First published: 30th November 2007
The second phase of the Unsolicited Electronic Messages Ordinance (UEMO) will come into effect on the 22nd December, but not all of Hong Kong's companies and organisations have adapted to the requirements yet.
Some organisations appear to have reviewed and improved their procedures. For example, for several years the mailing list of the Hong Kong Institute of Marketing (HKIM) has had a broken unsubscribe mechanism: using the provided link would return a webpage reporting that the recipient had been unsubscribed, but the messages did not stop. However, in a recent posting the unsubscribe procedure had changed, and it appears to have been effective. Did HKIM check and fix this as a result of the UEMO, or is this a coincidence? Either way, it is an improvement.
Unfortunately, other organisations seem less well prepared. HSBC uses email to send promotional messages to customers who have provided their email address. The messages appear to fail to comply with some supplementary rules issued by OFTA. Commercial email messages are required to include the sender's name, address, telephone number and email address, but HSBC does not include its address.
The unsubscribe mechanism involves calling the bank's "Direct Financial Services Hotline" at a number listed in the message, where bank staff ask for personal information, such as HK ID card number and account numbers, in order to verify that the person calling is the owner of the account(s) that the email address is linked to. This does not comply with OFTA's rules, which say that the unsubscribe mechanism must be reachable from the device used to read the message. Also, the hotline reports that processing the unsubscribe request takes 4 to 6 weeks, longer than the 10 days required by the UEMO.
Ironically, the promotional message also states, "HSBC will never contact you by email or otherwise to ask you to validate personal information such as your user ID, password or account numbers. If you receive such a request, please call our Direct Financial Services hotline on...", yet, in order to unsubscribe, they instruct customers to call a number provided in the email, where the customer will be asked for HK ID number and account numbers. Are they unaware that a criminal could send fake messages with a different phone number, and ask customers who call for these important details? Why hasn't the HKMA issued guidelines forbidding banks from requesting sensitive data by phone?
In summary, the HSBC marketing email appears to fail to comply with the UEMO rules in these ways:
- The address of HSBC is not included
- It is not possible to unsubscribe from a computer
- The unsubscribe mechanism is not easy to use
- The unsubscription takes more than 10 days
With less than four weeks until phase 2 comes into force, there is very little time for companies to fix problems like these.