Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
South Korea 대한민국 / Daehan Min-guk

WEB ANALYTICS · COOKIE COMPLIANCE · EASTERN ASIA · KR

South Korea — analytics & cookie compliance reference

What you can run on a Korean-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. PIPC + KCC + FSC overlay · 3% global-revenue cap · Korean-language disclosure required.

Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting South Korea — Korean-language disclosure required for any controller serving Korean residents. Sectoral rules (financial credit data, telecom, healthcare, employment) are touched only where they intersect with the analytics layer.

National add-ons

Country-specific statutes layered on the EU baseline.

PIPA  Stricter
Personal Information Protection Act (개인정보 보호법)
Omnibus personal data law applicable to all controllers ('personal information processors') regardless of sector or size. The 2020 amendment absorbed online-service privacy provisions formerly housed in the Network Act, ending the dual-regime split. The 2023 amendment introduced PIPC-issued adequacy decisions, Standard Contractual Clauses for cross-border transfers, mandatory designation of a domestic representative for foreign controllers, and a fine ceiling of 3% of total turnover (formerly 3% of related revenue).
  • Art 15-22 Lawful bases — opt-in consent is the default; legitimate-interest equivalent narrowly drawn
  • Art 22-2 Child consent — guardian consent required for under-14s
  • Art 23 Sensitive data ('Special-Type Information') — biometric, race, political views, health, sex life, ideology, trade-union; separate explicit consent
  • Art 28-8 / 28-9 Cross-border transfers — opt-in consent OR PIPC adequacy decision OR PIPC-approved SCCs OR contract necessity
  • Art 31 DPO ('Privacy Officer') — mandatory for ALL information & communications service providers regardless of headcount
  • Art 39-11 Domestic representative — mandatory for foreign controllers above prescribed user/revenue thresholds
  • Art 64-2 Administrative fines — up to 3% of total turnover (2023 amendment; previously 3% of related revenue)
Act No. 10465 (2011), major amendments Act No. 16930 (Feb 2020 — 'Data 3 Acts' package merging Network Act privacy provisions) and Act No. 19234 (Mar 2023 — adequacy decisions, 3% global-turnover cap, expanded data-subject rights)
Network Act  Stricter
Act on Promotion of Information and Communications Network Utilization and Information Protection (정보통신망법)
Pre-2020 the Network Act ran a parallel privacy regime for online service providers ('정보통신서비스제공자'). The 2020 'Data 3 Acts' amendment moved the privacy chapters into PIPA but left enforceable rules on spam (Art 50 — opt-in marketing email/SMS, double-opt-in standard per KISA practice), unsolicited communications, network-incident reporting, and ICS-provider security obligations. The double-opt-in marketing baseline for Korean recipients still derives from this statute.
  • Art 50 Marketing email/SMS — prior express opt-in required; quiet-hours rule (21:00–08:00) for advertising messages
  • Art 50-7 App-push advertising — separate opt-in; sender identification + unsubscribe link mandatory
  • Art 76 Administrative fines for spam violations — up to ₩30M per offense
Act No. 6360 (2001), privacy provisions repealed and merged into PIPA by 2020 amendment; remaining provisions cover network safety, spam, and information security
Credit Information Use Act
Act on the Use and Protection of Credit Information (신용정보의 이용 및 보호에 관한 법률)
Sectoral overlay for financial-services data — banks, card issuers, insurers, lending platforms, BNPL, neobanks. The 2020 'Data 3 Acts' amendment created the MyData regime (consumer-driven data portability between financial institutions). FSC and FSS are the sector regulators; PIPA still applies as the baseline. Web-analytics implications: any landing page that captures financial-eligibility information (loan calculators, credit-score lookups) falls under this overlay alongside PIPA.
  • Art 32 Cross-border transfers of credit information — separate consent on top of PIPA Art 28-8
  • Art 40-2 Pseudonymized credit information — research/statistics/public-interest processing without consent
Act No. 4866 (1995), 2020 amendment introduced 'pseudonymized credit information' regime + MyData open-banking framework
Telecommunications Business Act
Telecommunications Business Act (전기통신사업법)
KCC sectoral oversight for telecommunications carriers and VATS providers (Value-Added Telecommunications Services — covers messaging apps, large platform operators, foreign content providers above 1M Korean users). Confidentiality of communications, fair-use obligations, and the 'In-App Payment Act' chapter (Act No. 18477, 2021 — first global regulation banning forced in-app billing). Web-analytics implications: VATS thresholds can pull foreign analytics/SaaS providers into Korean reporting obligations.
  • Art 22-7 VATS designation — foreign content providers above prescribed Korean user/revenue thresholds must designate a domestic agent
  • Art 50-2 App-store anti-steering / in-app payment — KCC enforcement on Apple, Google 2023-2024
  • Art 83 Confidentiality of communications — separate from PIPA; KCC-investigated
Act No. 3685 (1983), enforced by KCC (Korea Communications Commission)

Regulators

Supervisory authorities that interpret and enforce privacy law here.

NATIONAL
PIPC · Personal Information Protection Commission (개인정보보호위원회)
Lead privacy regulator for all sectors. Elevated from advisory body to full independent commission with rule-making and enforcement powers under the Aug 2020 PIPA amendment. Direct administrative-fine authority up to 3% of total turnover.

Coordination body

PIPC + KCC + FSC/FSS · Inter-agency coordination — PIPC (privacy) · KCC (telecom & spam) · FSC/FSS (financial data) · KISA (operational support)
South Korea is a unitary state with no provincial DPAs. PIPC is the lead privacy regulator; KCC retains spam/marketing oversight under the residual Network Act; FSC and FSS supervise credit-information processing under the Credit Information Use Act; KISA (Korea Internet & Security Agency) operates the technical infrastructure (incident response, marketing-opt-in registry, encryption guidelines) on PIPC's behalf.
  • 2020-08-05 · PIPC elevation — PIPC reorganized from a Prime Minister's advisory body into a full independent central administrative agency with binding rule-making, investigation, and direct fining authority — ending a decade of fragmented enforcement across MOIS, KCC, and FSC.
  • 2022-09-14 · Behavioural advertising — Google + Meta — PIPC imposed a combined ₩100B+ administrative fine (Google ₩69.2B + Meta ₩30.8B) for collecting third-party behavioural data without legally valid opt-in consent — the largest enforcement action in PIPA history at announcement and a turning point for cross-border platform compliance in Korea.
  • 2023-09-15 · Adequacy + SCCs — PIPA 2023 amendment effective — PIPC empowered to issue adequacy decisions for foreign jurisdictions and approve Standard Contractual Clauses. Mutual UK/EU adequacy recognition activated; first PIPC-approved SCC template published end-2023.

Notable enforcement

South Korea's enforcement landscape was reshaped twice in five years. The August 2020 PIPC elevation ended a decade of fragmented oversight (MOIS + KCC + FSC each ran parallel privacy regimes) and concentrated rule-making, investigation, and direct-fine authority in one independent commission. The September 2022 ₩100B+ combined Google + Meta fine for behavioural-advertising consent failures was the turning point for cross-border platform compliance — it signalled that PIPC would treat foreign Big Tech under the same opt-in baseline as domestic operators, and it pre-figured the 3% global-turnover fine ceiling enacted in the March 2023 PIPA amendment. Korea is now consistently in the global top-5 jurisdictions by single-fine size, and PIPC continues to pair cross-border platform action (Google, Meta, OpenAI, AWS Korea) with sector-wide post-incident sweeps (LG U+, KT, SK Telecom).

  1. 2022-09 €49.0M
    Google LLC PIPC · PIPA Art 15, 22, 39-3 stood

    ₩69.2B fine for collecting third-party behavioural-advertising data without legally valid opt-in consent (default-on consent UI). Largest single PIPA fine at announcement; corrective order to redesign Korean consent UI.

  2. 2022-09 €22.0M
    Meta Platforms PIPC · PIPA Art 15, 22, 39-3 stood

    ₩30.8B fine alongside the Google decision for the same behavioural-ad consent pattern on Facebook/Instagram. Combined Google + Meta total ₩100B+ — turning-point ruling that foreign platforms face the full PIPA opt-in baseline.

  3. 2024-03 €4.9M
    LG U+ PIPC · PIPA Art 29 stood

    ₩6.8B fine for the 2023 leak of ~297,000 customer records — insufficient access controls and encryption. Paired with corrective-action order on group-wide security architecture.

  4. 2023-07 €110k
    Kakao PIPC · PIPA Art 29 stood

    ₩151M fine for Kakao Talk OAuth-token vulnerability that allowed cross-account data access. Corrective order on incident-response timelines.

  5. 2023-04 €47k
    Naver Corporation PIPC · PIPA Art 39-3, Art 22 stood

    ₩65M fine + corrective order for marketing-opt-in defects on Naver-account onboarding flow — pre-ticked consent and bundled marketing consent invalid under PIPA Art 22.

  6. 2024-03 €5k
    AWS Korea PIPC · PIPA Art 26 stood

    ₩7.5M fine on AWS Korea as joint processor in the LG U+ 2023 incident — first PIPC enforcement against a foreign cloud-infrastructure provider in a co-controller posture.

GA4 status

GA4 is usable in South Korea only with Korean-language, prior, granular opt-in consent under PIPA Art 15/22 — bundled or pre-ticked consent is invalid. Cross-border transfers to Google's US servers require either separate Art 28-8 transfer consent or reliance on PIPC-approved SCCs. The 2022 ₩69.2B PIPC fine on Google for behavioural-ad consent failures is the cautionary precedent — controllers deploying GA4 with Google Signals or audience-sharing features take on materially elevated regulatory risk.

DPA · Stance
PIPC · Lead regulator. Permissive of GA4 with strict opt-in + Korean-language consent UI; aggressive on Google Signals + Ads-linkage features post-2022 fine.
KCC · Telecom + spam overlay only — not the primary GA4 reviewer; coordinates with PIPC on VATS-designated foreign providers.
FSC/FSS · Financial-sector overlay — adds Credit Information Use Act consent on top of PIPA for credit-eligible landing pages.
KISA · Operational guidance + technical SCC templates; runs the marketing-opt-in registry that double-opt-in sender-identification rules feed into.

Cross-border transfers + Schrems II

South Korea is not part of the EU-US Data Privacy Framework. Outbound transfers from Korea are governed by PIPA Art 28-8 / 28-9: lawful only on (1) explicit separate opt-in consent, (2) PIPC adequacy decision for the destination, (3) PIPC-approved Standard Contractual Clauses, or (4) contract-necessity narrowly construed. The 2023 amendment introduced the adequacy + SCC tracks; first PIPC-approved SCC template published end-2023. Korea itself holds EU adequacy (in force 17 Dec 2021) and UK adequacy (in force 19 Dec 2023) — inbound EU/UK→Korea transfers are unrestricted at the GDPR layer.

PIPC-issued SCCs published December 2023 are the standard fallback when adequacy is absent and consent is impractical. Distinct from EU 2021/914 SCCs — Korean text governs and PIPC-jurisdiction clauses are mandatory. Credit-information transfers require an additional layer under Credit Information Use Act Art 32.

Employee data

Key thresholds

Child consent age · 14 years
Article 27 representative · Required
Marketing consent · Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.
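The GA4 status section above and the server-side row just above both come down to the same engineering requirement: nothing analytics- or ad-related may fire until a granular, Korean-language, explicitly acted-on consent exists for each purpose, and a US-bound tag additionally needs an Art 28-8 transfer basis (separate consent or PIPC-approved SCCs). The following is an added example written for this page, not code from any vendor or CMP named here. The purpose names (analytics, advertising, cross_border), the tag descriptors, and the transferBasis values are this example's own assumptions; adapt them to the purposes your CMP actually records.

```javascript
// Added example: a consent gate for tags on a site serving Korean residents.
// Every purpose defaults to "denied" (no pre-ticked boxes), a single
// all-or-nothing flag is rejected as bundled consent, and a tag that sends
// data to US servers also needs a cross-border basis before it may load.
// Purpose names, tag table and basis labels are assumptions for illustration.

const PURPOSES = Object.freeze(["analytics", "advertising", "cross_border"]);

// A fresh record: each purpose explicitly false, no user action recorded yet.
function newConsentRecord() {
  return {
    lang: "ko",                       // consent surface language shown to the user
    decisions: Object.fromEntries(PURPOSES.map((p) => [p, false])),
    decidedAt: null,                  // set only when the user actually acts
  };
}

// Returns a list of defects; an empty list means the record is usable.
function validateConsentRecord(rec) {
  const errors = [];
  if (!rec || rec.lang !== "ko") errors.push("consent UI must be presented in Korean");
  if (!rec || typeof rec.decisions !== "object" || rec.decisions === null) {
    errors.push("per-purpose decisions missing");
    return errors;
  }
  for (const p of PURPOSES) {
    if (typeof rec.decisions[p] !== "boolean") errors.push(`no explicit decision for purpose '${p}'`);
  }
  if ("acceptAll" in rec.decisions) errors.push("bundled all-or-nothing flag is not granular consent");
  const anyGranted = PURPOSES.some((p) => rec.decisions[p] === true);
  if (anyGranted && rec.decidedAt === null) {
    errors.push("granted purposes without a user action timestamp (looks pre-ticked)");
  }
  return errors;
}

// Which purposes each tag needs, and whether it ships data to US servers.
// (Assumed descriptors; GA4 with Google Signals is modelled as needing the
// advertising purpose as well, matching the elevated-risk note above.)
const TAGS = {
  ga4_basic:   { purposes: ["analytics"], usTransfer: true },
  ga4_signals: { purposes: ["analytics", "advertising"], usTransfer: true },
  ad_pixel:    { purposes: ["advertising"], usTransfer: true },
};

// Art 28-8 style check: separate transfer consent OR a non-consent basis.
function transferCovered(rec, opts) {
  if (rec.decisions.cross_border === true) return true;
  return opts.transferBasis === "pipc_scc" || opts.transferBasis === "adequacy";
}

function mayLoadTag(tagName, rec, opts = {}) {
  const tag = TAGS[tagName];
  if (!tag) throw new Error(`unknown tag '${tagName}'`);
  if (validateConsentRecord(rec).length > 0) return false;   // defective record: deny
  if (!tag.purposes.every((p) => rec.decisions[p] === true)) return false;
  if (tag.usTransfer && !transferCovered(rec, opts)) return false;
  return true;
}

// The only place a tag is ever injected: the loader runs solely when the
// gate passes. Server-side containers do not change this; the browser-side
// ping still has to be held back here.
function loadTag(tagName, rec, opts, loader) {
  if (!mayLoadTag(tagName, rec, opts)) return { tag: tagName, loaded: false };
  loader(tagName);
  return { tag: tagName, loaded: true };
}

// Browser loader (assumed script URLs come from your tag config, not shown).
function browserLoader(tagName) {
  if (typeof document === "undefined") return;          // not in a browser (e.g. tests)
  const s = document.createElement("script");
  s.async = true;
  s.dataset.tag = tagName;                              // src assigned from your config
  document.head.appendChild(s);
}

// Usage: populate the record from the CMP callback, then gate each tag.
const record = newConsentRecord();
record.decisions.analytics = true;
record.decidedAt = Date.now();
loadTag("ga4_basic", record, { transferBasis: "pipc_scc" }, browserLoader);
```

The gate is deliberately fail-closed: a record that fails validation (English-only UI, bundled flag, granted purposes with no action timestamp) is treated as no consent at all rather than as partial consent, and the transfer check is separate from the purpose check so that an analytics-only grant never silently covers the US transfer.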


Common questions

Is Google Analytics legal in South Korea in 2026?
Yes, conditionally. GA4 is usable in South Korea only with Korean-language, prior, granular opt-in consent under PIPA Art 15/22 — bundled or pre-ticked consent is invalid. Cross-border transfers to Google's US servers require either separate Art 28-8 transfer consent or PIPC-approved SCCs. The 2022 ₩69.2B PIPC fine on Google for behavioural-ad consent failures means Signals + audience-sharing features carry elevated risk.
What changed when PIPA absorbed the Network Act in 2020?
The February 2020 'Data 3 Acts' amendments ended a decade-long dual regime. Privacy provisions formerly housed in the Network Act (정보통신망법) — which governed online service providers — were repealed and folded into PIPA, so all controllers are now under one omnibus law regardless of sector. Spam, network-security, and unsolicited-communications rules remain in the Network Act and are still enforced by KCC + KISA. The double-opt-in marketing baseline still derives from Network Act Art 50.
What was the 2022 Google + Meta fine?
On 14 September 2022 PIPC imposed a combined ₩100B+ administrative fine — ₩69.2B on Google LLC and ₩30.8B on Meta Platforms — for collecting third-party behavioural-advertising data without legally valid opt-in consent. It was the largest single PIPA enforcement action at announcement, the first time PIPC's elevated authority was used against US Big Tech, and the precedent for the 3% global-turnover fine ceiling enacted six months later.
What is the child-consent age in Korea?
14. Under PIPA Art 22-2, controllers processing personal information of children under 14 must obtain verifiable guardian consent. This is two years lower than GDPR's default of 16 and three years lower than Germany's full BDSG threshold — Korean platforms targeting minors must build distinct guardian-consent flows.
What is the PIPA fine ceiling and how was it calculated?
Up to 3% of total global turnover (PIPA Art 64-2, as amended March 2023). The 2023 amendment raised the cap from '3% of related revenue' to '3% of total turnover' — a substantial expansion that aligns Korean fines with GDPR Art 83's headline ceilings and was visibly scaled to Big Tech enforcement. Pre-2023 fines used the narrower 'related revenue' base.
What is a PIPC adequacy decision?
Introduced by the March 2023 PIPA amendment, PIPC may designate foreign jurisdictions as offering an adequate level of personal-information protection — equivalent to the European Commission's adequacy mechanism under GDPR Art 45. Adequacy removes the per-controller transfer-consent requirement under PIPA Art 28-8. UK and EU adequacy is recognized mutually with Korea (EU→Korea since 17 Dec 2021; UK→Korea since 19 Dec 2023).
Does my privacy notice need to be in Korean?
Yes for Korean-targeted services. PIPC's consistent enforcement position is that consent and notice surfaces directed at Korean residents must be in Korean — English-only is treated as failure to obtain valid consent, regardless of whether English is operationally workable for the user. The Google + Meta 2022 enforcement specifically cited Korean-language consent-UI defects.
Do I need a Korean Article 39-11 representative?
Yes if you are a foreign controller above PIPC-prescribed user/revenue thresholds processing personal information of Korean residents. PIPA Art 39-11 (added by the 2023 amendment in expanded form) requires designation of a domestic representative responsible for PIPC liaison, data-subject requests, and cooperation in investigations. The thresholds mirror the prior Network Act ICS-provider thresholds and pull most foreign SaaS providers in.
Is double opt-in mandatory for marketing in Korea?
Yes for marketing email/SMS/app-push to Korean recipients. Network Act Art 50 + KISA enforcement practice require prior express opt-in plus a confirmation interaction (KISA's marketing-opt-in registry is the standard mechanism). The 21:00–08:00 quiet-hours rule applies to any advertising message — including transactional templates that carry promotional content. Sender identification + unsubscribe link mandatory under Art 50-7.
What is 'Special-Type Information' under PIPA?
PIPA Art 23 defines a Korean-specific sensitive-data category broader than GDPR Art 9. It includes biometric data (fingerprint, facial geometry, iris), race and ethnicity, political views, religion or belief, health, sex life, ideology, trade-union membership, and DNA-derived information. Processing requires separate explicit opt-in consent on top of the general PIPA Art 15 consent — bundling with general consent is invalid. Workplace fingerprint-attendance and facial-recognition deployments routinely fail this test.

// EDITORIAL · NOT LEGAL ADVICE This page summarises South Korea's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.