What Is South Korea's PIPA?

South Korea's Personal Information Protection Act (PIPA) governs how organisations collect, process, and store personal data. Enacted in 2011, the law has undergone significant amendments - most recently in September 2024 and March 2025 - that tighten consent requirements and expand the rights of data subjects.

The law applies to any entity that processes the personal information of individuals in South Korea, regardless of where that entity is based. If your website targets South Korean users or collects data from visitors in the country, PIPA applies to you.

Enforcement sits with the Personal Information Protection Commission (PIPC), which has steadily increased its regulatory activity since becoming an independent body in 2020. The PIPC can impose administrative fines of up to 3% of a company's total sales revenue related to the violation.

PIPA's Scope: Does It Apply to Your Website?

PIPA applies extraterritorially. A company based in London, Berlin, or San Francisco falls under PIPA if it processes personal information of individuals located in South Korea.

The definition of personal information under PIPA is broad. It covers any data that can identify a specific individual, either on its own or when combined with other information. Cookies, device identifiers, IP addresses, and behavioural tracking data all qualify when they can be linked to an identifiable person. This means that analytics cookies like _ga or advertising pixels such as _fbp fall within PIPA's scope when used to track South Korean visitors.

From October 2025, foreign businesses that process the personal information of South Korean data subjects must appoint a domestic representative in South Korea to handle privacy-related matters.

Cookie Consent Under PIPA

PIPA requires explicit opt-in consent before collecting or using personal data through cookies and other tracking technologies. This is similar to the GDPR model rather than the opt-out approach used in most US state privacy laws.

Consent must meet four conditions to be valid under PIPA:

  • Specific - consent must relate to clearly defined purposes, not bundled into a single catch-all agreement
  • Informed - the data subject must understand what data is collected and how it will be used
  • Prior - consent must be obtained before any non-essential cookies are set
  • Voluntary - consent must be freely given, without making service access conditional on acceptance

The September 2024 amendment to the Enforcement Decree reinforced the principle of voluntary consent. Organisations can only collect data without consent when it is strictly necessary for performing a contract. A simple notice-and-browse banner does not satisfy PIPA's requirements.

Your cookie banner must present granular choices, allowing visitors to accept or reject different categories of cookies independently. Pre-ticked boxes or implied consent through continued browsing are not valid.

How PIPA Compares to Other Privacy Laws

The table below shows how PIPA's key requirements compare with other major data protection frameworks.

| Requirement | PIPA (South Korea) | GDPR (EU) | CCPA/CPRA (California) | LGPD (Brazil) |
|---|---|---|---|---|
| Consent model | Opt-in | Opt-in | Opt-out | Opt-in |
| Extraterritorial scope | Yes | Yes | Yes | Yes |
| Data portability right | Yes (from March 2025) | Yes | Yes | Yes |
| Maximum fine | 3% of relevant sales | 4% of global turnover | $7,500 per violation | 2% of revenue (capped) |
| Domestic representative required | Yes (from Oct 2025) | Yes (Article 27) | No | Yes |
| Automated decision-making rules | Yes (2024 amendment) | Yes (Article 22) | Yes (from 2027) | Yes |

Cross-Border Data Transfers

PIPA imposes strict rules on transferring personal information outside South Korea. If your website sends visitor data to servers in another country - through analytics tools, advertising platforms, or cloud infrastructure - you must comply with PIPA's cross-border transfer provisions.

The PIPC requires organisations to inform data subjects about overseas transfers, including the recipient, the destination country, and the purpose of the transfer. The January 2025 enforcement action against KakaoPay (KRW 5.9 billion fine) and Apple (KRW 2.4 billion fine) demonstrated how seriously the PIPC treats cross-border transfer violations. In that case, KakaoPay had sent approximately 40 million users' data to Alipay without proper notification.

In September 2025, the PIPC announced its first adequacy decision for the EU, with plans to extend recognition to the UK and Japan. For countries like the United States, where privacy frameworks differ significantly, the PIPC is developing customised transfer mechanisms including Standard Contractual Clauses and Binding Corporate Rules, expected in the first half of 2026.

Recent PIPC Enforcement Actions

The PIPC has become one of Asia's most active data protection authorities. Recent enforcement actions signal the areas where the regulator focuses its attention.

In November 2024, the PIPC fined Meta KRW 21.6 billion (approximately USD 16 million) for collecting and using sensitive personal information - including religious beliefs, political views, and relationship status - without a lawful basis. This was one of the largest privacy fines ever imposed in South Korea.

Golfzon, a domestic golf simulation company, received a KRW 7.5 billion fine in May 2024 following a data breach - the largest penalty imposed on a Korean company at that time. AliExpress was fined KRW 1.978 billion in July 2024 for non-compliance with PIPA's requirements.

In early 2025, the PIPC ordered DeepSeek to halt unlawful cross-border transfers, delete previously exported data, publish a Korean-language privacy policy, and designate a domestic representative.

These actions confirm a pattern: the PIPC targets large platforms, scrutinises cross-border data flows, and is willing to order the deletion of data and algorithms - not just impose fines.

Data Subject Rights Under PIPA

PIPA grants individuals a set of rights that your website must accommodate.

  • Right of access - individuals can request details about the personal information you hold about them
  • Right to correction - data subjects can ask you to correct inaccurate personal information
  • Right to deletion - individuals can request the deletion of their personal data, subject to limited exceptions
  • Right to suspension - data subjects can request that you stop processing their personal information
  • Right to data portability - from March 2025, individuals can request their data in a machine-readable format or have it transferred to another service provider
  • Right to explanation of automated decisions - the 2024 amendment introduced requirements for transparency around automated decision-making and profiling

Practical Steps for Website Compliance

Getting your website ready for PIPA requires attention to several areas.

Audit Your Cookies and Tracking

Run a thorough cookie audit to identify every cookie and tracking technology on your site. Document their purpose, duration, and whether they involve any cross-border data transfer. Cookies set by third-party scripts - analytics platforms, social media widgets, advertising pixels - are your responsibility under PIPA.

Implement Granular Consent

Deploy a consent management mechanism that blocks non-essential cookies until the visitor actively opts in. Your cookie banner must present clear categories (strictly necessary, analytics, marketing, functional) and allow individual selection.
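
The audit and default-deny consent gate described in the two steps above, as an added example that is not part of the original page or any vendor's code. The rule table, the `session_id`, `ui_lang` and `trk` cookie names, and the sample headers are constructed assumptions; a real audit must classify every cookie the site actually sets.

```javascript
// Added example (not from the original page). Cookie names other than _ga and
// _fbp, and the rule table itself, are constructed assumptions.
const OPTIONAL = ["functional", "analytics", "marketing"];
const COOKIE_RULES = [
  { pattern: /^session_id$/, category: "necessary" },
  { pattern: /^ui_lang$/, category: "functional" },
  { pattern: /^_ga(_.+)?$/, category: "analytics" },
  { pattern: /^_fbp$/, category: "marketing" },
];

// Default state: nothing optional is pre-ticked, no decision recorded yet.
function newConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false, decidedAt: null };
}

// Only an explicit boolean true per category counts as opt-in.
function recordChoice(consent, choices, now = new Date()) {
  const next = { ...consent, decidedAt: now.toISOString() };
  for (const cat of OPTIONAL) next[cat] = choices[cat] === true;
  return next;
}

function classify(name) {
  const rule = COOKIE_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unclassified";
}

// Design choice: unclassified cookies are denied, since an undocumented
// purpose cannot be offered to the visitor as a specific category.
function maySet(consent, name) {
  const category = classify(name);
  return category !== "unclassified" && consent[category] === true;
}

// Audit Set-Cookie header values against a consent state; returns the violations.
function auditSetCookie(headers, consent) {
  return headers
    .map((h) => h.split(";")[0].split("=")[0].trim())
    .filter((name) => !maySet(consent, name))
    .map((name) => ({ name, category: classify(name) }));
}

// Constructed sample of Set-Cookie values captured on a first page load.
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.1.1111.2222; Path=/; Max-Age=63072000",
  "_fbp=fb.1.1700000000.3333; Path=/; Max-Age=7776000",
  "ui_lang=ko; Path=/",
  "trk=xyz; Path=/",
];
```

Running `auditSetCookie(SAMPLE_HEADERS, newConsent())` lists every cookie that was set before the visitor made a choice, which is the finding a pre-consent audit is looking for.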

Update Your Privacy Policy

PIPA requires a detailed privacy notice served to users upon arrival. The notice must disclose what data you collect, the purposes of collection, any third parties who receive the data, retention periods, and the data subject's rights. If your site is available in Korean, the privacy policy must also be available in Korean.

Handle Cross-Border Transfers Correctly

Document every instance where personal data leaves South Korea. Notify data subjects about the receiving entity, the destination country, and the purpose. Monitor PIPC announcements about adequacy decisions and approved transfer mechanisms as they develop through 2026.

Frequently Asked Questions

Does South Korea's PIPA apply to websites outside South Korea?

Yes. PIPA applies extraterritorially to any organisation that processes the personal information of individuals in South Korea, regardless of where the organisation is based. If your website targets or collects data from South Korean users, you must comply.

Do I need opt-in or opt-out consent for cookies under PIPA?

PIPA requires explicit opt-in consent before setting non-essential cookies. Implied consent through continued browsing or pre-ticked checkboxes is not sufficient. This aligns with the GDPR model rather than the opt-out approach used in most US state laws.

What is the maximum fine for violating PIPA?

The PIPC can impose administrative fines of up to 3% of a company's total sales revenue related to the violation. Recent fines have reached billions of Korean won - for example, Meta was fined KRW 21.6 billion in November 2024.

How does PIPA handle cross-border data transfers?

PIPA requires organisations to inform data subjects about overseas transfers, including the recipient and destination country. The PIPC is developing Standard Contractual Clauses and adequacy decisions as formal transfer mechanisms, with further frameworks expected by mid-2026.

Do foreign companies need a representative in South Korea under PIPA?

Yes. From October 2025, foreign businesses that process personal information of South Korean data subjects must appoint a domestic representative in South Korea to handle privacy matters on their behalf.

What data subject rights does PIPA provide?

PIPA grants rights of access, correction, deletion, suspension of processing, data portability (from March 2025), and the right to an explanation of automated decisions. These rights are broadly similar to those under the GDPR.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets or whether your consent mechanism meets PIPA's requirements, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
