In September 2022, South Korea's data regulator fined Google 69.2 billion won and Meta 30.8 billion won, roughly 100 billion won combined (about US$72 million), for tracking users' behaviour across sites and services to build advertising profiles without proper consent. They were the country's first penalties aimed at online behavioural advertising, and they put every ad-tech operator on notice. Then in November 2024, the regulator fined Meta again, this time 21.6 billion won, for collecting sensitive data and sharing it with some 4,000 advertisers.
South Korea takes cookie consent more seriously than almost anywhere, and the enforcement record backs it up. This guide covers how the Personal Information Protection Act (PIPA) treats cookies after its 2023 overhaul, the consent standard, cross-border transfers, who enforces it, and what it costs to get wrong.
Cookies Are Personal Information, and Consent Is Opt-In
Under PIPA, cookies that collect identifiable or behavioural data are treated as personal information, and processing personal information requires the individual's prior consent. That consent has to be specific and informed: obtained before the tracking starts, tied to a clearly stated purpose, and separate from unrelated agreements. This is a genuine opt-in regime, on the strict end of the global spectrum.
PIPA also draws a hard line around sensitive information (religion, political views, health, sexual orientation, and similar) and unique identifiers, which need separate, explicit consent. The 2024 Meta fine turned on exactly this: the regulator found Meta had built advertising categories that effectively revealed users' religion and sexual orientation (sensitive data) without a proper legal basis. If any of your trackers can infer sensitive attributes, that's the high-risk zone.
What the 2023 Amendment Changed
A major amendment to PIPA passed in February 2023 and took effect on 15 September 2023. It pushed Korea's framework closer to the GDPR and added rights and enforcement tools:
- Right to data portability, letting individuals move their personal information between services.
- Rights around automated decisions. Individuals can refuse, or demand an explanation of, fully automated decisions, including AI-driven ones, that significantly affect their rights. That reaches into profiling and automated ad targeting.
- New cross-border transfer bases beyond consent (certification and recognition mechanisms), giving alternatives to obtaining explicit transfer consent every time.
- Tougher economic penalties. The amendment shifted the surcharge model so that administrative penalties can reach up to 3% of relevant total revenue, rather than a narrow slice tied only to the violating activity.
Who Enforces It
The regulator is the Personal Information Protection Commission (PIPC), an independent central authority with strong investigative and penalty powers, and it uses them. Beyond the Google and Meta cases, the PIPC has pursued a steady stream of enforcement against domestic and foreign companies alike, and it has been developing dedicated guidelines for behavioural and personalised advertising. Its English resources are at the PIPC's official site.
PIPA applies extraterritorially: overseas businesses that process the personal information of Korean residents are within scope, which is why global platforms have been on the receiving end of the largest fines. A useful English summary of the amendment and the PIPC's enforcement posture is available from the IAPP.
The enforcement contrasts sharply with Japan next door. Where Japan's regulator has leaned on corrective orders first and reserved penalties for non-compliance, the PIPC issues large economic fines directly, and it moves against the biggest global platforms rather than only domestic firms. If you treat Korea like a lighter-touch APPI market, the fine history says you'll misjudge the risk.
Cross-Border Transfers
If your trackers send Korean users' data offshore, PIPA's transfer rules apply. Historically the route was explicit consent to the transfer, with detailed disclosures about the recipient, the destination, and the purpose. The 2023 amendment broadened the options to include recognition and certification mechanisms, so you're no longer limited to per-transfer consent. Even so, when you do rely on consent, PIPA expects specific, itemised disclosure; a vague blanket clause won't hold up.
A Practical Setup for Korean Traffic
- Opt-in before tracking. No non-essential cookie, pixel, or SDK fires until the visitor consents. This is the core PIPA requirement, and it's where the big fines came from.
- Separate consent for sensitive data and identifiers. If a tracker can infer religion, politics, health, or sexual orientation, gate it behind its own explicit consent, or don't run it.
- Be granular and specific. Per-purpose consent with clear Korean-language descriptions of what each category does.
- Handle transfers explicitly. Disclose the recipient, country, and purpose when you rely on transfer consent.
- Respect automated-decision rights. Give users a way to object to profiling-based targeting.
- Log everything. Timestamped, purpose-level consent records are your defence if the PIPC investigates. See consent logging requirements.
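The checklist above, sketched as an added example (not CookieBeam's code or any vendor's API): an opt-in gate with a separate grant for sensitive-capable trackers, plus the timestamped purpose-level record. The tracker names, field names and consent-object shape are assumptions made for illustration.

```javascript
// Constructed tracker catalogue (hypothetical names). `sensitive` marks a
// tracker that can infer sensitive attributes and needs its own explicit grant.
const TRACKERS = [
  { name: "session-cookie",    purpose: "essential",   essential: true,  sensitive: false },
  { name: "analytics-sdk",     purpose: "analytics",   essential: false, sensitive: false },
  { name: "ad-pixel",          purpose: "advertising", essential: false, sensitive: false },
  { name: "interest-profiler", purpose: "advertising", essential: false, sensitive: true },
];

// Opt-in default: nothing non-essential is granted until the visitor says so.
function emptyConsent() {
  return { purposes: {}, sensitive: {}, transfer: null };
}

// A tracker may fire only if it is essential or its purpose was explicitly
// granted (strictly `true`); sensitive trackers also need the separate grant.
function mayFire(tracker, consent) {
  if (tracker.essential) return true;
  if (consent.purposes[tracker.purpose] !== true) return false;
  if (tracker.sensitive && consent.sensitive[tracker.purpose] !== true) return false;
  return true;
}

function allowedTrackers(consent, trackers = TRACKERS) {
  return trackers.filter((t) => mayFire(t, consent)).map((t) => t.name);
}

// Timestamped, purpose-level record. Undecided purposes are logged as not
// granted, never assumed. `transfer` holds { recipient, country, purpose }
// when transfer consent is the basis relied on, otherwise null.
function consentRecord(visitorId, consent, now = new Date()) {
  const purposes = [...new Set(TRACKERS.filter((t) => !t.essential).map((t) => t.purpose))];
  return {
    visitorId,
    recordedAt: now.toISOString(),
    decisions: purposes.map((p) => ({
      purpose: p,
      granted: consent.purposes[p] === true,
      sensitiveGranted: consent.sensitive[p] === true,
    })),
    transfer: consent.transfer,
  };
}
```

Call `allowedTrackers` before injecting any script tag or initialising any SDK, and write a new `consentRecord` each time the visitor changes a choice rather than overwriting the previous one.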
How CookieBeam Handles South Korea
CookieBeam ships a PIPA framework preset scoped to South Korea, set to opt-in, with non-essential scripts blocked until the visitor consents, which is what PIPA's prior-consent standard demands. Through the regional consent engine, a visitor in Korea gets that strict opt-in experience, in Korean, while other regions get their own model, from a single banner.
Every consent decision is logged with a timestamp and purpose-level detail, which is precisely the evidence the PIPC looks for, and the absence of which drove the behavioural-advertising fines. Where PIPA goes beyond the banner (appointing a domestic representative if required, choosing lawful cross-border transfer mechanisms, building the internal legal basis for any sensitive-data processing), those obligations remain your responsibility; the consent tool captures and proves the consent, but it doesn't file your paperwork. Given how active the PIPC is, verify the current guidelines, especially the evolving behavioural-advertising rules, before you finalise. This guide reflects mid-2026.
Related Guides
For neighbouring Asian regimes, read our Japan APPI guide and China PIPL guide. For the EU model PIPA now resembles, see the GDPR cookie compliance checklist. For how penalties stack up worldwide, read cookie consent penalties by country. For serving different rules per location, see regional consent for global sites.