Table of Contents
The upcoming AI regulations in Hong Kong are not a distant concern. Several are already in effect. Others have confirmed timelines in 2026. And a few are sitting in a drafting process that most business owners are not watching. If you run a website in Hong Kong that collects data from visitors, publishes original content, or uses AI tools anywhere in your business, at least three of the changes described in this article apply to you today, not when a new law eventually passes.
Hong Kong does not yet have a single comprehensive AI law. What it has is a growing collection of sector-specific guidelines, existing laws that apply to AI by extension, and a pipeline of upcoming AI regulations that will tighten requirements significantly over the next 18 months.
The White and Case global AI regulatory tracker describes Hong Kong as developing sector-specific guidelines and investing heavily in AI, but stops short of covering what any of this means for the person running a business website in Hong Kong rather than a legal team inside a bank. That gap is what this article fills.
The steps below cover what is already law, what is coming, and what a website in Hong Kong needs to have in place before the next round of upcoming AI regulations arrives. Apply them using this guide, or talk to DOOD about doing it correctly and quickly. DOOD has been building compliant WordPress sites for Hong Kong businesses since 2012 and can implement everything below at a cost that will surprise you.
What the Current State of AI Regulation in Hong Kong Actually Means for Business Owners Right Now
Right now, there is no single law in Hong Kong that says "this is what you must do with AI." Instead, the rules that apply to your website in Hong Kong come from laws that were not written specifically for AI but cover it anyway. The Personal Data (Privacy) Ordinance, known as the PDPO, covers how you collect and store data from visitors, whether you use AI or not.
The Copyright Ordinance covers who owns content, whether a human or an AI system created it. Various sector regulators, covering banking, insurance, and healthcare, have added their own AI-specific guidance on top of those existing laws.
The upcoming AI regulations being developed right now are not going to replace any of that. They are going to add to it. This means that a business owner who waits for a single comprehensive AI law before taking action will find, when it arrives, that several other obligations already existed and were already enforceable.
Understanding what applies to your website in Hong Kong today is the practical first step, not something to defer. The table below summarises the key regulatory changes, their current status, and what each one means in plain terms for a business website.
| Regulatory change | Current status | What it means for your website |
|---|---|---|
| Copyright Ordinance text and data mining amendment | Bill pending, not yet passed | Your published website content can be used to train AI models unless you add a machine-readable opt-out signal |
| Generative AI Technical and Application Guidelines | In force since April 2025, voluntary | Five governance principles that signal where mandatory rules are heading |
| Protection of Critical Infrastructures Bill | Gazetted December 2024, full implementation mid-2026 | Websites handling data for critical infrastructure operators face new security obligations |
| PDPO cookie consent requirement | Already mandatory | Any website using tracking cookies must obtain visitor consent before placing them |
| PDPO reform with mandatory breach notification and fines up to HK$1 million | On hold since October 2024, not cancelled | When it passes, failing to notify the PCPD of a data breach becomes a criminal offence |
| Insurance Authority updated AI guidelines | Updated version coming 2026 | Websites for insurance intermediaries face sector-specific AI disclosure requirements |
Source: White and Case HK AI Tracker June 2025 / Bird and Bird AI Horizon Tracker / PCPD / Digital Policy Office HK / Legislative Council papers 2025. DOOD's SEO and compliance team monitors these changes continuously and can apply them to your website in Hong Kong as each new requirement comes into force, drawing on over a decade of working directly with Hong Kong businesses.
Key point: Hong Kong has no comprehensive AI law right now. Every rule that currently applies to your website in Hong Kong comes from existing legislation, mainly the PDPO and the Copyright Ordinance, plus sector-specific regulators. The upcoming AI regulations being developed will add to that framework, not replace it. Understanding what already applies to your website today is the first step before preparing for what is coming.
What the 2025 Generative AI Guidelines Tell Us About Where Mandatory Rules Are Heading
In April 2025, Hong Kong's Digital Policy Office published its Generative Artificial Intelligence Technical and Application Guidelines. These are voluntary right now. But voluntary guidelines from a government body are almost always a preview of what becomes mandatory later.
The five principles they contain cover legal compliance, security and transparency, accuracy and reliability, fairness and objectivity, and practicality and efficiency. A website in Hong Kong that adopts these five principles now is building the foundation that the upcoming AI regulations will eventually require by law. Doing it voluntarily before a deadline removes the scramble of doing it under pressure.
How the Upcoming AI regulations Copyright Ordinance Amendment Changes What You Can Put on Your Website
One of the most significant upcoming AI regulations for any business that publishes content on a website in Hong Kong is the planned amendment to the Copyright Ordinance. The amendment introduces rules around text and data mining, which is the process AI companies use to read and learn from published content on the internet.
Under the current Copyright Ordinance, AI companies can legally use content published on your website to train their models because there is no rule specifically stopping them. The amendment will change that by introducing an opt-out mechanism.
Here is what the text and data mining opt-out means in plain terms. Once the amendment passes, content owners, including anyone running a website in Hong Kong, will be able to add a machine-readable signal to their website code that tells AI crawlers "do not use this content for training."
Without that signal, AI companies can continue using your content legally. With the signal in place, using your content after you have opted out becomes a copyright infringement.
The signal is added in the website's code and takes a developer about 30 minutes to implement. Most business owners in Hong Kong do not know this is coming. DOOD builds this opt-out signal into every new client site as standard preparation for the upcoming AI regulations, backed by years of experience updating Hong Kong sites quickly when regulatory requirements change.
Does AI-Generated Content on Your Website Already Have Copyright Protection in Hong Kong?
Yes, and this is a fact that surprises most business owners. Under the current Hong Kong Copyright Ordinance, AI-generated content is already protected as a "computer-generated work." The person who arranged for the content to be generated is treated as its author for copyright purposes. This is different from the United States, where AI-generated content with no human creative input currently cannot be copyrighted.
A Hong Kong business that publishes AI-generated articles, product descriptions, or images on its website in Hong Kong already owns the copyright to that content under current law. The upcoming AI regulations are likely to clarify and potentially strengthen these protections rather than remove them.
What the PDPO Already Requires From Every Business Website That Collects Data in Hong Kong
The Personal Data (Privacy) Ordinance, which covers how any organisation in Hong Kong collects, stores, and uses personal data, already applies to your website right now. It is not an upcoming regulation. It has been in force for years. The PCPD, which is the Privacy Commissioner for Personal Data and the body responsible for enforcing it, checked 60 organisations in May 2025 and found that 80 percent of them were using AI in their daily operations.
That means the PCPD is actively looking at how businesses use AI tools that touch personal data, and it has the power to investigate and fine organisations today under the current law.
For a website in Hong Kong, the PDPO compliance requirements that most SMEs are currently missing are straightforward. A privacy notice must be visible to visitors before they submit any personal data, including filling in a contact form or making a purchase. Tracking cookies, which include Google Analytics, Meta Pixel, and any advertising pixel, must not be placed on a visitor's device until the visitor has actively consented.
The consent must be real: a banner that says "by continuing to use this site you accept cookies" does not count as valid consent under the PDPO. The visitor must be able to say yes or no clearly. Most business websites in Hong Kong are not compliant with this requirement today.
The upcoming AI regulations around data governance will tighten this further, not relax it. DOOD's maintenance service includes a PDPO compliance check as a standard part of every website audit, applied by a team that has been working with Hong Kong businesses on exactly these issues since 2012.
Worth knowing: Any website in Hong Kong that uses Google Analytics, Meta Pixel, tracking cookies, or contact forms collecting personal data is already subject to the PDPO. A privacy notice must appear when visitors arrive. Cookie consent must be collected before tracking cookies are placed. Most SME websites in Hong Kong do not comply with either requirement. The PCPD has the power to investigate and fine right now, not when the upcoming AI regulations arrive. This is a current obligation, not a future one.
What the On-Hold PDPO Reform Means When It Eventually Passes
In October 2024, the Hong Kong government put a proposed PDPO reform on hold. The reform would have introduced mandatory data breach notification requirements and fines of up to HK$1 million for serious violations. It was paused, not cancelled, due to concerns about the burden on SMEs.
When it does pass, any website in Hong Kong that suffers a data breach, meaning a situation where personal data held on the site is accessed, stolen, or lost without authorisation, will be required to report it to the PCPD within a defined timeframe.
Failure to do so will be a criminal offence. A website that is already PDPO-compliant now will have far less to do when that reform finally passes than one that has been ignoring the existing requirements.
Why the Critical Infrastructure Bill Matters to Any Business Website Handling Sensitive Data
The Protection of Critical Infrastructures (Computer Systems) Bill was published in December 2024 and is expected to be fully implemented by mid-2026. This is one of the most concrete upcoming AI regulations with a confirmed timeline. It targets operators of systems that are essential to the functioning of critical services in Hong Kong: energy, transport, banking, communications, and related sectors.
If your business operates in one of these sectors and your website processes data that is central to those operations, the bill requires you to meet specific security standards for your computer systems, which includes your website and any servers it runs on to respect AI regulations.
Most small business websites in Hong Kong are not directly affected by this bill. A retail shop, a restaurant, or a freelance services website does not operate critical infrastructure. But a fintech platform, a healthcare data system, a payment processing service, or a company contracted to provide data services to regulated industries may well be in scope. The bill requires designated critical infrastructure operators to notify authorities of serious security incidents and to meet minimum security standards for their computer systems.
A website in Hong Kong that is in scope needs to begin a compliance review now, given that mid-2026 is not far away. DOOD's development team has been building secure WordPress systems for Hong Kong businesses since 2012 and can assess whether your website falls in scope and what changes are required.
How to Know Whether Your Business Website Is in Scope for the Critical Infrastructure Bill
The bill applies to computer systems designated as critical computer systems by the Secretary for Security. The designation process targets systems whose disruption would have serious consequences for the functioning of essential services in Hong Kong. If your business is not in a sector listed under the bill and your website does not process data that is central to essential services, you are almost certainly not in scope.
The test to apply is simple: if your website went down for 24 hours, would it disrupt a service that Hong Kong residents depend on for safety, energy, money, or communications? For most business websites in Hong Kong, the answer is no. For a platform processing financial transactions, medical data, or infrastructure management data, the answer may be yes and the upcoming AI regulations around critical infrastructure warrant professional legal advice in that case.
The Five Things a Hong Kong Business Website Needs in Place Before AI regulations Tighten
Three of these five steps address obligations that already exist under the PDPO. Two address upcoming AI regulations with confirmed timelines. A website in Hong Kong that completes all five is compliant with current law and prepared for the next 18 months of regulatory change without any further urgent action required.
- First: add a real cookie consent banner that allows visitors to accept or decline tracking cookies before any are placed.
- Second: publish a privacy notice that explains what data the site collects, why, and who has access to it.
- Third: add a machine-readable AI training opt-out signal to the website code in preparation for the Copyright Ordinance text and data mining amendment.
- Fourth: conduct a data audit to identify every piece of personal data the website collects, where it is stored, and who can access it.
- Fifth: implement a basic data breach response plan so that if a breach occurs, the business knows what to do and who to notify.
None of these five steps require a lawyer. They require a developer who understands both the technical implementation and the regulatory context of a website in Hong Kong. The cookie consent update and the privacy notice can be done in a day.
The AI training opt-out signal takes about 30 minutes. The data audit and breach response plan take longer but can be handled as part of a structured website review. For businesses that want all five completed properly and quickly, DOOD has been doing exactly this for Hong Kong clients since 2012.
The upcoming AI regulations are moving on a timeline that rewards early action. DOOD's development services cover all five steps for e-commerce and service websites at a cost built for local business budgets.
Key point: The five steps above are not theoretical preparation for future rules. Three of them address obligations that already exist under the PDPO. Two address the upcoming AI regulations that have confirmed timelines in 2026. A website in Hong Kong that completes all five is compliant with current law and prepared for the next round of regulatory change without any further action required when each new rule arrives.
What to Do If Your Website Was Built Before Any of These AI regulations Requirements Existed
Most business websites in Hong Kong that were built before 2022 were not designed with PDPO compliance or AI regulatory preparation in mind. The agency that built the site may no longer be contactable. The plugin stack may be outdated. The cookie banner may be decorative rather than functional.
The best starting point is a compliance audit that checks the current state of the site against the five steps above and produces a prioritised list of what needs to be fixed, in what order, and at what cost. A website in Hong Kong that goes through this process has a clear picture of its current exposure under both existing law and the upcoming AI regulations on the way. It also has a documented record of good faith compliance effort, which matters if the PCPD ever investigates.
How DOOD Builds Websites That Are Ready for Where Hong Kong AI regulations Are Heading
Every website DOOD builds for a Hong Kong client includes the five compliance steps above as standard. Cookie consent is functional, not decorative. The privacy notice is written for the specific data that website collects, not copied from a generic template.
The AI training opt-out signal is added to the site code as a forward-looking preparation for the upcoming AI regulations. Schema markup is in place for entity verification. And the site is built on a codebase that can be updated quickly when a new requirement comes into force, rather than one that requires a rebuild every time something changes.
DOOD has been building WordPress sites for businesses in Hong Kong since 2012. That means the team has updated sites through multiple rounds of regulatory change before, from PDPO guideline updates to cookie consent standards to the introduction of accessibility requirements.
A website in Hong Kong built by a team that has that history behind it is not starting from zero every time a new rule arrives. The regulatory compliance work gets done faster, to a more complete standard, and at a price that reflects the reality of operating in Hong Kong. Talk to DOOD about a compliance audit of your current site, or about building a new website in Hong Kong that is ready for where the upcoming AI regulations are heading.
Frequently asked questions
Recent websites built by DOOD
- Law.asia: a leading legal e-magazine and news portal for the Asian legal industry, built by DOOD on a custom WordPress platform with paywall, subscription management, and Stripe payments
- Bain Marie HK: Hong Kong's premier healthy catering service, built by DOOD on WordPress and WooCommerce with Stripe integration, multilingual WPML support, and a delivery booking system
- Wine Paradise: a Hong Kong online premium wine store sourcing directly from family-owned estates in France and Italy for over twenty years, built by DOOD on WordPress and WooCommerce