hong Kong: BeeCrazy, Funshare, Groupon, and many others. These companies offer bargains for their clients that if we were not subscribing to their services, we can’t benefit from these offers or will miss out on them. A true exchange. These companies worked hard to win their subscribers by good offers as well as providing them with robust opt-in and opt-out mechanisms. Subscribers can decide to join or leave the services at any given time, no questions asked!

So enough of why I feel the updated policy is a great thing, let’s move on to what must one do in order to comply. You definitely would want to comply with the policy, as fines for companies who breach the new regulations are steep and can reach to as much as HKD 1,000,000 per offense, you simply do not want to take any risks here.

It’s actually surprising that most establishments (medium-to-large enterprises) in Hong Kong have been complying with the policy way before it was amended, and it is not difficult to ensure compliance.

To begin with, companies should keep a clear opt-in channel where subscribers explicitly express their consent and willingness to receive content from you. The next step would be an updated privacy policy to reflect your understanding of the new obligations and your commitment to follow them. Finally, just make sure your recipients can opt out from services swiftly and easily. If you keep to these principles, you’re already safe.

The new policy applies to new subscribers that were added after April 1. For these subscribers an opt-in (consent) will be required (email, SMS, and a written confirmation for a verbal opt-in).

Furthermore, there must be a clear opt-out for all the channels. If your organization is involved in direct marketing, these include call centers, email, SMS, POS (retail or banking), fax, etc. Your unsubscription process will have to remove the subscribers from all the channels at once, all communications to the person opting out must cease upon 10 days you are notified of the unsubscribe request.

The privacy policy must be visible from your website or channels in which you collect data, the privacy statement must mention all the channels you’ll provide communications from, the type of communication (what you’re marketing), and who will use your information.

Last major note is that you cannot share the data with other departments or organizations unless explicitly agreed by subscribers. It is never a good idea to share data with other businesses (and if you absolutely have to, you need to seek explicit consent from people whose data you plan to share); even sharing data between departments within your organizations for purposes other than what the subscribers have agreed to can be seen as a violation of the new ordinance.

It is recommended to read more about the changes here, and send a reassurance email to your clients about the ways you’re using their data.

That’s all for now. Till next time, stay tuned.

Related reading