There are many types of Unsolicited Electronic Messages ("UEM"), for example, electronic marketing messages promoting products or services that can be sent as text and pre-recorded voice messages to telephones, to fax machines or to email addresses.

The UEMO cover any messages:

1. with a commercial purpose (e.g. promoting a product or service or a service provider);
2. sent over a public telecommunications service (e.g. pre-recorded voice messages sent to a mobile number, SMS messages, faxes, emails); and
3. with a Hong Kong link:
   • in general, sent from HK or received in HK;
   • but also include sent to a Hong Kong telephone number which may have roamed outside of HK

   except for messages that fall into the exemptions as provided in Schedule 1 of the UEMO.

Examples of electronic messages covered by the UEMO are:

• a pre-recorded voice message sent to a Hong Kong mobile telephone number, selling any products or services such as medical services;
• a fax advertisement sent to a company in Hong Kong, selling any products or services such as printer toner cartridges; and
• an email sent to an email address which the registered user accessed whilst physically in Hong Kong, offering any products or services such as printing of business cards.

The UEMO contains a list of exempted electronic messages in Schedule 1. The regulatory requirements will NOT apply to those messages, including:

• person-to-person calls;
• messages sent in response to the recipient's specific requests, such as fax-on-demand; or
• messages such as invoices or receipts to confirm a commercial transaction that the recipient has previously agreed to enter into with the sender.

Yes, commercial electronic messages received in Hong Kong are covered (whether the recipient is a Hong Kong resident or not). In addition to enforcement under the UEMO, we maintain close liaison with overseas enforcement agencies to join forces in combating spam-related crimes.

Yes, as long as your mobile number is a Hong Kong mobile number, it is immaterial where you receive the message and the UEMO will still be applicable.

The UEMO regulates commercial electronic messages that have a Hong Kong link. The definition of "commercial electronic message" is given in section 2 of the UEMO. Whether a message is commercial in nature has to be determined on a case-by-case basis, taking into account matters including the purpose and content of the concerned message. The nature of the sending organisation is not the only factor that would be considered. If the purpose (or one of the purposes) of the message sent by a non-profit making / charitable / religious organisation meets the criteria set under section 2 of the UEMO, the message would be considered as a commercial message.

Any individual or business contravening the UEMO may be liable to a fine or imprisonment, according to the following:

In addition, anyone who has suffered loss or damage as a result of a contravention of the UEMO may take his/her own individual civil action against those who committed the contraventions, irrespective of whether they have been convicted.

If, following the completion of an investigation, the CA is of the opinion that a person has contravened the rules of sending commercial electronic messages and it is likely that the contravention will continue or be repeated, then the CA will issue an enforcement notice to that person specifying the contravention and the steps required to remedy the contravention within a prescribed period of time.

Contravention of an enforcement notice is an offence, punishable by a fine up to HK$100,000. Continuing offences would be punishable by a further fine of HK$1,000 a day.

Anyone who has suffered loss or damage as a result of a contravention of the UEMO may take his/her own individual civil action against those who committed the contraventions, irrespective of whether they have been convicted.

Under an opt-out regime, a sender may send out unsolicited messages to electronic addresses if he/she follows the rules of sending of commercial electronic messages. The rules include:

1. to include sender information in the message to enable the recipients to identify who the senders (or the organisations authorising the sending of the message) are and how to contact them;
2. to provide one or more unsubscribe facilities, and describe such facilities in the message, to enable the recipients to send unsubscribe requests to the party authorising the sending of the message;
3. to cease sending further messages to those electronic addresses which the registered users has submitted an unsubscribe request via the unsubscribe facility; and
4. not to send commercial electronic messages to electronic addresses which are listed in do-not-call registers.

The registered user of the receiving electronic address can:

1. find out from the message who the sender is and contact the sender if necessary;
2. stop further commercial electronic messages from the same sender at his/her electronic address by using the provided unsubscribe facility to send an unsubscribe request to the sender; and
3. stop further commercial electronic messages from all senders (except those to whom consent is given) at his/her electronic address by registration in the Do-not-call Registers.

The opt-out regime can be contrasted with the opt-in regime in which prior consent must be obtained from the registered user of an electronic address before a commercial electronic message can be sent.

The Unsolicited Electronic Messages Ordinance (UEMO) is the main body of the legislation. The Unsolicited Electronic Messages Regulation (UEMR) is the subsidiary legislation prescribing detailed requirements relating to "sender information" and "unsubscribe requests" to be included in messages. The Code of Practice provides guidance in respect of the application or operation of the provisions of the UEMO. Although codes of practice are not statutory requirements and failure to observe such codes of practice would not be subject to legal proceedings, they represent the views of the CA on how certain statutory provisions should be applied or operated and are admissible in evidence in legal proceedings. If the court is satisfied that a code of practice is relevant to determining a matter at issue, failure to observe the code of practice may be relied upon to establish or negate that matter.

CA is the enforcement agency for Part 2 of the UEMO.

In the case of pre-recorded voice or video messages, the required sender information includes the sender's name, address and contact telephone number. Instead of directly providing the address and contact number, the sender may provide a facility by which the recipient may enter a key specified in the message to immediately request to be provided with the address and the contact telephone number.

In the case of fax, the required sender information includes the sender's name, address and contact telephone number.

In the case of SMS, the required sender information includes the sender's name, address and contact telephone number. The address may be omitted from the message if the recipient is able to obtain the address by using the contact telephone number.

In the case of email, the required sender information includes the sender's name, address, contact telephone number and contact email address.

No. The address required under the UEMR, in relation to an individual or organisation, means the address of his or its usual place of business, but does not include a postal box address.

The UEMR (section 9) requires that:

1. in the case of SMS, at least a HK telephone number with which unsubscribe requests may be made orally or by entering key inputs has to be provided as the unsubscribe facility;
2. in other cases, at least one of the unsubscribe facilities provided must be capable of receiving an unsubscribe request transmitted from the telecommunication device that is used by the recipient to access the message. Guidance is further given in the CoP such that:
   1. in the case of pre-recorded voice or video telephone calls, at least one unsubscribe facility should be activated by key input of a specified one-digit number, and should be ready for use immediately after the unsubscribe facility statement has been given and should be available throughout the duration when the rest of the message is being played;
   2. in the case of a facsimile, at least one unsubscribe facility should be a Hong Kong facsimile number; and
   3. in the case of an email, at least one unsubscribe facility should be an email address, a web page or a web address;

The sender should, within 10 working days from the day on which the unsubscribe request is sent, stop sending any further commercial electronic messages to the electronic address in respect of which the unsubscribe request was sent.

Section 6 and 7 of the UEMR requires the sender information and the unsubscribe facility statement to be given in both Chinese and English. However, if the recipient has indicated to the sender that these can be given solely in one language (for example, by asking the recipient for his language preference at the beginning of the pre-recorded voice message), the sender may give the information solely in that language.

It is recognised that some individual or organisation may not have a Chinese name. Similarly, an overseas company will have difficulty to provide their address in Chinese. Section 6(3) and (4) of the UEMR provides that in such circumstances, the particular information of name and address can be given in either Chinese or English only.

The UEMR imposes some conditions on the order of presenting the sender information and the unsubscribe facility statement in the case of pre-recorded voice or video messages. This is aimed to facilitate the recipients to identify the sender and decide whether to listen on quickly.

If the sender is providing a key input to request for address and/or telephone number, the name of the sender, the key and the unsubscribe facility statement should be presented at the beginning of the message, in the order of:

1. first, the name
2. secondly, the unsubscribe facility statement; and
3. thirdly, the specified key input (section 8(3) of the UEMR).

Otherwise, the sender information and the unsubscribe facility statement should be presented at the beginning of the message, in the order of:

1. first, the name;
2. secondly, the unsubscribe facility statement; and
3. thirdly, other sender information including the contact telephone number and address (section 8(2) of the UEMR).

In addition, the CoP suggests that the sender information and the unsubscribe facility statement should be presented at such speed so as to be reasonably audible (paragraphs 6.3(a) and 8.3(a) of the CoP).

For fax or email messages, the CoP has provided guidelines in paragraph 6 and paragraph 8. In general, the CoP suggests that the sender information can be presented prominently at the top, or the bottom, of the first page of the fax message or the body of the email message. The sender information should be reasonably visible in terms of font size, position and contrast.

Similarly, the unsubscribe facility statement should be:

1. prominently displayed either at the top or at the bottom of the first page of the fax message;
2. reasonably visible in terms of font size, position and contrast; and
3. separate and distinguishable from the commercial content of the message.

For SMS, the CoP has detail guidelines on the label to precede the contact telephone number and the unsubscribe facility telephone number. Details can be found in paragraph 6.4 and 8.4 of the CoP.

Section 9(1)(f) of the UEMO requires the unsubscribe facility to be reasonably likely to be capable of receiving the recipient's unsubscribe request at all times during a period of at least 30 days after the message is sent. The CoP gives further guideline that if a telephone number or a facsimile number is provided as the unsubscribe facility, the sender should use reasonable endeavours and take into account the volume and rate of commercial electronic messages being sent to design the capacity of the concerned telecommunications line (and the relevant human resources if applicable) so that the unsubscribe facility has adequate capacity to receive the incoming unsubscribe requests.

According to section 9(3) of the UEMO, the sender should retain a record of unsubscribe requests in a format in which they were originally received, or in a format that can be demonstrated to represent accurately the information originally received, for at least 3 years after their receipt.

Therefore, how the record should be kept depends on the actual unsubscribe facility provisioned. If you are taking the suggestions given the CoP to provide the unsubscribe facility, you would be able to retain a record of the unsubscribe request in the following formats:

The offences in Part 3 of the UEMO are unscrupulous techniques to expand the reach of commercial electronic messages. In general, there are legitimate uses of these techniques in isolation.However, if they are used in connection with the sending of commercial electronic messages, the sender will be able to send out messages to more recipients or in a shorter time.These techniques are prohibited for use in connection with the sending of commercial electronic messages, so as to minimise the nuisance caused to recipients.

The enforcement agency for Part 3 of the UEMO is CA.

¹ Address harvesting software means software that is specifically designed or marketed for use for searching the Internet or a public telecommunications network, and collecting electronic addresses such as telephone numbers or email addresses

The UEMO also places a number of requirements on how commercial electronic messages should be sent using technical infrastructure. These requirements include:

1. Not to use automated means to generate an electronic address to which a commercial electronic message is sent (section 18 of the UEMO);
2. Not to use scripts or other automated means to register for 5 or more email addresses (section 19 of the UEMO);
3. Not to relay or retransmit multiple commercial electronic messages with the intent to deceive or mislead recipients, or any telecommunications service provider, as to the source of such messages (section 20 of the UEMO);
4. Not to access a telecommunications device without authorisation to send multiple commercial electronic messages (section 22 of the UEMO);
5. Not to initiate transmission of multiple commercial electronic messages from a telecommunications device, service or network without authorisation, with the intent to deceive or mislead recipients as to the source of such messages (section 23 of the UEMO);
6. Not to falsify header information in multiple commercial electronic messages and send such messages (section 24 of the UEMO);
7. Not to register for 5 or more electronic addresses or 2 or more domain names with information that materially falsifies the identity of the actual registrant, and knowingly initiates the transmission of multiple commercial electronic messages from such electronic addresses or domains; and
8. Not to falsely represents as the registrant of 5 or more electronic addresses or 2 or more domain names, and knowingly initiates the transmission of multiple commercial electronic messages from such electronic addresses or domains.

In summary, you should:

• Only use email addresses or domains that are legitimately registered with true identification information;
• Leave it to the email software to create the email header information;
• Not send your email through open/unauthorised relay or proxy;
• Not to use automated means to generate email addresses; and
• Not to use throwaway email accounts.

In order to expand the reach of messages, spammers may make use of address-harvesting software and/or harvested-address lists when creating distribution lists. Address-harvesting software is defined in section 14(1) of the UEMO and in general, means software specially designed to search the Internet or a public telecommunications network to collect electronic addresses.

The UEMO bans the supply, acquisition or use of address-harvesting software and/or harvested-address lists for the purpose of sending UEMs. If you are supplying or acquiring address list for marketing purposes, you should make sure that such lists are not created by using address-harvesting software.

Businesses and organisations, which need to publish their email addresses on the Internet, may consider displaying the addresses in a way that makes address harvesting more difficult. For tips on protecting email addresses from being harvested and other methods to reduce incoming spam, please refer to the Government's Information Security (InfoSec) website.

Dictionary or brute force attacks are often referred to as automated techniques used by email spammers to reach out to a large number of email recipients easily. These techniques try to use an automated means to mix/join all possible words/names or combinations of letters and alphabets to formulate recipient email addresses with a hope to reach some valid mailboxes. The ban on the use of such automated techniques under the UEMO is not only limited to email messages, but rather generally on all types of electronic messages. Lists generated manually are not prohibited.

Scripts or other automated means to create multiple email accounts are occasionally used by system administrators or telecommunications service providers to perform administration of information systems efficiently. However, these are also used by email spammers to create multiple email accounts for temporary use to send spam email messages. The spammers will normally discard these email accounts after a short while and move on to a new set, in order to avoid detection.

The UEMO bans the use of scripts or automated means to register for five or more email accounts for subsequent sending of multiple UEMs.

An open relay refers to an email server that lets a third-party send emails to other parties. It comes about when the mail server processes a mail where neither the sender nor the recipient is a local or a known user to the server. Email sent in this way will only bear the email server's IP address and not that of the third-party.

By exploiting open relays, email spammers can conceal their true IP addresses so that recipients of the spam email messages have no means to find out the real source. Such exploitation is prohibited under the UEMO.

It is possible for a computer to be running an open proxy or open relay without the knowledge of the computer's owner. This can be the result of mis-configuration of email server running on their computer, or of infection with malware (such as viruses, trojans or worms). To better protect yourselves and your company, IT administrators should ensure that:

• their network and computers are protected with the right security arrangements;
• their servers are not running any open relay or open proxy software; and
• their email messages are not routed through any relay or proxy not under their control.

If in doubt, you should consult qualified IT security professionals.

The offences in Part 4 of the UEMO are fraud and other illicit activities related to the sending of multiple commercial electronic messages. In general, these activities are associated with professional spammers that send out large quantity of messages.The professional spammers use these techniques to cover their track and avoid being identified. As these activities are fraudulent in nature, these cases will be investigated by the Hong Kong Police Force.

² "Multiple commercial electronic messages" mean transmission of more than 100 commercial electronic messages during a 24 hour period, or more than 1000 commercial electronic messages during a 30-day period.

³ A computer attached to the Internet that has been compromised by a hacker, a computer virus, or aTrojan program. Such computers are usually used to perform malicious tasks such as spamming under remote direction, with the owner normally unaware of such tasks.

⁴ Header is machine-generated information about the source or routing of the electronic message such as calling line identifications or IP addresses.It does not include the 'from' field in email message which can easily be altered by senders.

With the UEMO fully effective from 22 December 2007,:

• you can register your fixed, mobile or fax numbers in the do-not-call registers;
• you can use the unsubscribe facility provided in the commercial electronic message to send an unsubscribe request to the sender;
• you can report any contravention to the rules for sending commercial electronic messages to CA. These rules include:
  • the sending of commercial electronic messages without accurate sender information for you to contact the sender;
  • the sending of commercial electronic messages without providing you with "unsubscribe" facilities;
  • not honouring your "unsubscribe" request within ten (10) working days;
  • the sending of commercial electronic messages to any telephone or fax number registered in the do-not-call registers (applicable to fax, short messages and pre-recorded messages only) starting from the tenth (10) working day of its registration, unless consent has been given by the registered user of the relevant telephone or fax number;
  • using misleading subject headings in commercial email messages; and
  • withholding CLI when sending a commercial electronic messages to a telephone number.
  CA will investigate and may issue enforcement notice to the sender;
• if you suspect that someone is selling or using harvested address lists, you should report it to CA. CA will investigate and may take prosecution action against the seller or user; and
• if you suspect that your computer has been hacked by someone to send out commercial electronic messages, you should report it to CA. CA will collate reports and may transfer the case to the Hong Kong Police Force where applicable.

Person-to-person marketing calls are not within the scope of the UEMO. However, if you believe that these calls are made using your personal data for direct marketing (e.g. the caller is able to identify you), you can report the case to the Office of the Privacy Commissioner for Personal Data (PCPD). For more information, please see PCPD's website at http://www.pcpd.org.hk/.

In general, phishing emails are not covered by the UEMO but rather by other criminal law. You may report them to the Hong Kong Police Force.

You have the right to ask a sender of commercial electronic messages to stop sending you further messages by making an unsubscribe request and the sender must honour such request. By keeping a record of the unsubscribe requests made, you may assist investigation if such request is not honoured.

Nevertheless, some commercial electronic messages, especially email spams, are sent by professional spammers, rather than legitimate businesses. If you receive an email that seems dubious, for example, the subject line or sender looks suspicious, it is safer to delete it immediately without opening it. Do not reply and do not click on any links, including 'unsubscribe' links. Doing so may result in even more spam because the action confirms that your email address is a valid address.

If you wish to make a report to CA, please fill in the report form posted on our web site or obtainable through our fax-on-demand service (please call 2961 6333). The form can be filled in online or can be sent:

by post to :
    UEM Section
    Office of the Communications Authority
    29/F, Wu Chung House, 213 Queen's Road East
    Wan Chai, Hong Kong

by fax to : 3155 0956

You may also report any contravention by a letter to the above postal address. The letter should include the following information:

• your full name;
• your postal address, contact telephone number, fax number or email address;
• the type of message received, receiving electronic address, the date and time the message was received, and other contact information provided in the message, such as telephone number;
• details of the suspected breach; and
• any other documents that would assist us to handle your report, such as the fax received.

In case you have difficulty in expressing yourself in writing, you may contact us by calling 29616333 (from 8:30am to 5:45pm, Monday to Friday except public holidays). Our officer can help to fill in the report form for you. To ensure accuracy, the completed form will be sent by post or by fax to you for your confirmation and signature.