The Office of Hong Kong’s Privacy Commissioner for Personal Data (PCPD) recently announced the results of compliance checks on the collection of “cookies” by local banks in response to earlier media reports and a survey by the Hong Kong Monetary Authority (HKMA).

According to media reports from September 2010, some local banks in Hong Kong required their customers to accept cookies for use of Internet banking services without informing customers of the type of data to be collected through the use of cookies and the purpose of such collection. The HKMA subsequently conducted a survey on the use of cookies by banks in the course of providing Internet banking services. Based on media reports and the survey results provided by the HKMA in October 2010, the PCPD made enquiries with 11 local banks in Hong Kong.

During the compliance checks, the banks provided the PCPD with information on the data stored in the cookies and confirmed that the main purpose of using cookies is to facilitate and maintain smooth Internet banking services to the customers. Some banks use cookies to store the web-navigation preferences of customers and some other banks use cookies to track Internet banking web usage statistics. The banks have also confirmed that cookies are not used to store personal data of customers and are only stored in the customers’ own terminals (and not in the banks’ servers).

While the PCPD concluded that there was no apparent evidence suggesting that the banks had collected personal data through cookies, it also pointed out that it is technically possible to identify an individual customer with his/her Internet banking habits by combining data in the cookies with other information held by the banks for the same customer. Thus, as a matter of good practice, the banks should inform their customers what information would be collected through cookies and the purpose of such collection, with an option to opt out of such arrangement. If opt-out is not possible, banks should inform their customers why it is not possible so that they can decide whether to continue using the website.

In this connection, the PCPD has published an Information Leaflet on “Online Behavioural Tracking”, explaining the relationship between online tracking, personal data and the Personal Data (Privacy) Ordinance. The leaflet aims to advise organizational data users on what they should consider before they deploy online tracking on their websites. The leaflet also contains the PCPD’s recommendations to data users regarding compliance with the Ordinance.