This FAQ, together with the summary of the requirements of the UEMO, illustrations and advice, is for general reference only. Readers should refer to the provisions of the UEMO for a complete and definitive statement of the law.
There are many types of Unsolicited Electronic Messages ("UEM"), for example, electronic marketing messages promoting products or services that can be sent as text and pre-recorded voice messages to telephones, to fax machines or to email addresses.
The UEMO cover any messages:
except for messages that fall into the exemptions as provided in Schedule 1 of the UEMO.
Examples of electronic messages covered by the UEMO are:
The UEMO contains a list of exempted electronic messages in Schedule 1. The regulatory requirements will NOT apply to those messages, including:
Yes, commercial electronic messages received in Hong Kong are covered (whether the recipient is a Hong Kong resident or not). In addition to enforcement under the UEMO, we maintain close liaison with overseas enforcement agencies to join forces in combating spam-related crimes.
Yes, as long as your mobile number is a Hong Kong mobile number, it is immaterial where you receive the message and the UEMO will still be applicable.
The UEMO regulates commercial electronic messages that have a Hong Kong link. The definition of "commercial electronic message" is given in section 2 of the UEMO. Whether a message is commercial in nature has to be determined on a case-by-case basis, taking into account matters including the purpose and content of the concerned message. The nature of the sending organisation is not the only factor that would be considered. If the purpose (or one of the purposes) of the message sent by a non-profit making / charitable / religious organisation meets the criteria set under section 2 of the UEMO, the message would be considered as a commercial message.
Any individual or business contravening the UEMO may be liable to a fine or imprisonment, according to the following:
|Fraud and other illicit activities related to sending of multiple commercial electronic messages||The Hong Kong Police Force but CA will carry out preliminary investigation and act as the first point of contact for public reporting||Unlimited fine as set by the court and/or imprisonment up to ten (10) years|
|Use of unscrupulous techniques to expand the reach of commercial electronic messages||
|A fine up to HK$1 million and/or imprisonment up to five (5) years|
|Contravention of the rules for sending commercial electronic messages||CA||An enforcement notice may be served to the offender. Contravention of the notice may attract a fine up to HK$100,000 on the first conviction|
In addition, anyone who has suffered loss or damage as a result of a contravention of the UEMO may take his/her own individual civil action against those who committed the contraventions, irrespective of whether they have been convicted.
If, following the completion of an investigation, the CA is of the opinion that a person has contravened the rules of sending commercial electronic messages and it is likely that the contravention will continue or be repeated, then the CA will issue an enforcement notice to that person specifying the contravention and the steps required to remedy the contravention within a prescribed period of time.
Contravention of an enforcement notice is an offence, punishable by a fine up to HK$100,000. Continuing offences would be punishable by a further fine of HK$1,000 a day.
Anyone who has suffered loss or damage as a result of a contravention of the UEMO may take his/her own individual civil action against those who committed the contraventions, irrespective of whether they have been convicted.
Under an opt-out regime, a sender may send out unsolicited messages to electronic addresses if he/she follows the rules of sending of commercial electronic messages. The rules include:
The registered user of the receiving electronic address can:
The opt-out regime can be contrasted with the opt-in regime in which prior consent must be obtained from the registered user of an electronic address before a commercial electronic message can be sent.
The Unsolicited Electronic Messages Ordinance (UEMO) is the main body of the legislation. The Unsolicited Electronic Messages Regulation (UEMR) is the subsidiary legislation prescribing detailed requirements relating to "sender information" and "unsubscribe requests" to be included in messages. The Code of Practice provides guidance in respect of the application or operation of the provisions of the UEMO. Although codes of practice are not statutory requirements and failure to observe such codes of practice would not be subject to legal proceedings, they represent the views of the CA on how certain statutory provisions should be applied or operated and are admissible in evidence in legal proceedings. If the court is satisfied that a code of practice is relevant to determining a matter at issue, failure to observe the code of practice may be relied upon to establish or negate that matter.
|Rules for Sending Commercial Electronic Messages||Examples of Contravention of the Rules||Penalty|
A sender of commercial electronic message shall:
CA may issue enforcement notice to first time offenders. If the offender contravenes the enforcement notice, he/she is liable to a maximum fine of $100,000.
CA is the enforcement agency for Part 2 of the UEMO.
In the case of pre-recorded voice or video messages, the required sender information includes the sender's name, address and contact telephone number. Instead of directly providing the address and contact number, the sender may provide a facility by which the recipient may enter a key specified in the message to immediately request to be provided with the address and the contact telephone number.
In the case of fax, the required sender information includes the sender's name, address and contact telephone number.
In the case of SMS, the required sender information includes the sender's name, address and contact telephone number. The address may be omitted from the message if the recipient is able to obtain the address by using the contact telephone number.
In the case of email, the required sender information includes the sender's name, address, contact telephone number and contact email address.
No. The address required under the UEMR, in relation to an individual or organisation, means the address of his or its usual place of business, but does not include a postal box address.
The UEMR (section 9) requires that:
The sender should, within 10 working days from the day on which the unsubscribe request is sent, stop sending any further commercial electronic messages to the electronic address in respect of which the unsubscribe request was sent.
Section 6 and 7 of the UEMR requires the sender information and the unsubscribe facility statement to be given in both Chinese and English. However, if the recipient has indicated to the sender that these can be given solely in one language (for example, by asking the recipient for his language preference at the beginning of the pre-recorded voice message), the sender may give the information solely in that language.
It is recognised that some individual or organisation may not have a Chinese name. Similarly, an overseas company will have difficulty to provide their address in Chinese. Section 6(3) and (4) of the UEMR provides that in such circumstances, the particular information of name and address can be given in either Chinese or English only.
The UEMR imposes some conditions on the order of presenting the sender information and the unsubscribe facility statement in the case of pre-recorded voice or video messages. This is aimed to facilitate the recipients to identify the sender and decide whether to listen on quickly.
If the sender is providing a key input to request for address and/or telephone number, the name of the sender, the key and the unsubscribe facility statement should be presented at the beginning of the message, in the order of:
Otherwise, the sender information and the unsubscribe facility statement should be presented at the beginning of the message, in the order of:
In addition, the CoP suggests that the sender information and the unsubscribe facility statement should be presented at such speed so as to be reasonably audible (paragraphs 6.3(a) and 8.3(a) of the CoP).
For fax or email messages, the CoP has provided guidelines in paragraph 6 and paragraph 8. In general, the CoP suggests that the sender information can be presented prominently at the top, or the bottom, of the first page of the fax message or the body of the email message. The sender information should be reasonably visible in terms of font size, position and contrast.
Similarly, the unsubscribe facility statement should be:
For SMS, the CoP has detail guidelines on the label to precede the contact telephone number and the unsubscribe facility telephone number. Details can be found in paragraph 6.4 and 8.4 of the CoP.
Section 9(1)(f) of the UEMO requires the unsubscribe facility to be reasonably likely to be capable of receiving the recipient's unsubscribe request at all times during a period of at least 30 days after the message is sent. The CoP gives further guideline that if a telephone number or a facsimile number is provided as the unsubscribe facility, the sender should use reasonable endeavours and take into account the volume and rate of commercial electronic messages being sent to design the capacity of the concerned telecommunications line (and the relevant human resources if applicable) so that the unsubscribe facility has adequate capacity to receive the incoming unsubscribe requests.
According to section 9(3) of the UEMO, the sender should retain a record of unsubscribe requests in a format in which they were originally received, or in a format that can be demonstrated to represent accurately the information originally received, for at least 3 years after their receipt.
Therefore, how the record should be kept depends on the actual unsubscribe facility provisioned. If you are taking the suggestions given the CoP to provide the unsubscribe facility, you would be able to retain a record of the unsubscribe request in the following formats:
|Type of Message||Unsubscribe Facility||Format of record|
|Pre-recorded voice or video messages||A one-digit key pressed during the pre-recorded voice or video call||A digital record of the recipient numbers who has pressed the specified key|
|Fax||A fax number||Keep the received fax as record.You may further streamline the process by using an electronic fax service as unsubscribe facility, or scanned the received fax pages, so that the record can be kept digitally.|
|An email account, a web address / web page||Keep the received email or the computer log for the submission via the web page for record purpose.|
|SMS||A telephone number for receiving unsubscribe request orally, or by pressing a key.||
In the case of using an IVRS to accept a key pressed, a computer log file may be kept as record.If oral unsubscribe request is to be accepted, you may, subject to compliance with the Personal Data (Privacy) Ordinance (Cap.486) and any applicable law, record the actual conversation in order to meet the statutory requirement.
The offences in Part 3 of the UEMO are unscrupulous techniques to expand the reach of commercial electronic messages. In general, there are legitimate uses of these techniques in isolation.However, if they are used in connection with the sending of commercial electronic messages, the sender will be able to send out messages to more recipients or in a shorter time.These techniques are prohibited for use in connection with the sending of commercial electronic messages, so as to minimise the nuisance caused to recipients.
|Offences||Examples of Prohibited Activities||Penalty|
Part 3 of the UEMO – use of unscrupulous techniques to reach out to more recipients, including:
A fine up to HK$1 million and/or imprisonment up to five (5) years
The enforcement agency for Part 3 of the UEMO is CA.
1 Address harvesting software means software that is specifically designed or marketed for use for searching the Internet or a public telecommunications network, and collecting electronic addresses such as telephone numbers or email addresses
The UEMO also places a number of requirements on how commercial electronic messages should be sent using technical infrastructure. These requirements include:
In summary, you should:
In order to expand the reach of messages, spammers may make use of address-harvesting software and/or harvested-address lists when creating distribution lists. Address-harvesting software is defined in section 14(1) of the UEMO and in general, means software specially designed to search the Internet or a public telecommunications network to collect electronic addresses.
The UEMO bans the supply, acquisition or use of address-harvesting software and/or harvested-address lists for the purpose of sending UEMs. If you are supplying or acquiring address list for marketing purposes, you should make sure that such lists are not created by using address-harvesting software.
Businesses and organisations, which need to publish their email addresses on the Internet, may consider displaying the addresses in a way that makes address harvesting more difficult. For tips on protecting email addresses from being harvested and other methods to reduce incoming spam, please refer to the Government's Information Security (InfoSec) website.
Dictionary or brute force attacks are often referred to as automated techniques used by email spammers to reach out to a large number of email recipients easily. These techniques try to use an automated means to mix/join all possible words/names or combinations of letters and alphabets to formulate recipient email addresses with a hope to reach some valid mailboxes. The ban on the use of such automated techniques under the UEMO is not only limited to email messages, but rather generally on all types of electronic messages. Lists generated manually are not prohibited.
Scripts or other automated means to create multiple email accounts are occasionally used by system administrators or telecommunications service providers to perform administration of information systems efficiently. However, these are also used by email spammers to create multiple email accounts for temporary use to send spam email messages. The spammers will normally discard these email accounts after a short while and move on to a new set, in order to avoid detection.
The UEMO bans the use of scripts or automated means to register for five or more email accounts for subsequent sending of multiple UEMs.
An open relay refers to an email server that lets a third-party send emails to other parties. It comes about when the mail server processes a mail where neither the sender nor the recipient is a local or a known user to the server. Email sent in this way will only bear the email server's IP address and not that of the third-party.
By exploiting open relays, email spammers can conceal their true IP addresses so that recipients of the spam email messages have no means to find out the real source. Such exploitation is prohibited under the UEMO.
It is possible for a computer to be running an open proxy or open relay without the knowledge of the computer's owner. This can be the result of mis-configuration of email server running on their computer, or of infection with malware (such as viruses, trojans or worms). To better protect yourselves and your company, IT administrators should ensure that:
If in doubt, you should consult qualified IT security professionals.
The offences in Part 4 of the UEMO are fraud and other illicit activities related to the sending of multiple commercial electronic messages. In general, these activities are associated with professional spammers that send out large quantity of messages.The professional spammers use these techniques to cover their track and avoid being identified. As these activities are fraudulent in nature, these cases will be investigated by the Hong Kong Police Force.
|Offences||Examples of Prohibited Activities||Penalty|
Part 4 of the UEMO – fraud and other illicit activities related to the sending of multiple commercial electronic messages2, including:
Unlimited fine as set by the court and/or imprisonment up to ten (10) years
2 "Multiple commercial electronic messages" mean transmission of more than 100 commercial electronic messages during a 24 hour period, or more than 1000 commercial electronic messages during a 30-day period.
3 A computer attached to the Internet that has been compromised by a hacker, a computer virus, or aTrojan program. Such computers are usually used to perform malicious tasks such as spamming under remote direction, with the owner normally unaware of such tasks.
4 Header is machine-generated information about the source or routing of the electronic message such as calling line identifications or IP addresses.It does not include the 'from' field in email message which can easily be altered by senders.
With the UEMO fully effective from 22 December 2007,:
Person-to-person marketing calls are not within the scope of the UEMO. However, if you believe that these calls are made using your personal data for direct marketing (e.g. the caller is able to identify you), you can report the case to the Office of the Privacy Commissioner for Personal Data (PCPD). For more information, please see PCPD's website at http://www.pcpd.org.hk/.
In general, phishing emails are not covered by the UEMO but rather by other criminal law. You may report them to the Hong Kong Police Force.
You have the right to ask a sender of commercial electronic messages to stop sending you further messages by making an unsubscribe request and the sender must honour such request. By keeping a record of the unsubscribe requests made, you may assist investigation if such request is not honoured.
Nevertheless, some commercial electronic messages, especially email spams, are sent by professional spammers, rather than legitimate businesses. If you receive an email that seems dubious, for example, the subject line or sender looks suspicious, it is safer to delete it immediately without opening it. Do not reply and do not click on any links, including 'unsubscribe' links. Doing so may result in even more spam because the action confirms that your email address is a valid address.
If you wish to make a report to CA, please fill in the report form posted on our web site or obtainable through our fax-on-demand service (please call 2961 6333). The form can be filled in online or can be sent:
by post to :
Office of the Communications Authority
29/F, Wu Chung House, 213 Queen's Road East
Wan Chai, Hong Kong
by fax to : 3155 0956
You may also report any contravention by a letter to the above postal address. The letter should include the following information:
In case you have difficulty in expressing yourself in writing, you may contact us by calling 29616333 (from 8:30am to 5:45pm, Monday to Friday except public holidays). Our officer can help to fill in the report form for you. To ensure accuracy, the completed form will be sent by post or by fax to you for your confirmation and signature.