The Personal Information Protection Commission (PIPC) of South Korea, in a briefing held on Wednesday, announced detailed policy plans specifying that users’ behavioral information—data related to internet activity—must be processed in a manner that does not reveal the identity of individual users.
The PIPC emphasized that advertisers should observe a strict distinction between behavioral information and personal data. While acknowledging that behavioral advertising—which targets specific social groups based on their internet activities—enhances the efficiency of promotions, the PIPC also raised concerns about the potential misuse of personal data. The classification of users into groups based on online behavior necessitates careful handling of individuals’ information.
In its statement, the PIPC further emphasized that advertisers must explicitly detail how their privacy policies guide their handling of behavioral data, even when there is no direct merging of personal and behavioral information. Moreover, the commission stressed that, even with user consent for the use of their behavioral data in marketing, such data must not be processed in a way that allows individuals to be identified. The PIPC also prohibited data processors from attempting to identify users without their consent.
The recent policy plan introduced by the PIPC includes tailored obligations or recommendations that vary according to the type of business and its use of online identifiers—a factor not covered by previous guidelines. The “Online Personalized Advertisement Privacy Guidelines,” published in 2017, stipulated that behavioral data should not be merged with personal data without obtaining user consent. However, the PIPC noted in its briefing that due to the complex processing chain of personalized advertising, pinpointing responsibility proved challenging. To tackle these issues, the PIPC has been engaged in ongoing discussions since 2021 to develop more precise and effective approaches.
This year’s policy enhancements also extend to advertising media. These entities are now required to disclose the specific businesses to which they transmit users’ internet activity data in their privacy policies. Additionally, Chief Product Officers are tasked with conducting regular audits on the management of this data. The new policy plan makes a clear distinction between advertisers and advertising media: advertisers are those who collect internet activity data to target and deliver appropriate advertisements, while advertising media are the platforms that supply the internet activity data and host these personalized advertisements.
The stringent measures introduced by the policy plan also apply to in-app browsers. Businesses operating these browsers are prohibited from collecting sensitive personal information. Furthermore, they are required to offer users the option to open web pages in an external browser of their choice.
Additionally, the updated policies include plans to assess companies that manage behavioral data for personalized advertising purposes and to establish a joint council consisting of representatives from both the private sector and government administration. A spokesperson for the PIPC announced, “The joint council will be formed by March, followed by the commencement of inspections under the new evaluation system for personal data processing policies.” The representative further mentioned, “During the inspection process, we plan to highlight exemplary practices in data processing policies.”
While many of the policy plans are framed as recommendations without mandatory legal obligations, the PIPC has indicated that adherence to these recommendations will be considered during future evaluations related to public sector procurement.
The issue of mishandled personal data came into sharp focus following significant fines imposed on Google and Meta, two of the largest technology firms. In September 2022, these companies were fined approximately $51 million and $23 million, respectively. The penalties were levied for their practices of collecting users’ behavioral data and utilizing it to serve personalized advertisements without obtaining the users’ consent.
Similar policies are in place in Europe, where enforcement took a notable turn in January of last year. Meta faced action for incorporating the processing of personal data into its terms of service, a move interpreted as forcing users to consent. As a result, Meta was fined approximately $434 million by Ireland for breaching the General Data Protection Regulation (GDPR).