Korea’s Most Recent Announcement on the Regulation of Behavioural Information
In this article, Yaera Jeon of Dr & Aju discusses the anticipated regulatory framework for online behavioural information processing, and the changes expected to be made as a result.
In late January 2024, the Personal Information Protection Commission (PIPC) of Korea organised a seminar to address “Policy Direction for Personalised Advertising” and to elucidate the forthcoming regulatory framework for online behavioural information processing. This event provided insight into the holistic stance of the PIPC regarding the processing of online behavioural information for personalised advertising purposes. It entailed the delineation of responsibilities for “advertising businesses” and “advertising media businesses”, potentially impacting companies that employ personalised advertising strategies. This would be a pivotal aspect in comprehending the regulation of behavioural information in Korea.
Regulation Concerning Behavioural Information in Korea to Date
In Korea, the Personal Information Protection Act (PIPA), which serves as the fundamental legislation for data privacy, does not specifically define or regulate behavioural information separately. Furthermore, there are no other regulations below PIPA that address this issue. Instead, the PIPC has been operating under the Guidelines established and announced as far back as 2017, focusing on regulating personalised advertising and serving as the framework for regulating behavioural information-related matters thus far. Apart from this, the basic premise has been that if behavioural information is to be used in conjunction with personally identifiable information, data processors must obtain prior consent from the data subject, imposing an obligation on them to comply with PIPA.
However, the current market for personalised advertising differs from traditional advertising markets in that there are various ad tech companies acting as intermediaries between advertisers and web/app operators selling advertising space. Additionally, the nature of their operations is highly diverse. Furthermore, it is challenging for external parties to easily discern their processes for handling and distributing behavioural information. In response to this situation, the PIPC has expressed its determination to address the inadequate regulatory framework for behavioural information processing in Korea. They aim to achieve transparency and legality in the processing of behavioural information, thereby mitigating legal uncertainties and fostering a healthy advertising ecosystem.
Direction of Future Regulation by PIPC – Clarification of Roles and Responsibilities of Key Stakeholders in Personalised Advertising
The “Policy Direction for Personalised Advertising” assigns specific responsibilities and roles to advertising businesses and advertising media businesses. It particularly outlines obligations and recommendations separately. However, considering the prevailing practices in Korea, it can be deemed acceptable that ultimately, all recommendations are also considered obligatory to follow.
Advertising businesses
An advertising business refers to an entity that collects users’ behavioural information through its own or third-party websites, apps, etc, and delivers personalised advertisements on its own or third-party websites and apps.
- If behavioural information is processed in a way that can identify individuals itself or when combined with other data, it is considered personal information. Hence, all obligations under the PIPA must be adhered to. Moreover, personalised advertisements should not be provided to children under 14 years old without prior consent from their legal guardians.
- When processing behavioural information without identifying individuals, it is essential to ensure that there is no possibility of combining personal information with behavioural information.
- Obligations: Systems must be operated in a manner that ensures there is no possibility of identifying individuals through processed behavioural information. Additionally, measures should be taken to separate systems to prevent the combination of personal information with behavioural information, and matching keys that combine personal information and behavioural information should not exist. Furthermore, online identifiers such as email addresses or phone numbers, which carry a high potential for identification, should not be included.
- Recommendations:
- Transparency – it is recommended to disclose the collection and usage of behavioural information in the privacy policy and provide “information” notification in all personalised advertisements. Detailed information, such as the acknowledgment of behavioural information collection and usage for personalised advertisements upon clicking an “information” icon, the name of the advertising business, the items of behavioural information collected and used, the method and purpose of collection, retention period, and methods for users to exercise control should be provided on a separate page.
- Post-control – it is recommended to provide a means for users to refuse behavioural information collection (personalised advertising) by clicking on the “information” icon notification.
- Secure processing – it is recommended to store and manage behavioural information for a minimum period (recommended within six months) to prevent the identification of specific individuals. Regular education for handlers, periodic checks to determine if identification occurs, strict access control management, and adherence to technical and administrative measures such as security pledges are also recommended.
- Protection of children – even if individuals are not identified, it is recommended to refrain from collecting or utilising behavioural information for personalised advertising purposes if the service is known to target children under 14 or is primarily used by them.
Advertising media businesses
Advertising media businesses refer to entities that provide advertising space to display personalised advertisements on their own websites, apps, or other platforms. If an advertising media business directly processes behavioural information, the same principles and guidelines applicable to advertising businesses apply.
However, if an advertising media business allows third-party collection tools to gather behavioural information, the following recommendations apply.
- Disclosure of privacy policy – it is recommended to provide information on the name and type of collection tools, third parties involved in data collection, types of information collected, purposes of usage, and methods of control.
- Chief Privacy Officer (CPO) management responsibility – regularly assessing and inspecting the status of behavioural information collection tools installed on operated websites or apps is recommended. This process aims to determine if the tools have achieved their objectives or if there are significant concerns regarding infringement of rights, prompting the removal of such tools.
- Protection of children – if the primary users of the operated website or app are children under 14 years old, it is recommended to refrain from installing behavioural information collection tools for personalised advertising purposes targeting children.
Inspection and Evaluation of Privacy Policies Planned
The PIPC has announced plans to conduct an online inspection on personalised advertising during the first half of this year. Additionally, the PIPC will conduct inspections in conjunction with the newly implemented privacy policy evaluation system starting from March this year. This initiative aims to ensure that advertising businesses and advertising media businesses properly disclose the collection and usage of behavioural information in their privacy policies.
Guideline Revision Through Public-Private Collaboration
The PIPC plans to establish an online behavioural information protection public-private consultation group in the first quarter of this year and is set to announce revised personalised advertising guidelines by the end of the year. In practice, these guidelines are expected to contain specific regulations regarding behavioural information and personalised advertising, imposing greater responsibilities on both advertising businesses and advertising media businesses. Therefore, it is crucial to carefully examine the content of the revisions once they are announced.
Dr & Aju
