Hong Kong PDPO

Personal Data (Privacy) Ordinance (Cap. 486)

Hong Kong Special Administrative Region (consent model: opt-in)

Key Facts

Effective Date: December 20, 1996
Enacted: January 1, 1996
Enforcing Authority: Office of the Privacy Commissioner for Personal Data (PCPD)
Consent Model: Opt-in
Fulfillment Time: 40 days
Applies To: Any data user that controls personal data in Hong Kong (no explicit extraterritorial scope)

Overview

Hong Kong's PDPO is built around six Data Protection Principles governing how personal data is collected, used, stored, and disclosed. The 2021 amendment added strong anti-doxxing provisions with criminal penalties. Cookies collecting personal data require clear notices and consent, though the law does not yet mandate data breach notification.

What This Means for Your Website

  • Fair and lawful data collection with informed consent is required for Hong Kong visitors
  • Cookies collecting personal data need clear notices and user consent
  • Direct marketing requires opt-in consent
  • Data breach notification is recommended but not yet legally mandated
  • The PDPO does not currently include data portability rights

Enforcement

The PCPD enforces the PDPO, with penalties that vary by offense type. Anti-doxxing violations carry up to HKD 1 million in fines and 5 years' imprisonment. Direct marketing violations carry up to HKD 500,000 and 3 years. Consumer requests must be fulfilled within 40 days. The PCPD and the Government are studying further amendments to address the challenges posed by AI.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Hong Kong visitors meeting the PDPO's six Data Protection Principles, with direct marketing opt-in where applicable.

Penalties

Doxxing: up to HKD 1 million and 5 years' imprisonment. Direct marketing: up to HKD 500,000 and 3 years. Non-compliance with an enforcement notice: up to HKD 50,000 and 2 years.

Maximum Fine: HK$1,000,000 per violation

Key Requirements

  • Fair and lawful data collection with informed consent
  • Data collected only for lawful purposes directly related to a function
  • Personal data not kept longer than necessary
  • Adequate security measures required
  • Privacy policies must be publicly available
  • Direct marketing requires opt-in consent

Notable Provisions

  • 2021 amendment added strong anti-doxxing provisions
  • No mandatory data breach notification (PCPD recommends voluntary)
  • No data portability rights unlike GDPR
  • Legislative Council debated AI adequacy in July 2025

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Does Hong Kong require cookie consent?

Hong Kong's PDPO does not have dedicated cookie provisions, but cookies collecting personal data are subject to the six Data Protection Principles including informed consent.

Does Hong Kong require breach notification?

Not yet legally mandated. The PCPD recommends voluntary notification. This differs from most modern data protection laws.

What are Hong Kong's anti-doxxing penalties?

Up to HKD 1 million fine and 5 years imprisonment, added by the 2021 amendment.

Stay compliant with Hong Kong PDPO

ConsentStack helps you implement opt-in consent for Hong Kong visitors automatically.