Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
According to the Age of Majority (Related Provisions) Ordinance, the legal age of majority in Hong Kong is 18. Persons under the age of 18 are considered a minor.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
Hong Kong is a signatory of the UNCRC. However, the UNCRC has not been directly incorporated into Hong Kong domestic laws.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
No.
Currently, Hong Kong does not have a commissioner that focuses specifically on children’s rights.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
No.
There is no commissioner for children’s rights in Hong Kong.
Broadly speaking, the Office of the Privacy Commissioner for Personal Data, Hong Kong is responsible for enforcing provisions under the Personal Data (Privacy) Ordinance, which offers protection to data subjects in Hong Kong including minors.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
No.
The Personal Data (Privacy) Ordinance (PDPO) does not have a standalone requirement specifically on collecting parental consent for processing personal data of children. However, where consent is expressly required under the PDPO and the data user is a minor, then the consent must be obtained from a person with parental responsibility.
That said, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) recommends that, in general, data users are not advised to collect personal data from minors (particularly those who are incapable of making an informed decision) without prior consent from a person with parental responsibility for the individual. Further, according to the best practice guideline “Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children” published by the PCPD, data users are encouraged to involve parents when collecting children’s personal data. Practically speaking, the PCPD recommends data users to ask children to seek parental approval before offering their personal data online.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Where consent is required under the Personal Data (Privacy) Ordinance, a person that has attained the age of 18 will be capable of providing the necessary consent. Otherwise, consent must be obtained from a person with parental responsibility for the minor.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
Where consent is required under the Personal Data (Privacy) Ordinance, such consent from a person with parental responsibility for a minor must be express.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
According to the best practice guideline “Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children” published by the Office of the Privacy Commissioner for Personal Data, Hong Kong, data users should note that children might not be able to fully understand the content of privacy policies as they are drafted in sophisticated and legalistic language. In light of this, data users are encouraged to create an age-appropriate version of the privacy policy for children. Data users are likewise recommended to show their written privacy policy using graphics and cartoons to foster greater understanding from children.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
The Personal Data (Privacy) Ordinance does not prescribe that parents must be involved for minors to directly exercise their data subject rights.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
Under the Personal Data (Privacy) Ordinance (PDPO), any person may make a complaint to the Office of the Privacy Commissioner for Personal Data, Hong Kong regarding any acts done by the data users that might be a contravention of the PDPO.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
Processing specific types of children’s personal data
There are no particular requirements/ prohibitions under the Personal Data (Privacy) Ordinance (PDPO) on processing specific types of children’s personal data. The PDPO also does not prescribe a separate category of “sensitive personal data”. That being said, certain types of personal data with higher sensitivity will require higher compliance obligations under the PDPO. For instance, the Office of the Privacy Commissioner for Personal Data, Hong Kong has published guidelines on processing biometric data collected from data subjects, including children.
Carrying out specific processing activities involving children’s personal data
There are no particular requirements/ prohibitions under the PDPO on carrying out specific processing activities involving specifically children’s personal data.
Using children’s personal data for specific purposes
There are no particular requirements/ prohibitions under the PDPO particularly related to using children’s personal data for specific purposes.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
Facts
A school provided student personal data including the student’s name, class and class number to an online service provider to create a user account for students to access emails, cloud services and learning tools. The parents of the student were concerned that the school may track the student’s computer usage and were concerned that the student did not fully understand the terms and conditions contained therein. The parents were not informed that the personal data of the student would be transferred to third party vendor. As such, there were concerns about the potential misuse of student’s personal data.
On behalf of the student, the parents lodged a complaint to the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD).
Outcome
With the involvement of the PCPD, the school pledged to develop a policy on using online tools, clearly define the purposes of creating accounts, and greatly strengthen account safety to address the concerns raised by the parents.
Are there specific rules concerning electronic direct marketing to children?
Yes.
Provisions under the Unsolicited Electronic Messages Ordinance (UEMO)
The UEMO regulates the sending of commercial electronic messages. The UEMO are not specifically directed at electronic direct marketing to children but regardless of the age of the recipient of the electronic messages, the rule of thumb is that such commercial electronic messages must contain an unsubscribe facility and they must not be sent after the recipient has indicated their intention to unsubscribe.
Provisions under the Personal Data (Privacy) Ordinance
While not specifically on direct marketing to children per se, note that prior to sending direct marketing materials to data subjects, data users are required to obtain the data subject’s consent. On this note, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has stated that if data users intend to use personal data from children for direct marketing purposes, they must first inform the children, obtain their consent and provide them with a communication channel to express their consent. Likewise, data users must notify children when using their personal data for direct marketing purposes for the first time. Children can at any time ask the data users to stop using their personal data in direct marketing.
The PCPD also recommends data users to provide children with simple and convenient means to opt-out of receiving direct marketing messages, taking into account their young age and relatively immaturity.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
No.
Save for direct marketing requirements, there are no specific rules to govern adtech tracking and online targeted advertising under the Personal Data (Privacy) Ordinance.
Are there specific rules concerning online contextual advertising to children?
No.
Save for direct marketing requirements, there are no specific rules to govern online contextual advertising under the Personal Data (Privacy) Ordinance.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To date, there has been no regulatory enforcement action regarding advertising to children.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
According to the Age of Majority (Related Provisions) Ordinance, the legal age of majority in Hong Kong is 18. In general, persons above the age of 18 are qualified to enter into an agreement, which includes contracts for digital services.
Do consumer protection rules apply to children?
Yes.
In Hong Kong, consumer protection is generally governed by Trade Descriptions Ordinance (TDO).
The TDO prohibits unfair trade practices, which include (i) misleading omission, i.e., omitting material information regarding the products; (ii) aggressive commercial practices, i.e., commercial practices that significantly impair children’s freedom of choice through harassing, coercing and unduly influencing children such that they make a transactional decision that they otherwise would not have made; (iii) bait advertising, i.e., advertising at a price if there is no reasonable ground for the sellers to supply the products at that price; (iv) bait and switch, i.e., advertising a product with the intention of promoting another product to children which is at a higher price; and (v) wrongly accepting payment, i.e., accepting payment but intends not to supply a product to children.
When determining if there are unfair trade practices involved, the court will consider the concept of an “average consumer”. Under the TDO, the court will consider the factual circumstances including the material characteristics of an average underaged customer of a particular product or service.
Are there any consumer protection rules which are specific to children only?
No.
There are no consumer protection rules that apply specifically to children.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
To date, we are not aware of any formal enforcement action has been taken by Hong Kong’s data privacy regulator Office of the Privacy Commissioner for Personal Data, Hong Kong from a data privacy perspective or by the Customs and Excise Department from a consumer protection perspective, in relation to children’s use of digital services in Hong Kong.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
In Hong Kong, certain products and services must not be provided to minors. These include the online sale of products and services relating to gambling, cigarettes or other tobacco products including cigars and intoxicating liquor.
Are there any specific requirements relating to online/ digital safety for children?
No.
As of now, there are no specific requirements in relation to online safety for children. However, the Control of Obscene and Indecent Articles Ordinance prohibits the publication of indecent articles to children under the age of 18. Showing an indecent article to children would constitute a criminal offence and is liable to a fine and imprisonment. When an article has been determined by the Obscene Articles Tribunal to be indecent, it should be sealed in opaque wrappers. In case of online materials, there should be an on-screening warning on the web page before the content can be viewed:
WARNING: THIS ARTICLE CONTAINS MATERIAL WHICH MAY OFFEND AND MAY NOT BE DISTRIBUTED, CIRCULATED, SOLD, HIRED, GIVEN, LENT, SHOWN, PLAYED OR PROJECTED TO A PERSON UNDER THE AGE OF 18 YEARS. Whilst it is not specifically targeted at children, the Personal Data (Privacy) Ordinance (PDPO) prohibits the act of disclosing personal data without consent, otherwise known as “doxxing”. Under the PDPO, a person commits an offence if he discloses any personal data of a data subject without getting prior consent with an intent to obtain financial gain, cause harm to the data subject and his family or be reckless as to whether any harm would likely be caused by doxxing.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
No.
There are currently no statutory requirements on specific age verification or age assurance when children access online resources.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
There are currently no statutory requirements for parental control and involvement in children’s use of online services. Nonetheless, note that the Office of the Privacy Commissioner for Personal Data, Hong Kong has been advocating parental involvement in protecting children’s online privacy and has published a Children’s Online Privacy “Practical Tips for Parents and Teachers” guide.
Has there been any regulatory enforcement action concerning online/ digital safety?
No.
To date, we are not aware of any formal enforcement action that has been taken by the Office of the Privacy Commissioner for Personal Data, Hong Kong from a data privacy perspective or by the Customs and Excise Department from a consumer protection perspective, in relation to online/ digital safety in Hong Kong.
Are there any existing requirements relating to children and AI in your jurisdiction?
Talk to us for more information.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Talk to us for more information.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There is currently no other enforcement activity regarding children’s use of online services.
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
No.
There are currently no other existing or upcoming requirements in relation to children’s use of online services.
