South Korea PIPA

Personal Information Protection Act

Key Facts

  • Effective Date: September 30, 2011
  • Enacted: March 29, 2011
  • Enforcing Authority: Personal Information Protection Commission (PIPC)
  • Consent Model: Opt-in
  • Fulfillment Time: 30 days
  • Applies To: All public and private organizations processing personal information of individuals in South Korea, including foreign businesses (extraterritorial)

Overview

South Korea's PIPA was strengthened by a February 2026 amendment introducing the world's highest potential penalty ceiling at 10% of total annual revenue for severe violations. The amendment also designates the CEO as the ultimate responsible person for data protection, creating statutory accountability at the highest level.

What This Means for Your Website

  • Explicit opt-in consent is required when cookie data can be combined with other data to identify individuals
  • Privacy policies must disclose use of automatic data collection devices (cookies, pixels, SDKs)
  • Data portability rights have been effective since March 2025
  • Foreign businesses targeting Korean users must appoint a domestic representative from October 2025
  • The 10% revenue penalty ceiling applies to repeated violations, intentional conduct affecting 10M+ individuals, or failure to comply with PIPC orders

Key Requirements

The PIPC enforces PIPA alongside KMCC, KISA, FSC, and MSIT. Standard penalties reach 3% of turnover; aggravated penalties reach 10% for severe violations. The SK Telecom fine of KRW 134.7 billion for a breach affecting 23 million users demonstrates enforcement willingness. The CEO's statutory duty to manage and supervise compliance is unique globally.

How ConsentStack Handles This

ConsentStack detects South Korean visitors and applies opt-in consent for cookie data that can identify individuals, meeting PIPA's requirements including disclosure of automatic data collection devices.

Penalties

Standard: up to 3% of total annual turnover. Aggravated (Feb 2026): up to 10% of total annual turnover for severe violations. SK Telecom was fined KRW 134.7 billion.

Revenue-based: 10% of annual revenue

Key Requirements

  • Explicit opt-in consent for personal information processing including linked cookie data
  • Privacy policy must disclose use of automatic data collection devices
  • Data portability rights effective March 2025
  • Foreign businesses must appoint domestic representative from October 2025
  • Mandatory data breach notification
  • CEO designated as ultimate responsible person (February 2026)

Notable Provisions

  • World's highest potential penalty ceiling (10% of total revenue)
  • CEO statutory accountability for data protection
  • SK Telecom fined KRW 134.7 billion for 23 million user breach
  • AI Framework Act effective January 2026

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Indonesia PDP Law (Indonesia)
Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.

Frequently Asked Questions

What are the maximum PIPA penalties?

Up to 10% of total annual revenue for severe violations — the world's highest potential data protection penalty ceiling. SK Telecom was fined KRW 134.7 billion.

Is the CEO personally liable under PIPA?

Yes. The February 2026 amendment designates the CEO as the ultimate responsible person with statutory duty to manage and supervise data protection compliance.

Does South Korea require cookie consent?

When cookie data is combinable with other data to identify individuals, explicit opt-in consent is required. Privacy policies must disclose automatic data collection devices.

Does PIPA apply to foreign companies?

Yes. Foreign businesses targeting Korean users must appoint a domestic representative from October 2025.
