Online contracting and e-commerce under Hong Kong law
Q&A Legal analysis of the current legal framework
21 May 2020
Can contracts be electronically signed? Are browsewrap and clickwrap contracts enforceable? Can standard terms be incorporated if communicated electronically? Our Q&A addresses these and more questions.
1. Are there restrictions on advertising digitally?
Trade Descriptions Ordinance
The main consumer protection legislation governing advertisements, including digital advertisements, is the Trade Descriptions Ordinance (Cap 362) (TDO). The TDO prohibits the use of a false trade description in relation to goods or services.
Likewise, it is an offence under the TDO for a trader to engage in advertising and marketing that amounts to a misleading omission by hiding material information or providing it in an unclear or untimely manner. Other offences under the TDO include bait advertising (advertising at a price at which the trader then fails to offer a reasonable supply) and bait-and-switch (inviting consumers to purchase and then refusing to show the product or take orders, with the real intention of promoting a different product).
An innocent publication defence is available to those involved in the business of publication of advertisements.
Industry-specific advertising regulation
Depending on the type of goods or services promoted, other industry-specific advertising restrictions may apply. For example, advertisements of financial services and products may need to meet certain requirements under the Securities and Futures Ordinance (Cap 571) (SFO) and codes and guidelines published by the Securities and Futures Commission (SFC) (such as the advertising guidelines applicable to collective investments schemes and guidelines on online platforms and advisory services, the latter requiring up-to-date product offering documents, information as to the scope and limitations of services, and disclosure of commission, brokerage and other fees).
Other advertising restrictions in relation to food, drugs and the medical sector apply by virtue of the Public Health and Municipal Services Ordinance (Cap 132), the Food and Drugs (Composition and Labelling) Regulations (Cap 132W) and the Undesirable Medical Advertisement Ordinance (Cap 231).
2. Is there any prohibition or restriction against "spam"?
"Spam" may be sent provided that the requirements under the Unsolicited Electronic Messages Ordinance (Cap 593) (UEMO) and the Personal Data (Privacy) Ordinance (Cap 486) (PDPO) are met.
Unsolicited Electronic Messages Ordinance
The UEMO regulates unsolicited electronic messages for advertisement, promotion or offering to supply goods, services or business or investment opportunities by email, instant messaging or other media.
The UEMO requires the relevant electronic message to: (i) contain accurate information about the sender's identity and contact details; (ii) contain an unsubscribe facility, and (iii) not use a misleading subject heading.
In addition, the sending of electronic messages using address-harvesting software or a harvested address list without addressee consent is a criminal offence under the UEMO.
The Communications Authority has issued a Code of Practice on Sending Commercial Electronic Messages under UEMO to provide practical guidance on UEMO requirements.
Personal Data (Privacy) Ordinance
The PDPO regulates the collection and use of personal data, including for direct marketing. "Spam" will involve personal data and trigger the application of the PDPO if it identifies the intended recipient by his or her name. Consent of the recipient must be sought. Non-response does not constitute consent, whereas ticking a box to indicate no objection does constitute consent. Data may not be transferred (even to subsidiaries or associated companies) for direct marketing purposes without written consent. There must be notification of certain rights, such as the right to opt out and the right to request access to and correction of data collected. Further, personal data handling policies must be published. Contravention of some of these requirements carries criminal sanctions.
The Privacy Commissioner has published guidance on direct marketing.
3. Do products displayed on a website or app constitute a binding offer to supply upon acceptance?
It depends on how the product display is presented on the website or app and the language used. The principles in relation to traditional storefront product displays are well established: such a display is generally treated as an invitation to treat, as opposed to a binding offer to supply. However, in a landmark Singapore case, a distinction was drawn between products displayed in a traditional storefront and products displayed on a website, because the latter has a worldwide reach and integrates a traditional storefront with advertising, catalogues and physical shopping, and because there is no immediate ability on the part of the customer to physically view the stock available, or on the part of the merchant to turn down an offer to purchase. The court held that the binding nature of an online product display is thus a matter of language and intention, objectively ascertained. Online businesses can make it clear that any offer is subject to the availability of stock, or that a contract will only be formed when acceptance of the order is subsequently expressly confirmed by email; in such a case, it is unlikely that the mere act of displaying products online will be viewed as a binding offer to supply.
4. In light of the popularity of online auction platforms such as eBay, are sellers bound to supply to the highest bidder?
It depends on the terms.
We are not aware of any Hong Kong case specifically touching upon online auctioning. However, in an Australian case, the court ruled that on eBay the seller was bound to sell its goods to the highest bidder, even though the highest bid was at the minimum bid set. Use of wording such as "without reserve" will also indicate that goods put up for auction constitute a binding offer to be accepted by the highest bidder. The Australian case opened up another issue by classifying eBay as an auctioneer (rejecting eBay's attempts to distinguish itself through wording in its user agreement), namely an auctioneer's potential liability for sellers' activities such as infringing intellectual property.
5. Can contracts be electronically signed?
In general, documents including contracts may be signed electronically or digitally. There are exceptions, however, and these are listed in Schedule 1 to the Electronic Transactions Ordinance (Cap 553) (ETO). The exceptions are unlikely to be relevant to e-commerce and include documents such as wills, trust documents, powers of attorney and some negotiable instruments.
The ETO distinguishes electronic and digital signatures. It allows the use of electronic signatures for documents if neither party is, or is acting on behalf of, a government entity. For documents involving government entities, digital signatures must be used.
In terms of electronic signatures, the method must be reliable and appropriate, and the other party must consent to the method. Acceptable methods include the application of an electronic image (jpeg file) of a signature, making a mark, or taking some action electronically to indicate consent. The sender typing his name at the bottom of an email has been recognised in Hong Kong, English and Australian case law to constitute an electronic signature. Further, an electronic signature appearing in an associated document is acceptable (and need not appear in the document in question).
Digital signatures on the other hand must be supported by and generated within the validity of a certificate issued by a certification authority recognised under the ETO such as the Hong Kong Post Certification Authority.
Whilst the above discusses the Hong Kong law position, if the document needs to be recognised or accepted elsewhere, consideration of foreign law will be required. See our electronic signature briefing for an introduction to the position globally.
6. Are browsewrap and clickwrap contracts enforceable?
Clickwrap contracts are likely enforceable, whereas the position with browsewrap contracts is less clear cut.
A clickwrap contract is a contract which requires a user to actively indicate acceptance or agreement by, for example, clicking an "I Accept" or similar button or icon, ticking a box, or tracing a manuscript signature. A browsewrap contract is a contract, the terms of which often appear as a hyperlink on the relevant website, which a user is taken to accept by the mere act of browsing and using the website. We are not aware of any case in Hong Kong specifically dealing with the enforceability of clickwrap or browsewrap contracts. That said, it is a matter of considering traditional contractual principles of offer and acceptance, consideration and intention to create legal relations.
Clickwrap contracts are defined by the user taking positive action to indicate agreement such as clicking or ticking a button or box. An English case held that a clickwrap contract whereby the relevant party clicked an "I Accept" button is enforceable.
On the other hand, there is no definitive answer in relation to browsewrap contracts by the English courts. Similarly, US case law has found browsewrap contracts to be both enforceable and unenforceable with the cases very much turning on their individual facts. The facts go to the extent of actual awareness of the terms or whether the user can be taken to have notice of the terms.
7. Can standard terms be incorporated if communicated electronically?
Standard terms and conditions that users might be requested to accept in the context of e-commerce include clarification of online businesses' intellectual property rights such as over materials on their websites; limiting the scope of liability or other contractual protection against unauthorised links, data scraping (see the answer to question 13) or errors and omissions on their websites; personal data protection and privacy policies, and/or incorporation of dispute resolution provisions such as arbitration clauses.
At common law, standard terms can only be validly incorporated if reasonable steps are taken to give notice and bring them to the attention of the relevant party before or at the time the contract is formed. In order to incorporate, online businesses can consider designing their website such that customers must scroll through the whole of the terms and conditions and click a button or check a box indicating acceptance before they are able to place an order online. Hong Kong case law has also held that referencing standard terms routinely in email correspondence is sufficient to incorporate them.
See also the answer to question 6 on clickwrap and browsewrap contracts.
8. How are electronic payments regulated?
Payment Systems and Stored Value Facilities Ordinance and Monetary Authority guidance
Under the current legislative framework, electronic payment services operated by banks, deposit-taking companies, retail payment system operators (for example, Visa, Mastercard, UnionPay, JETCO and EPS) and stored-value facility (SVF) operators (such as Octopus, AliPay, WeChat Pay, Autotoll and PayPal) are required to be licensed or designated by the Hong Kong Monetary Authority (HKMA) and are subject to the Banking Ordinance (Cap 155) and/or the Payment Systems and Stored Value Facilities Ordinance (Cap 584) (PSSVFO). The HKMA has issued various guidance to retail payment system operators, including the Explanatory Note on Designation of Retail Payment Systems and the Code of Practice for Payment Card Scheme Operators, and to SVF licensees, including the Explanatory Note on Licensing for SVF, the Guideline on Supervision of SVF Licensees, the Practice Note on Supervision of SVF Licensees and the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (for SVF Licensees).
Initiatives introduced by the HKMA to promote electronic payments in Hong Kong include the Faster Payment System and the Common QR Code Standard for Retail Payments, which facilitates conversion into a single QR code for different service providers.
Electronic Transactions Ordinance
Electronic records produced from electronic payments are subject to the ETO. The ETO provides that where the law requires information to be retained, such requirements may be satisfied by retaining electronic records if the electronic records remain accessible and usable for subsequent reference; are retained in their original format or in a format accurately representing the original information, and information as to the electronic record's origin, destination, and date and time of sending or receiving is retained.
Personal Data (Privacy) Ordinance
Operators should also note the requirements of the PDPO if personal data is used for verification purposes or is otherwise involved in the course of electronic payment. Issues to consider include keeping data for no longer than necessary and taking appropriate security measures to protect it.
10. Are there restrictions on website content?
Control of Obscene and Indecent Articles Ordinance
Internet and mobile content published in Hong Kong is regulated by the Control of Obscene and Indecent Articles Ordinance (Cap 390) (COIAO), which otherwise has wide application covering any material to be read and/or looked at. Indecent articles not suitable for those under the age of 18 may only be published subject to conditions, whereas obscene articles are prohibited from publication altogether. Indecent and obscene articles include those that are violent, depraved or repulsive. Government-published FAQs regarding the COIAO regime can be found here.
Further, businesses should ensure that their websites do not include content that infringes intellectual property, contains misrepresentations, or is defamatory.
Doxing and cyberbullying may constitute criminal offences under section 64 of the PDPO. The offences are currently enforced by the police and the Department of Justice; the Privacy Commissioner has no power to request removal of doxing content from websites or social media platforms. Amendments to the PDPO in this regard were proposed in January 2020 and the government is further studying and considering them.
For more on personal data protection and privacy issues, please see the answers to questions 11 to 13.
11. What are the limitations on collection and use of personal data?
In Hong Kong, the PDPO regulates the collection and use of personal data. Currently, only data users controlling the collection or use of personal data are regulated. Reforms to the PDPO proposed in January 2020 seek to widen the regulatory net. The government is studying whether to hold data processors (those who process data on behalf of others and not for their own purposes) directly accountable.
Guidance by the Privacy Commissioner related to the Internet and mobile apps
The Privacy Commissioner's guidance on collection and use of personal data through the Internet can be found here. Under the PDPO, only necessary personal data may be collected by data users. By way of example, for online purchase and delivery, it might be necessary to collect the credit card number and residential address of the customer, but not the customer's gender or date of birth.
Further, data users may only collect personal data by lawful and fair means, and personal data and privacy policies must be transparent. The Privacy Commissioner suggests that an organisation display its personal data and privacy policies, as well as a personal information collection statement, clearly and conspicuously, say on a linked page accessible from the membership registration or customer agreement page on its website.
The Privacy Commissioner's best practice guide for mobile app development can also be found here.
12. What are the restrictions on storage of personal data? What should be done to secure it? Can data be stored on a cloud? Can cookies be used?
Under the PDPO, personal data must be kept for no longer than necessary. All practical steps must also be taken to ensure that any personal data is protected against unauthorised or accidental access, processing, erasure, loss or use. There is currently no definite retention period spelt out in the PDPO or statutory requirement to notify of a data breach. In January 2020, changes were proposed to the PDPO including requiring the formulation of clear retention policies and data breaches to be notified to the Privacy Commissioner if they involve a real risk of significant harm.
In terms of keeping personal data for no longer than necessary, the mobile app development guidance by the Privacy Commissioner contains general suggestions, such as avoiding automatic and continuous collection, and more specific suggestions, such as, if a user's contact list is uploaded and used every time the app in question runs, erasing the contact list as soon as it is not needed, or at least deleting unnecessary data such as names if only telephone numbers are required.
The Privacy Commissioner also suggests, in relation to security of storage and transmission of personal data, that an organisation consider the use of technological safeguards if it hosts an app or maintains a database which allows access to personal data online. Measures to be considered include access and password controls; firewalls; encryption; security patch management procedures so that security patches released by software vendors are applied in a timely manner; vulnerability scanning; data loss prevention systems, and privacy enhancing technologies (for more on privacy enhancing technologies and the issue of data scraping, see the answer to question 13).
Whilst there is no prohibition against the use of cloud storage, if a data user engages a data processor which uses cloud storage, it will need to adopt contractual means to protect itself as the PDPO currently holds data users and not data processors accountable (unless the reforms discussed at question 11 are implemented). Data users will need to consider issues of data retention and security when it comes to cloud storage.
Industry regulators may also have a say on cloud storage. The SFC issued a circular to licensed corporations on the use of external electronic data storage providers (EDSPs) in October 2019. The term EDSP is broadly defined to include public and private cloud services. The SFC emphasised the importance of the authenticity, integrity and reliability of regulatory records, as well as the ability to access them promptly. A link to our RIFC blog post discussing the circular in more detail can be found here.
In relation to cookies, the same data protection requirements outlined above must be observed. The Privacy Commissioner suggests that if third party cookies are deployed, organisations explicitly state what kind of information such cookies collect and to whom the information will be transferred and for what purposes, as well as whether users have the option to choose whether to accept cookies and if so, the consequences for non-acceptance such as affecting the proper functioning of the website. The Privacy Commissioner's guidance can be found here.
13. What can be done to protect against data scraping?
Data or web scraping refers to the process of a computer program extracting data, in human-readable output, from another program or website. The scraped data is generally combined and stored in a spreadsheet and/or on a local system and used for various purposes such as recruitment, assessment of credit risk, marketing, and analysis of trends and sentiment.
Technical measures and safeguards
Businesses should implement appropriate technical measures and safeguards to ensure there is no unauthorised access to personal data, in particular by way of data scraping. Some suggested technical data security measures are discussed at question 12. Others include rate limiting the maximum number of requests a particular IP address is able to make over a given window of time (to limit the amount of data scraping that can occur in the relevant window); avoiding the use of easily predictable methods, such as sequential variables in URLs, to retrieve personal data (which reduces the risk of unauthorised access by guessing the URL), and anti-robot protocols and verification to prevent search engines from indexing websites and downloading databases in bulk by automation. Anti-robot verification may involve incorporating a Completely Automated Public Turing test to tell Computers and Humans Apart (or CAPTCHA) in the user experience, which operates by stretching or manipulating letters, numbers or pictures in such a way as to require human interpretation and judgment.
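As an added illustration (not part of the original Q&A), the following example implements two of the technical measures described above: a per-IP sliding-window rate limit and opaque, non-sequential identifiers for URLs that return personal data. The limits, class names and the client address 203.0.113.7 are constructed for the example and are not taken from any guidance.

```python
"""Added example: per-IP sliding-window rate limiting and opaque record
identifiers, two anti-scraping controls. All names and limits are
illustrative assumptions, not from the Privacy Commissioner's guidance."""
import secrets
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests from one client IP in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: a real server would answer HTTP 429
        q.append(now)
        return True


class OpaqueRecordStore:
    """Expose records under random tokens rather than sequential ids, so that
    /customer/1, /customer/2, ... cannot simply be enumerated."""

    def __init__(self):
        self._by_token = {}
        self._token_of = {}

    def add(self, record_id: int, record: dict) -> str:
        token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
        self._by_token[token] = record
        self._token_of[record_id] = token
        return token

    def token_for(self, record_id: int) -> str:
        return self._token_of[record_id]

    def lookup(self, token: str):
        # Unknown or guessed tokens return None instead of leaking a record.
        return self._by_token.get(token)


def simulate_client(limiter, attempts: int, interval: float,
                    ip: str = "203.0.113.7") -> int:
    """Constructed traffic: one client sending `attempts` requests `interval`
    seconds apart. Returns how many requests the limiter let through."""
    allowed = 0
    for i in range(attempts):
        if limiter.allow(ip, i * interval):
            allowed += 1
    return allowed


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=10, window=60)
    print("fast scraper, 100 req/100 s:", simulate_client(limiter, 100, 1.0))
    print("browsing user, 20 req/120 s:",
          simulate_client(SlidingWindowLimiter(10, 60), 20, 6.0))
    store = OpaqueRecordStore()
    tok = store.add(1, {"name": "constructed example", "phone": "+852 0000 0000"})
    print("record URL uses token:", "/customer/" + tok)
    print("guessing /customer/1 yields:", store.lookup("1"))
```

A fast client sending one request per second is held to 10 requests per minute, while a human browsing at a request every six seconds is never blocked; guessed sequential identifiers return nothing.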
Contractual and other protection
14. If the website is aimed at children, what precautions should be taken?
There is no specific legislation that deals with websites targeted at children. That said, businesses should bear in mind the general law discussed below.
Sale of Goods Ordinance
Whilst a minor under the age of 18 may enter into a contract, the other party bears the risk of the contract being voidable at the option of the minor. However, this is subject to the Sale of Goods Ordinance (Cap 26), which provides that where "necessaries" are sold and delivered to a minor, the seller can sue for a reasonable price to be paid. Necessaries are goods suitable to the condition in life and actual requirements of the minor in question.
Website content should be child-friendly. As discussed at question 10, the Control of Obscene and Indecent Articles Ordinance (Cap 390) prohibits the publication of obscene articles and makes conditional the publication of indecent articles to minors. The Betting Duty Ordinance (Cap 108) prohibits the acceptance of bets from minors and advertising or promotional activities aimed at minors in relation to betting on horse racing, football matches and lotteries.
Further, care must be taken to ensure compliance with the PDPO. The Privacy Commissioner suggests that organisations bear in mind children's vulnerability and adopt age-appropriate approaches; generally avoid collection of personal data from children, and encourage children to involve their parents. Guidance from the Privacy Commissioner for data users targeting children through the Internet can be found here.
15. What other legislation should you be aware of in the online supply of products and services?
The following legislation may be of relevance in the context of e-commerce:
- Sale of Goods Ordinance (Cap 26), which protects consumers and governs contracts for the sale of goods including providing for implied conditions for goods to be of merchantable quality, fit for purpose and corresponding to the description by the seller.
- Consumer Goods Safety Ordinance (Cap 456), which imposes a duty on suppliers (as well as manufacturers and importers) of consumer goods (subject to exception) to ensure they are reasonably safe.
- Supply of Services (Implied Terms) Ordinance (Cap 457), which protects consumers and governs contracts for the supply of services including providing for implied terms such as requiring services to be carried out with reasonable care and skill, and where the contract is silent, within a reasonable time and for a reasonable charge.
- Misrepresentation Ordinance (Cap 284), which supplements the common law and deals with a contract entered into after a misrepresentation (including negligent misrepresentation) and the entitlement to rescind the contract and damages.
- Control of Exemption Clauses Ordinance (Cap 71), which protects consumers and regulates exemption clauses in contracts. Clauses excluding or restricting liability for death or personal injury resulting from negligence are not effective. The validity of clauses in consumer contracts excluding or restricting liability for breach is subject to the test of reasonableness.
- Unconscionable Contracts Ordinance (Cap 458), which applies to contracts for the sale or supply of goods or services. In considering whether a contract is unconscionable, the court looks at such factors as the relative bargaining positions of the consumer and the other party, and whether the consumer was able to understand the relevant documents. If a contract or part thereof is found to be unconscionable, the court may refuse to enforce the same; enforce the remainder without the unconscionable part, or limit the application of or revise any unconscionable part.