Cookies: Requirements Under the Hong Kong Personal Data (Privacy) Ordinance

Cookies, also known as HTTP cookies, are text files which are stored on a user’s computer to enable website owners to identify the user’s computer or electronic device. They are generally used by website owners to track a user’s online behaviour or interaction with websites.

These text files typically store information such as the user’s username, language preference and browsing habits. For example, cookies are one way website owners serve targeted advertisements which match a user’s browsing preferences.

The widespread use of cookies increasingly raises privacy concerns: a user’s browsing activities are often collected, might be transferred to third parties without the user’s knowledge, and might also be used for marketing purposes.

In Hong Kong, personal data covers information which relates to a living individual and can be used to ascertain that individual’s identity. It must also exist in a form in which access to or processing of it is practicable. When determining whether a piece of data is personal data, the totality of the circumstances should be taken into account (see Note 1 below).

In light of the above, whether cookies in a specific case are personal data depends on whether the cookies contain any data that can uniquely identify an individual. Website owners who deploy online tracking that involves the collection of personal data should consider the requirements under the Personal Data (Privacy) Ordinance, including the six Data Protection Principles.

Website owners intending to use cookies to collect information from users are recommended to:

  1. Inform website users about the kind of information being stored in the cookies, the purpose of collecting the information and how the information is collected;
  2. State whether the websites allow access by users who do not accept the use of cookies and whether there would be any loss of functionality resulting from not accepting cookies.

If the website deploys third-party cookies, the website owner should also set out the type of information being collected and/or transferred and the purposes of collecting the information (Notes 2 & 3).

When cookies are used to collect behavioural information, it is recommended that website owners should:

  1. Set up an appropriate expiry date for the cookies;
  2. Encrypt the contents of the cookies whenever appropriate; and
  3. Not deploy techniques that disregard browser settings on cookies unless they can provide an alternative to website users to disable the cookies or decline the use of cookies (Note 4).

It is also important for website owners to offer website users an option to disable or reject the cookies.

Many countries have recently expanded their regulations to cover cookies in their scope of personal data for better protection of data privacy. For more information, website owners or website users should observe the Guidance on Online Behavioural Tracking issued by the Office of the Privacy Commissioner for Personal Data.

Click here to read the original blogpost, “Cookies and what you need to know,” by Allison Lee of Ally Law member Boase Cohen & Collins.


  1. https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html
  2. https://www.pcpd.org.hk/english/publications/files/guidance_internet_e.pdf
  3. https://www.pcpd.org.hk/english/publications/files/GN_picspps_e.pdf
  4. https://www.pcpd.org.hk/english/publications/files/online_tracking_e.pdf