The Hong Kong cookie law is not a standalone piece of legislation. There is no Cookie Ordinance and no dedicated privacy statute for websites. What governs cookie-related obligations in Hong Kong is the Personal Data (Privacy) Ordinance, Cap. 486, known as the PDPO. Most business owners searching for the Hong Kong cookie law do not know this, which is why so many Hong Kong websites are non-compliant without realising it.

The PDPO was enacted in 1996 and last substantively amended in 2012. It predates the cookie economy entirely. The Privacy Commissioner for Personal Data, the PCPD, has published guidance on online behavioural tracking, but that guidance carries no legal force on its own. The PDPO's six Data Protection Principles create the actual legal obligations, and they apply to cookies only when those cookies collect data that can identify an individual.

The Hong Kong cookie law position diverges from the EU at a fundamental level. The PCPD has ruled that an IP address relates to a device, not a person, and therefore falls outside the PDPO's definition of personal data in most cases. Under GDPR, an IP address is personal data. This distinction changes the compliance picture for a large share of the tracking activity that happens on a typical Hong Kong website.

That does not mean the Hong Kong cookie law position allows websites to ignore privacy obligations. Cookies that collect names, email addresses, login credentials, or purchase history linked to an account fall within the PDPO. Third-party advertising cookies used for direct marketing create additional obligations beyond standard notification. Any Hong Kong website with EU or UK visitors is subject to GDPR for those visitors regardless of where the site is hosted.

Proposed amendments to the Hong Kong cookie law framework include mandatory data breach notification, stricter consent requirements for sensitive personal data, and substantially higher penalties. No confirmed timeline exists as of the date of this article. The compliance bar is rising and businesses that act now will be better positioned when amendments pass.

The Hong Kong cookie law obligation flows from Data Protection Principle 1 of the PDPO. It requires that personal data is collected for a lawful purpose, that the collection is necessary for that purpose, and that the person whose data is collected is notified at the time of collection. This notification is delivered through a Personal Information Collection statement, known as a PIC statement. It is not a cookie banner in the European sense. It is a written notice that must appear at the point where personal data is first collected.

Hong Kong operates on an implied consent model under the Hong Kong cookie law framework. A website does not need to wait for a user to click accept before setting cookies, unless those cookies collect personal data for direct marketing. For most analytical and functional cookies, notifying the user through a privacy policy or PIC statement is sufficient. If your website sets cookies that collect personal data and your privacy policy does not describe that collection clearly, you are in breach of DPP1 regardless of whether you have a cookie banner.

When a Cookie Becomes Personal Data Under the PDPO

A cookie becomes personal data under the PDPO when it contains or links to data that can identify a living individual. A session cookie storing a temporary cart ID with no link to a user account does not meet this definition. A cookie storing a logged-in user's account reference, email address, or purchase history does. The PCPD has stated that IP addresses alone do not constitute personal data because they identify a device rather than a person, which differs from the GDPR position and matters significantly for how you assess your analytics setup.

What Your Personal Information Collection Statement Must Cover

A Hong Kong cookie law compliant PIC statement must tell users what personal data is collected, why it is collected, who it will be transferred to, and what rights the individual has to access and correct that data. For a website that uses cookies to collect personal data, the PIC statement must specifically describe that collection, name the third parties receiving the data, and state the purpose.

A generic policy that says "we may collect personal information" without this detail does not satisfy DPP1. It must be accessible from the first page a user lands on, written in plain language, and provided before or at the time of collection. This is a core requirement of the Hong Kong cookie law compliance standard.

Which Cookies on Your Website Trigger PDPO Obligations

Not every cookie creates a Hong Kong cookie law compliance obligation. The deciding factor is whether the cookie collects or links to personal data as defined by the PDPO. Six cookie types appear on most Hong Kong business websites, and their compliance implications differ significantly.

| Cookie Type | Example Tools | Personal Data Under PDPO | Consent Required |
| --- | --- | --- | --- |
| Session / functional | Cart cookies, login tokens, language preference | No, unless linked to a user account | No express consent. PIC statement recommended. |
| Analytics (anonymised) | GA4 with IP anonymisation, no User ID | No under current PDPO position | No express consent. Disclosure in privacy policy required. |
| Analytics (with User ID) | GA4 configured with logged-in user tracking | Yes, once linked to an identifiable account | PIC statement required. Implied consent with clear notification. |
| Third-party tracking | Meta Pixel, Google Ads tags | Yes, when linked to an identifiable individual | PIC statement required. Third-party transfer disclosure required. |
| Retargeting / advertising | Google Remarketing, Meta Custom Audiences | Yes, when used to target identifiable individuals | PIC statement required. Express consent required if used for direct marketing. |
| Direct marketing cookies | Email remarketing tools, CRM-linked tracking | Yes | Express, voluntary, and separate consent required before collection. |

Under the Hong Kong cookie law framework, direct marketing means offering goods or services to an individual using their personal data. When a cookie enables you to send a personalised offer to a specific identified customer based on their browsing behaviour, that is direct marketing and express consent is required before that data is collected. Retargeting that shows a generic ad based on pages visited does not automatically meet this definition, but the line between the two is narrow and easily crossed without realising it.

The Hong Kong cookie law position is significantly more permissive than GDPR. The five differences below affect every practical decision about consent, banners, and data handling on a Hong Kong website in 2026.

| Dimension | Hong Kong PDPO | EU GDPR | UK GDPR |
| --- | --- | --- | --- |
| Consent model | Implied consent with PIC notification. Express consent for direct marketing only. | Explicit opt-in required for non-essential cookies before they are set. | Explicit opt-in required. Same position as EU GDPR post-Brexit. |
| IP address status | Not personal data. Relates to a device, not an individual. | Personal data. Can be used to identify an individual. | Personal data. Same position as EU GDPR. |
| Cookie banner required | Not legally required. PIC statement and privacy policy are required. Banner is best practice. | Required. Must offer genuine choice to decline non-essential cookies before they load. | Required. Same standard as EU GDPR. |
| Maximum penalties | HK$50,000 and up to 2 years imprisonment. Proposed amendments: up to 10% of annual turnover or HK$10 million. | Up to EUR 20 million or 4% of global annual turnover, whichever is higher. | Up to GBP 17.5 million or 4% of global annual turnover, whichever is higher. |
| Data residency | Cross-border transfer restrictions apply. Data sent overseas must be protected to a standard comparable to PDPO. | Strict transfer mechanisms required for data leaving the EEA. | UK adequacy framework applies. Transfer impact assessments required for non-adequate countries. |

Hong Kong businesses running Google Ads or Meta campaigns already face GDPR-standard consent requirements through Google Consent Mode v2 and Meta's Consent API for any EU or UK traffic. The Hong Kong cookie law position does not exempt you from GDPR obligations for those visitors. For businesses with no EU or UK visitors, the Hong Kong cookie law compliance gap is almost always in the privacy policy, not the absence of a banner.

A Hong Kong cookie law compliant setup has four components: an accurate PIC statement, an opt-out mechanism, a third-party disclosure that names every external service receiving personal data from your site, and a cookie expiry policy with reasonable retention periods. A GDPR-style consent banner is only required if your site has EU or UK visitors. For businesses that need help keeping their website technically compliant on an ongoing basis, DOOD's website maintenance and security services cover cookie audits, privacy policy updates, and consent configuration as part of regular site management.

What the Cookie Banner Must Say and Do

A PDPO-compliant banner for a Hong Kong-only audience must name what data is collected, why, and who receives it. It must link to the full privacy policy and provide a clear opt-out for non-essential data collection. It does not need to block all cookies until the user clicks accept. A banner serving both Hong Kong and international visitors must not set any non-essential cookies for EU or UK users until explicit consent is given.

Google Consent Mode v2 connects this consent signal to your Google tags so that GA4 and Google Ads respect the user's choice without breaking your measurement setup entirely. Choosing a Hong Kong-based server keeps customer personal data within the jurisdiction and simplifies cross-border transfer obligations. For businesses reviewing their hosting setup as part of a compliance audit, DOOD's Hong Kong hosting services include local server options with full data residency in the city.
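The regional split described above can be expressed as Consent Mode v2 default commands. This is an added example, not code from the original page; the region list and the choice to keep `ad_user_data` and `ad_personalization` denied for Hong Kong visitors until express consent are assumptions for illustration.

```javascript
// Added example (not from the original page). Region list and Hong Kong defaults
// are assumptions for illustration; confirm the real values with legal review.
const OPT_IN_REGIONS = [ // EU member states, EEA (IS, LI, NO) and the UK
  'AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE','IT','LV',
  'LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','IS','LI','NO','GB',
];
const ALL_DENIED = {
  ad_storage: 'denied', analytics_storage: 'denied',
  ad_user_data: 'denied', ad_personalization: 'denied',
};

// Commands to issue before any Google tag loads:
//   buildConsentDefaults().forEach((args) => gtag(...args));
function buildConsentDefaults() {
  return [
    // Unscoped default (covers Hong Kong): notification-based model for storage,
    // but the personalised-advertising signals stay off until express consent.
    ['consent', 'default', { ...ALL_DENIED, ad_storage: 'granted', analytics_storage: 'granted' }],
    // Region-scoped default: nothing non-essential for EU/UK visitors until opt-in.
    ['consent', 'default', { ...ALL_DENIED, region: OPT_IN_REGIONS, wait_for_update: 500 }],
  ];
}

// Mirrors how a region-scoped default overrides the unscoped one for a visitor.
function effectiveDefaults(commands, countryCode) {
  let state = {};
  const scoped = [];
  for (const [, kind, params] of commands) {
    if (kind !== 'default') continue;
    const { region, wait_for_update, ...signals } = params;
    if (!region) state = { ...state, ...signals };
    else if (region.includes(countryCode)) scoped.push(signals);
  }
  return scoped.reduce((acc, s) => ({ ...acc, ...s }), state);
}

// Translate a banner choice into the 'update' command sent after the user decides.
function buildConsentUpdate({ analytics = false, marketing = false } = {}) {
  const v = (ok) => (ok ? 'granted' : 'denied');
  return ['consent', 'update', {
    analytics_storage: v(analytics), ad_storage: v(marketing),
    ad_user_data: v(marketing), ad_personalization: v(marketing),
  }];
}
```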

How to Handle Third-Party and Advertising Cookies

Cookies set by Meta Pixel, Google Ads tags, and LinkedIn Insight Tag send user data to servers outside Hong Kong. Under the Hong Kong cookie law, specifically DPP3 of the PDPO, your privacy policy must name each third party, describe what data is transferred, and state the purpose. A policy that says "we may share data with advertising partners" without naming them does not satisfy this requirement. Cookie expiry periods should be set to the shortest period necessary for the stated purpose. A third-party advertising cookie persisting for two years requires clear justification under the PCPD's published guidance.

Warning: implied consent does not protect your website when cookies collect personal data for direct marketing. The PDPO requires express, voluntary, and separate consent before you collect personal data to market goods or services directly to an individual. This consent must be given before collection, not after. If your retargeting setup feeds a direct marketing workflow without this consent on record, you are in breach of the PDPO.

The proposed PDPO amendments add a further layer to this. Businesses that establish correct data documentation and consent processes under the current framework will meet the higher bar more easily when amendments pass.

Key point: the most important compliance step for most Hong Kong websites is not installing a cookie banner. It is writing an accurate PIC statement that describes exactly what data your cookies collect, why, and who receives it. A banner without an accurate privacy policy underneath it provides no legal protection.

Hong Kong cookie law compliance has two components that need two different types of expertise. The legal component covers what the PDPO requires, whether your data practices are compliant, and what your obligations are for cross-border transfers or direct marketing. The technical component covers what your website actually does with cookies and how to implement the changes. A web developer cannot give legal advice on PDPO obligations, and a privacy lawyer cannot configure your Google Tag Manager consent setup.

What a Web Development Agency Handles

A web agency handles the technical side of Hong Kong cookie law compliance. It runs a cookie audit to identify every cookie your site sets, what data each one collects, and who it reports to. It configures your consent management platform, sets up Google Consent Mode v2, updates cookie expiry settings, and reviews your hosting setup for data residency compliance. For legal sector websites where PDPO compliance and reputational risk both matter, DOOD's legal website design services cover PDPO-aware architecture from the ground up. For other industries, DOOD's web development services in Hong Kong include cookie compliance as part of the build specification.
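A minimal version of the cookie audit described above, which also checks the earlier point that a third-party cookie persisting for two years needs justification. This is an added example, not code from the original page or from DOOD; the sample headers, host names and the 365-day review threshold are constructed assumptions.

```javascript
// Added example, not from the original page. The sample headers, host names and
// the 365-day review threshold are constructed assumptions for illustration.
const DAY_MS = 86400 * 1000;

function parseSetCookie(header, nowMs) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), domain: null, lifetimeDays: null };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === 'expires' && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
    else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
  }
  // Max-Age wins over Expires (RFC 6265); neither present means a session cookie.
  if (maxAge !== null) cookie.lifetimeDays = (maxAge * 1000) / DAY_MS;
  else if (expires !== null) cookie.lifetimeDays = (expires - nowMs) / DAY_MS;
  return cookie;
}

// Naive relatedness check; a production audit should use the Public Suffix List.
const related = (a, b) => a === b || a.endsWith('.' + b) || b.endsWith('.' + a);

function auditCookies(entries, siteHost, nowMs, reviewDays = 365) {
  return entries.map(({ responseHost, header }) => {
    const c = parseSetCookie(header, nowMs);
    const host = c.domain || responseHost; // host-only cookies belong to the responder
    const flags = [];
    if (!related(host, siteHost)) flags.push('third-party');
    if (c.lifetimeDays !== null && c.lifetimeDays > reviewDays) flags.push('long-lived');
    return { name: c.name, host, lifetimeDays: c.lifetimeDays, flags };
  });
}

const NOW = Date.UTC(2026, 0, 1); // fixed clock so the result is reproducible
const SAMPLE = [ // constructed Set-Cookie headers, as captured during a crawl
  { responseHost: 'www.shop.example', header: 'cart_id=abc123; Path=/; HttpOnly' },
  { responseHost: 'www.shop.example',
    header: 'analytics_id=111.222; Domain=.shop.example; Max-Age=63072000; Path=/' },
  { responseHost: 'ads.tracker.example',
    header: 'uid=9f8e; Expires=Sat, 01 Jan 2028 00:00:00 GMT; Secure; SameSite=None' },
];
console.table(auditCookies(SAMPLE, 'www.shop.example', NOW));
```

Each flagged row is an item to reconcile against the PIC statement: the named third party, the stated purpose, and the retention period.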

What a Privacy Law Firm Handles

A privacy law firm reviews your PIC statement and privacy policy against the PDPO's requirements, advises on cross-border transfer obligations, confirms whether your direct marketing consent process meets the express consent standard, and handles your response if you receive a PCPD investigation or data access request. When selecting a firm for Hong Kong cookie law advice, always choose one that specifically references PDPO work in their practice description. A lawyer whose primary experience is GDPR will not automatically know where the PDPO diverges and where the two laws require different responses.

How to Brief Either Party Without Wasting Time or Money

Before engaging either party, document the following: every third-party tool your website uses, what personal data your site collects from visitors, where your website is hosted, and what direct marketing activity your business runs using website-collected data. Start with the legal review to confirm exactly what the PDPO requires for your specific data practices, then brief the web agency with those requirements. Doing it the other way around, configuring a technical solution first and asking a lawyer to validate it after, almost always results in rework. For ongoing maintenance that keeps your technical compliance current as your site evolves, DOOD's WordPress maintenance services include regular compliance checks as part of the maintenance scope.

Frequently asked questions

Do I need a cookie banner on my Hong Kong website?

A cookie banner is not legally required under the PDPO for a website with only Hong Kong visitors. What is required is a PIC statement notifying users of what personal data your cookies collect, why it is collected, and who receives it. If your website has EU or UK visitors, a GDPR-compliant consent banner is required for those users, meaning non-essential cookies must not fire until the user gives explicit consent.

What happens if I ignore my PDPO obligations under the Hong Kong cookie law?

The PCPD can investigate complaints, serve enforcement notices, and refer serious cases for criminal prosecution. Current maximum penalties include fines of up to HK$50,000 and imprisonment of up to two years, with proposed amendments raising this to 10% of annual turnover or HK$10 million. A published PCPD enforcement finding also creates reputational damage that is disproportionate to the cost of getting compliant in the first place.

Does the Hong Kong cookie law apply if my website has overseas visitors?

The PDPO applies to personal data collected by a data user operating in Hong Kong regardless of where the visitor is located. If that visitor is in the EU or UK, GDPR or UK GDPR also applies simultaneously and you must meet the higher standard where the two laws conflict. For Hong Kong websites with significant mainland Chinese traffic, China's Personal Information Protection Law, known as PIPL, applies to personal data collected from individuals in mainland China and has its own consent and transfer requirements separate from the PDPO.

To begin, contact DOOD with your website URL, current hosting setup, a brief description of the third-party tools your site uses, and the primary compliance outcome you are working toward. Book a Free Consultation or Request a Proposal with the DOOD team in Hong Kong.