South Korea announces stringent measures against privacy problems in personalized advertising

By Hongeun Im, The Readable
Feb. 2, 2024 10:08PM GMT+9

The Personal Information Protection Commission (PIPC) of South Korea, in a briefing held on Wednesday, announced detailed policy plans specifying that users’ behavioral information—data related to internet activity—must be processed in a manner that does not reveal the identity of individual users.

The PIPC emphasized that advertisers should observe a strict distinction between behavioral information and personal data. While acknowledging that behavioral advertising—which targets specific social groups based on their internet activities—enhances the efficiency of promotions, the PIPC also raised concerns about the potential misuse of personal data. The classification of users into groups based on online behavior necessitates careful handling of individuals’ information.

In its statement, the PIPC further emphasized that advertisers must explicitly detail how their privacy policies guide their handling of behavioral data, even when there is no direct merging of personal and behavioral information. Moreover, the commission stressed that, even with user consent for the use of their behavioral data in marketing, such data must not be processed in a way that allows individuals to be identified. The PIPC also prohibited data processors from attempting to identify users without their consent.

The recent policy plan introduced by the PIPC includes tailored obligations or recommendations that vary according to the type of business and its use of online identifiers—a factor not covered by previous guidelines. The “Online Personalized Advertisement Privacy Guidelines,” published in 2017, stipulated that behavioral data should not be merged with personal data without obtaining user consent. However, the PIPC noted in its briefing that due to the complex processing chain of personalized advertising, pinpointing responsibility proved challenging. To tackle these issues, the PIPC has been engaged in ongoing discussions since 2021 to develop more precise and effective approaches.

This year’s policy enhancements also extend to advertising media. These entities are now required to disclose the specific businesses to which they transmit users’ internet activity data in their privacy policies. Additionally, Chief Product Officers are tasked with conducting regular audits on the management of this data. The new policy plan makes a clear distinction between advertisers and advertising media: advertisers are those who collect internet activity data to target and deliver appropriate advertisements, while advertising media are the platforms that supply the internet activity data and host these personalized advertisements.

The stringent measures introduced by the policy plan also apply to in-app browsers. Businesses operating these browsers are prohibited from collecting sensitive personal information. Furthermore, they are required to offer users the option to open web pages in an external browser of their choice.

Additionally, the updated policies include plans to assess companies that manage behavioral data for personalized advertising purposes and to establish a joint council consisting of representatives from both the private sector and government administration. A spokesperson for the PIPC announced, “The joint council will be formed by March, followed by the commencement of inspections under the new evaluation system for personal data processing policies.” The representative further mentioned, “During the inspection process, we plan to highlight exemplary practices in data processing policies.”

While many of the policy plans are framed as recommendations without mandatory legal obligations, the PIPC has indicated that adherence to these recommendations will be considered during future evaluations related to public sector procurement.

The issue of mishandled personal data came into sharp focus following significant fines imposed on Google and Meta, two of the largest technology firms. In September 2022, these companies were fined approximately $51 million and $23 million, respectively. The penalties were levied for their practices of collecting users’ behavioral data and utilizing it to serve personalized advertisements without obtaining the users’ consent.

Similar policies are in place in Europe, where enforcement took a notable turn in January of last year. Meta faced action for incorporating the processing of personal data into its terms of service, a move interpreted as forcing users to consent. As a result, Meta was fined approximately $434 million by Ireland for breaching the General Data Protection Regulation (GDPR).

The cover image of this article was designed by Sangseon Kim. This article was edited by Dain Oh and copyedited by Arthur Gregory Willers.

Hongeun Im is a reporting intern for The Readable. Motivated by her aspirations in cybersecurity and aided by the language skills she honed while living in the United Kingdom, Im aims to write about security issues affecting the Korean Peninsula and lead more people to become interested in cybersecurity. She attends Gwangju Institute of Science and Technology, majoring in Electrical Engineering and Computer Science. Her interest in computer science led her to participate in the World Friends Korea volunteer program, where she taught Python at the Digital Government Center in Laos and at Al-Balqa Applied University in Jordan.