City Hall Square in Seoul, South Korea showing privacy law violations

Fines for Google and Meta in South Korea Over Privacy Law Violations; Targeted Ad Consent Mechanisms Found To Be Lacking

Google and Meta are each facing tens of millions in fines from the government of South Korea over privacy law violations, in both cases due to insufficient consent mechanisms for their targeted advertising programs and a lack of clarity in communicating key information to consumers.

Google is looking at ₩69.2 billion (about $50 million) and Meta ₩30.8 billion (about $22 million) in fines issued by the country’s Personal Information Protection Commission (PIPC). South Korea has had a national digital privacy law (the Personal Information Protection Act) since 2011, but a 2020 set of amendments tightened user consent requirements and the situations in which collected data must be pseudonymized.

Privacy law violations highlight South Korean requirements for consent and disclosures

Google and Meta both issued statements indicating that they do not believe that their conduct rose to the level of privacy law violations and would be reviewing the PIPC decision; Meta added that it is open to considering legal action.

The regulator took issue with Google specifically due to it setting the default choice for collection of personal information to “agree” and for it obscuring other options in its settings menu. Both companies were hit with privacy law violations for not providing enough information about how their information would be collected and used in regards to targeted advertising. Meta also failed to obtain adequate consent for ad tracking, and was taken to task for burying important consumer information in the body of its full data policy statement.

The penalties are the first assessed specifically for targeted advertising programs, and the largest yet for privacy law violations. The size of the penalties are in part due to the omnipresence of these two companies in the digital lives of residents of South Korea; some 82% of the country uses Google’s services, and about 98% use at least one of Meta’s apps (such as Facebook, WhatsApp and Instagram). The PIPC said that the size of the two companies meant that the issue presented a serious threat to privacy rights.

In addition to the fines, Google and Meta have been ordered to correct the issues and provide an “easy and clear” process of consent in line with regulatory requirements. Both companies are awaiting a full written decision from the PIPC that will provide more clear and direct information about what needs to be corrected, and have the ability to pursue a legal challenge if they desire.

Tech firms face policy changes in South Korea, continued investigations elsewhere

South Korea’s data regulations are in something of a state of flux with the Yoon government taking power in March 2022. The government has called for self-regulation guidelines for the digital platform industry in a “public-private cooperation approach”, with a general eye toward reducing regulation in this area, but has also called for stricter data retention rules that involve immediate anonymization and for customer purchase information to not be accessible to online sellers for more than 90 days.

As the major tech platforms navigate these changes in South Korea, they have plenty of experience to draw from in terms of their legal challenges in other countries (particularly Europe). Meta has been targeted with numerous consent and disclosure complaints in the EU and has already been fined several times, and continues to battle an order from the German Federal Cartel Office that restricts its ability to gather targeted advertising data from third-party websites without first obtaining user consent. And the first major GDPR fine was handed to Google in early 2019, a penalty of $57 million that also involved failure to properly disclose how user information was being used and failure to collect adequate consent under the then-new terms. That investigation was initiated by complaints that were filed on May 25, 2018, the first day that complaints about GDPR privacy law violations could be filed.

As the privacy law violations may indicate, South Korea’s data regulations make it one of about 15 countries that have received an adequacy decision from the European Commission, allowing companies like Meta and Google to transfer user data between the two regions without special protections or mechanisms. South Korea was the most recent nation to join this club, receiving its decision in December 2021 after nearly a year of talks and deliberation. The tech giants thus could very well find that all of the legal issues that have dogged them in Europe will re-emerge in South Korea if they do not onboard the required changes in the region. In addition to potential privacy law violations, South Korea’s legislators have been echoing the EU in raising serious concerns about the size of these tech giants in the market and antitrust considerations.