Do Not Call Compliance Policy (Hong Kong)
DO NOT CALL COMPLIANCE POLICY
Unsolicited Electronic Messages Ordinance (Cap. 593) | Personal Data (Privacy) Ordinance (Cap. 486)
[Organisation Name]
Effective Date: [Effective Date]
Compliance Contact: [Compliance Contact]
1. PURPOSE
1.1 This Do Not Call Compliance Policy (“Policy”) ensures that [Organisation Name] (“the Organisation”) complies with the Unsolicited Electronic Messages Ordinance (Cap. 593) and the direct marketing provisions of the Personal Data (Privacy) Ordinance (Cap. 486) Part VIA when conducting marketing activities.
2. MARKETING CHANNELS AND PURPOSES
2.1 Marketing channels used: [Marketing Channels]
2.2 Purposes: [Marketing Purposes]
3. DO NOT CALL REGISTER
3.1 Before making commercial person-to-person telephone calls, the Organisation shall check telephone numbers against the OFCA Do Not Call Register. Check frequency: [DNC Check Frequency].
3.2 Person responsible for DNC Register checks: [DNC Check Responsible]
3.3 If a number is on the Do Not Call Register, the Organisation shall not call that number unless the person has given specific consent to receive calls from the Organisation.
3.4 Internal do-not-contact list maintained: [Internal DNC List]. The Organisation maintains an internal list of persons who have opted out, in addition to checking the OFCA register.
4. CONSENT AND OPT-OUT
4.1 Under PDPO Part VIA, the Organisation must obtain consent before using personal data for direct marketing. Consent method: [Consent Method]
4.2 Opt-out requests shall be processed: [Opt-Out Timeframe]. All marketing communications must include a clear opt-out mechanism.
4.3 Commercial email messages must comply with the UEMO: include accurate sender information, the Organisation’s contact details, and a functioning unsubscribe facility.
5. RECORD KEEPING
5.1 The Organisation shall maintain records of: consent obtained (including date, method, and scope); DNC Register checks (including dates and results); opt-out requests (including date received and date processed); and marketing communications sent.
6. TRAINING
6.1 Training frequency: [Training Frequency]. Training shall cover the UEMO, PDPO Part VIA, DNC Register procedures, and this Policy.
7. ENFORCEMENT
7.1 Non-compliance with this Policy may result in: [Disciplinary Measures]
7.2 Contravention of the UEMO carries penalties of up to HK$100,000 per offence. Contravention of PDPO Part VIA carries penalties of up to HK$500,000 and 3 years imprisonment.
8. GOVERNING LAW
8.1 This Policy is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China.
Marketing Compliance Officer
________________
Signature
Head of Marketing / CEO
________________
Signature
What Is a Do Not Call Compliance Policy (Hong Kong)?
A Do Not Call Compliance Policy in Hong Kong is an internal governance document that sets out an organisation's procedures for complying with the Unsolicited Electronic Messages Ordinance (Cap. 593) and the direct marketing provisions of the Personal Data (Privacy) Ordinance (Cap. 486) Part VIA. Any organisation that conducts telemarketing, sends commercial emails or SMS, or uses personal data for direct marketing in Hong Kong must maintain a Do Not Call Compliance Policy to manage legal risk under both regulatory regimes.
The Unsolicited Electronic Messages Ordinance (Cap. 593), commonly known as the UEMO, came into force on 22 December 2007 and is administered by the Office of the Communications Authority (OFCA). The UEMO establishes Do Not Call registers for person-to-person telemarketing calls and pre-recorded messages, and a Do Not Fax Register for fax communications under Cap. 593. Senders must check telephone numbers against the Do Not Call Register before making commercial calls. Numbers registered on the DNC register may not be called without the specific consent of the number holder. OFCA investigates complaints from registered number holders who receive unsolicited commercial calls and may issue infringement notices or prosecute for repeated violations.
The Personal Data (Privacy) Ordinance (Cap. 486) Part VIA, administered by the Privacy Commissioner for Personal Data (PCPD), separately requires organisations to obtain consent before using a person's personal data for direct marketing purposes. Part VIA of Cap. 486 applies regardless of the communication channel — telephone, email, SMS, post, or any other medium. Organisations must inform the data subject of the intended use of their data for direct marketing and obtain their consent before any marketing communication is sent. Opt-out requests under Cap. 486 must be honoured without delay.
Both the Unsolicited Electronic Messages Ordinance (Cap. 593) and the Personal Data (Privacy) Ordinance (Cap. 486) must be complied with simultaneously. Non-compliance with the UEMO carries criminal penalties of up to HK$100,000 per first offence for calling registered numbers without consent under Cap. 593. Non-compliance with PDPO Part VIA carries penalties of up to HK$500,000 and 3 years imprisonment for a first offence under Cap. 486, and up to HK$1,000,000 and 5 years for providing personal data to third parties for marketing without consent — enforced by the PCPD.
OFCA maintains the Do Not Call Register under Cap. 593 and provides a checking service that allows organisations to verify telephone numbers before making commercial calls. The register must be checked at least every 30 days. Failure to check the register before calling, or calling a registered number without consent, is an offence under the Unsolicited Electronic Messages Ordinance (Cap. 593).
Regulated entities in Hong Kong — including licensed banks supervised by the Hong Kong Monetary Authority (HKMA) and licensed insurers supervised by the Insurance Authority (IA) — must also comply with HKMA and IA guidelines on customer communication in addition to Cap. 593 and Cap. 486. The 2021 amendments to the Personal Data (Privacy) Ordinance (Cap. 486) introduced new criminal offences for doxxing — non-consensual disclosure of personal data with intent to harm — reinforcing the importance of strict data handling practices in all direct marketing activities. A well-maintained Do Not Call Compliance Policy is the primary documented safeguard against regulatory action by OFCA and the PCPD.
When Do You Need a Do Not Call Compliance Policy (Hong Kong)?
A Do Not Call Compliance Policy in Hong Kong is needed before any organisation commences telemarketing activities, direct email campaigns, SMS marketing, or any other form of direct marketing using personal data under the Personal Data (Privacy) Ordinance (Cap. 486).
Financial institutions, insurance companies, real estate agencies, and telecommunications companies — all significant users of telemarketing in Hong Kong — must maintain a current Do Not Call Compliance Policy and demonstrate compliance with the Unsolicited Electronic Messages Ordinance (Cap. 593) to OFCA and compliance with the Personal Data (Privacy) Ordinance (Cap. 486) to the Privacy Commissioner for Personal Data. Licensed banks regulated by the HKMA under the Banking Ordinance (Cap. 155) and licensed insurers regulated by the Insurance Authority (IA) under the Insurance Ordinance (Cap. 41) are subject to additional sector-specific guidelines on customer communication that layer on top of the UEMO and PDPO requirements.
Retailers, e-commerce operators, and service businesses that maintain customer databases and use those databases for marketing communications need a Policy to manage the consent lifecycle under Cap. 486 — recording when consent was obtained, through what channel, for what purpose, and when it was withdrawn. Email marketing without a functioning unsubscribe mechanism, or with misleading sender information, is an offence under the Unsolicited Electronic Messages Ordinance (Cap. 593).
Organisations that outsource marketing activities to third-party call centres or marketing agencies remain responsible for compliance with both Cap. 593 and Cap. 486. A Do Not Call Compliance Policy should address how the organisation controls third-party marketing activities, including contractual requirements for the third party to check the DNC register, obtain consent, and honour opt-out requests. Data processing agreements with third-party marketers should address the requirements of Data Protection Principle 4 of Cap. 486, requiring appropriate security measures for personal data.
After any data breach or following a complaint by a customer to OFCA or the Privacy Commissioner for Personal Data under Cap. 486, reviewing and updating the Do Not Call Compliance Policy is essential. OFCA and the PCPD both have enforcement and investigation powers and expect organisations to maintain documented compliance procedures.
Annual review of the Policy is recommended to reflect changes in the Unsolicited Electronic Messages Ordinance (Cap. 593) regulations, PDPO guidelines under Cap. 486, OFCA guidance notes, and Privacy Commissioner directions. Organisations should update their procedures accordingly and document each review cycle as evidence of ongoing compliance.
What to Include in Your Do Not Call Compliance Policy (Hong Kong)
A Do Not Call Compliance Policy for a Hong Kong organisation under the Unsolicited Electronic Messages Ordinance (Cap. 593) and Personal Data (Privacy) Ordinance (Cap. 486) Part VIA must include the following key elements.
Legal framework: A clear statement of the regulatory framework — the UEMO (Cap. 593) administered by the Office of the Communications Authority (OFCA) and the PDPO (Cap. 486) Part VIA administered by the Privacy Commissioner for Personal Data (PCPD) — and the specific obligations each imposes on the organisation's marketing activities. The Policy should acknowledge that both regimes apply simultaneously and that non-compliance with either carries separate criminal penalties.
Do Not Call Register checking procedures under Cap. 593: Documented procedures for checking the OFCA Do Not Call Register before making commercial person-to-person telephone calls. The Policy should specify how frequently the register is checked (at minimum every 30 days under Cap. 593), how the OFCA checking service is accessed, and how results are applied to calling lists. Records of each register check — including the date of the check and the lists screened — should be retained as evidence of compliance.
Consent management under Cap. 486: Procedures for obtaining, recording, and maintaining evidence of consent from data subjects for the use of their personal data for direct marketing under Personal Data (Privacy) Ordinance (Cap. 486) Part VIA. Consent must be specific, informed, and freely given. Records of consent, including the date, channel, and scope of consent, must be retrievable for evidence in the event of a PCPD investigation.
Internal Do Not Contact list: An internal list of individuals who have opted out of marketing communications under Cap. 593 and Cap. 486, updated without delay upon receipt of any opt-out request and cross-checked against all calling and mailing lists before every campaign. The list should capture the date of the opt-out request and the channel through which it was received.
Email and SMS compliance under Cap. 593: Procedures covering all commercial email messages — confirming they include a functioning unsubscribe facility, accurate sender information, and non-deceptive subject lines as required by the Unsolicited Electronic Messages Ordinance (Cap. 593). Unsubscribe requests must be processed within 10 business days. Address harvesting using automated software is prohibited under Cap. 593 and carries a fine of up to HK$1,000,000.
Opt-out handling: Documented procedures for receiving, recording, and acting on opt-out requests through all channels — telephone, email, SMS, written request, or through the OFCA DNC register. The organisation must cease marketing communications without delay after receipt of a valid opt-out request under both Cap. 593 and Cap. 486. Failure to honour an opt-out is a criminal offence under Section 35G of Cap. 486.
Third-party marketing controls: Where marketing activities are outsourced to third-party call centres or agencies, the Policy must address how compliance obligations are passed down contractually, including requirements for the third party to check the DNC register, maintain consent records, and honour opt-out requests. Data processing agreements with third parties must address Data Protection Principle 4 under Cap. 486.
Staff training: Regular training for all marketing, sales, and customer service staff on UEMO and PDPO direct marketing obligations, including how to process opt-out requests, how to check the DNC register under Cap. 593, and the procedure if a complaint is received from OFCA or the PCPD.
Compliance monitoring and audit: Annual review of the Policy, periodic audits of consent records and DNC checking procedures, and a documented process for reporting and remedying compliance failures. Related documents include the Privacy Policy, Data Protection Policy, Terms of Service, and Acceptable Use Policy. Forms-legal.com provides a Do Not Call Compliance Policy template for Hong Kong organisations covering all UEMO and PDPO obligations, downloadable as PDF or Word.
Sources & Citations
Statutory citations link to official government sources.
- Unsolicited Electronic Messages Ordinance (Cap. 593)HK official
- Personal Data (Privacy) Ordinance (Cap. 486)HK official
- The Unsolicited Electronic Messages Ordinance (Cap. 593)HK official
- The Personal Data (Privacy) Ordinance (Cap. 486)HK official
- Both the Unsolicited Electronic Messages Ordinance (Cap. 593)HK official
- OFCA and compliance with the Personal Data (Privacy) Ordinance (Cap. 486)HK official
- Licensed banks regulated by the HKMA under the Banking Ordinance (Cap. 155)HK official
- Insurance Authority (IA) under the Insurance Ordinance (Cap. 41)HK official
- Hong Kong organisation under the Unsolicited Electronic Messages Ordinance (Cap. 593)HK official
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Do Not Call Compliance Policy (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/do-not-call-compliance-policy-hong-kong
"Do Not Call Compliance Policy (Hong Kong) (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/do-not-call-compliance-policy-hong-kong.
@misc{formslegal-do-not-call-compliance-policy-hong-kong,
author = {{Forms Legal}},
title = {Do Not Call Compliance Policy (Hong Kong) (Hong Kong)},
year = {2026},
howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/do-not-call-compliance-policy-hong-kong}},
note = {Free legal document template. Based on Unsolicited Electronic Messages Ordinance (Cap. 593)}
}Also available for these jurisdictions:
Frequently Asked Questions
The Unsolicited Electronic Messages Ordinance (Cap. 593), commonly known as the UEMO, is Hong Kong's primary legislation regulating unsolicited commercial electronic messages, including commercial telephone calls, fax messages, and email. The UEMO came into effect on 22 December 2007 and is administered by the Office of the Communications Authority (OFCA). The UEMO establishes Do Not Call registers for three types of communication: person-to-person telemarketing calls; pre-recorded telemarketing messages; and fax messages (the Do Not Fax Register). The UEMO also regulates commercial email messages under Cap. 593. For person-to-person calls: A sender must not make a commercial electronic message by telephone call to a number on the Do Not Call Register without the called person's consent to receive calls from that specific sender under Cap. 593. For commercial email: The UEMO requires all commercial email messages to include an unsubscribe facility, accurate sender information, and a valid contact address. Senders must honour unsubscribe requests within 10 business days under Cap. 593. Penalties: Contravention of the UEMO carries penalties of up to HK$100,000 for a first offence (person-to-person calls to DNC numbers) and higher penalties for subsequent offences under Cap. 593. For sending commercial electronic messages with misleading subject lines or sender information, the penalty is a fine of up to HK$100,000. Harvesting addresses using software carries a fine of up to HK$1,000,000. The UEMO works alongside PDPO (Cap.
The Do Not Call Register is maintained by the Office of the Communications Authority (OFCA) under the Unsolicited Electronic Messages Ordinance (Cap. 593). It allows Hong Kong telephone number holders to register their numbers to opt out of receiving unsolicited commercial person-to-person telephone calls and pre-recorded messages. Registration: Individuals can register their Hong Kong telephone numbers (landline and mobile) on the Do Not Call Register through the OFCA website, by telephone, or by fax. Registration is free and takes effect 10 business days after submission. Registration remains effective until the number holder cancels it. Obligation on senders: Before making commercial person-to-person calls, senders must check the Do Not Call Register. If a telephone number is on the register, the sender must not make unsolicited commercial calls to that number unless the number holder has given consent specifically to that sender. The register is updated regularly and senders must check it at least every 30 days. Consent exception: Even if a number is on the Do Not Call Register, a sender may make commercial calls if the number holder has given consent to receive calls from that specific sender. Consent may be given in writing, electronically, or verbally, but the sender bears the burden of proving consent. Compliance checking: OFCA provides a checking service that allows senders to check telephone numbers against the register before making calls. This service is essential for compliance.
The Personal Data (Privacy) Ordinance (Cap. 486) and the Unsolicited Electronic Messages Ordinance (Cap. 593) both regulate direct marketing in Hong Kong, but they address different aspects and both must be complied with simultaneously. PDPO Part VIA (Direct Marketing): Regulates the use of personal data for direct marketing purposes. Before using a person’s personal data for direct marketing, the data user must inform the person of the intended use and obtain their consent. The PDPO applies regardless of the communication channel — telephone, email, SMS, post, or any other medium. The PCPD enforces Part VIA. UEMO (Cap. 593): Regulates the sending of unsolicited commercial electronic messages. It specifically governs the method of communication — telephone calls, fax, and email. The UEMO establishes Do Not Call and Do Not Fax registers. OFCA enforces the UEMO. Dual compliance: An organisation that uses personal data to make commercial telephone calls must comply with both: the PDPO Part VIA (obtaining consent to use the personal data for direct marketing) and the UEMO (checking the Do Not Call Register and not calling registered numbers without consent). Non-compliance with either regime carries separate penalties.
The Unsolicited Electronic Messages Ordinance (Cap. 593) provides for both criminal penalties and enforcement actions. Do Not Call Register violations: Making or causing to be made a person-to-person commercial electronic message by telephone call to a number on the Do Not Call Register without consent is an offence. The penalty is a fine of up to HK$100,000 on first conviction. For subsequent convictions, the fine may be higher. Commercial email violations: Sending commercial email messages that do not include an unsubscribe facility, contain misleading sender information, or have deceptive subject lines is an offence. The penalty is a fine of up to HK$100,000. Harvesting addresses: Using address-harvesting software or harvested address lists to send commercial electronic messages is an offence carrying a fine of up to HK$1,000,000. Infringement notices: OFCA may issue infringement notices requiring the sender to comply with the UEMO. Failure to comply with an infringement notice is a criminal offence. Director liability: If an offence is committed by a body corporate with the consent or connivance of a director, the director may be personally liable. In addition to UEMO penalties, if the direct marketing also involves personal data, non-compliance with PDPO Part VIA carries separate and additional penalties: up to HK$500,000 and 3 years imprisonment for first offence, and up to HK$1,000,000 and 5 years for providing data to third parties for marketing without consent.
The Personal Data (Privacy) Ordinance (Cap. 486) Part VIA imposes specific obligations on data users who wish to use personal data for direct marketing, and breach of these obligations carries significant criminal penalties enforced by the Privacy Commissioner for Personal Data (PCPD). First offence — using personal data for direct marketing without consent: Under section 35C of the Personal Data (Privacy) Ordinance (Cap. 486), a data user who uses personal data for direct marketing without informing the data subject and obtaining their consent commits an offence. The penalty for a first conviction is a fine up to HK$500,000 and imprisonment for up to 3 years. First offence — providing personal data to third parties for marketing without consent: Under section 35D of Cap. 486, a data user who provides personal data to a third party for that third party's use in direct marketing without the data subject's explicit written consent commits a more serious offence. The penalty is a fine up to HK$1,000,000 and imprisonment for up to 5 years for a first conviction. This is one of the most serious offences under the PDPO. Opt-out failures: If a data user fails to stop using or providing a person's data for direct marketing after receiving an opt-out request under section 35G of Cap. 486, the data user commits an offence with a fine up to HK$500,000 and imprisonment up to 3 years. Opt-out requests must be processed without charge and without delay.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Privacy Policy (Hong Kong)
A Privacy Policy Statement for Hong Kong organisations compliant with the Personal Data (Privacy) Ordinance (Cap. 486). Addresses the six Data Protection Principles, data subject rights, direct marketing consent, cookies, and data breach handling as recommended by the PCPD.
Data Protection Policy (Hong Kong)
A Data Protection Policy for Hong Kong organisations ensuring compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and its six Data Protection Principles. Establishes rules for collecting, holding, processing, and using personal data, and addresses data subject rights under the PDPO.
Terms of Service (Hong Kong)
A comprehensive Terms of Service agreement for Hong Kong businesses, covering user obligations, liability limitations, intellectual property, and PDPO compliance.
E-Commerce Terms and Conditions (Hong Kong)
E-Commerce Terms and Conditions for Hong Kong online businesses governing the sale of goods and services through websites and mobile applications. Addresses the Electronic Transactions Ordinance (Cap. 553), Trade Descriptions Ordinance (Cap. 362), Sale of Goods Ordinance (Cap. 26), and consumer protection requirements.
Acceptable Use Policy (Hong Kong)
An Acceptable Use Policy (AUP) for Hong Kong organisations setting out the rules and guidelines for the proper use of company IT systems, networks, and digital resources. Governs employee conduct when accessing company technology, internet, email, and software under Hong Kong common law and practical compliance standards.