The Office of Hong Kong’s Privacy Commissioner for Personal Data (PCPD) recently announced the results of compliance checks on the collection of “cookies” by local banks in response to earlier media reports and a survey by the Hong Kong Monetary Authority (HKMA).
While the PCPD concluded that there was no apparent evidence suggesting that the banks had collected personal data through cookies, it also pointed that that it is technically possible to identify an individual customer with his/her Internet banking habits by combining data in the cookies with other information held by the banks for the same customer. Thus, as a matter of good practice, the banks should inform their customers what information would be collected through cookies and the purpose of such collection, with an option to opt-out of such arrangement. If opt-out is not possible, banks should inform its customers why it is not possible so that they can decide whether to continue using the website.
In this connection, the PCPD has published an Information Leaflet on “Online Behavioural Tracking”, explaining the relationship between online tracking, personal data and the Personal Data (Privacy) Ordinance. The leaflet aims at advising organizational data users what they should consider before they deploy online tracking on their websites. The leaflet also contains the PCPD’s recommendations to data users regarding compliance with the Ordinance.