On January 31, 2024, the Personal Information Protection Commission (PIPC) announced the ‘Policy Direction for the Protection of Online Behavioral Data Used in Targeted Advertising’ (Policy Direction). This announcement marks a significant milestone as PIPC’s first comprehensive stance on online behavioral data for targeted advertising. Aligned with regulations under the Personal Information Protection Act (PIPA), the Policy Direction provides detailed guidance on specific obligations and recommended practices for both advertisers[1] and advertisement publishers[2].

This newsletter aims to examine the primary elements of each policy initiative addressed by the Policy Direction.

  1. Clarifying the Roles and Responsibilities of Stakeholders in Targeted Advertising

One of the key features of the Policy Direction is that it outlines the specific obligations and recommendations for both advertisers and advertisement publishers.

(a) Obligations and Recommendations for Advertisers

The Policy Direction provides distinct guidelines for advertisers depending on whether behavioral data (including online identifiers) are used to identify specific individuals. In cases where the identification of a specific individual is involved in the processing of behavioral data (i.e., processing behavioral data containing explicitly identifiable information or combining such data with other information that may enable the identification of specific individuals), the advertisers are required to comply with all applicable obligations mandated by PIPA, as the behavioral data used to identify specific individuals may be classified as personal information under PIPA.

On the other hand, in instances where specific individuals are not identified, the advertisers are required to refrain from combining behavioral data with other information that could potentially lead to the identification of specific individuals. To do so, the Policy Direction offers four specific methods: (i) operating separate systems for processing personal information and behavioral data; (ii) refraining from creating matching keys that link personal information with behavioral data; (iii) ensuring that the processed behavioral data does not contain personal information; and (iv) avoiding the use or inclusion of information in online identifiers that carries a high probability of identifying specific individuals.

In addition to the above, the Policy Direction recommends several further measures for advertisers who process behavioral data that does not involve identification of specific individuals. For instance, to enhance transparency, advertisers are advised to, among other things, disclose in their privacy policy information regarding the collection and use of behavioral data. Moreover, they are also advised to feature an ⓘ icon on all targeted advertising and provide detailed information (e.g., the fact that behavioral data is being collected and used for targeted advertising, the name of the advertiser, the items of behavioral data being collected and used, etc.) via the ⓘ icon.

Finally, to improve the data subject’s control over their information, the Policy Direction recommends that advertisers provide users an option to refuse behavioral data collection and targeted advertising when clicking the ⓘ icon. Additionally, to mitigate the risk of specific individuals becoming identifiable in the future, it is further recommended that advertisers retain and manage behavioral data for a limited duration, preferably no longer than six months.

(b) Obligations and recommendations for advertisement publishers

The obligations and recommendations outlined for advertisers above are also applicable to advertisement publishers if they process behavioral data by themselves. However, when advertisement publishers permit the collection of behavioral data through third-party tools, the Policy Direction recommends that they disclose specific information in their privacy policy, including details such as the name and type of the collection tool used, the involved third parties, the collected information, its purpose, and methods of control.

(c) Targeted advertising directed at children

In addition to the specific obligations and recommendations for advertisers and advertisement publishers explained above, the Policy Direction also imposes additional restrictions that are applicable to targeted advertising aimed at children under the age of 14. Advertisers intending to provide targeted advertising to children under 14, by combining behavioral data with other personally identifiable information, must obtain prior consent from their legal representatives. Furthermore, even in cases where the identification of specific individuals is not intended, services primarily used by children are advised to refrain from collecting and using behavioral data for targeted advertising purposes. As for advertisement publishers, they are recommended not to install behavioral data collection tools for targeted advertising purposes if their websites or mobile applications primarily target children under the age of 14.

(d) Protection measures for data subjects regarding in-app browsers[3]

The Policy Direction also introduces certain obligations and recommendations applicable to in-app browser operators.

For instance, in-app browser operators are required to comply with the requirements of PIPA regarding the processing of personal information if they process behavioral data that can be used to identify specific users. This includes securing adequate legal bases, such as obtaining explicit consent from users, as well as disclosing information about such processing in their privacy policy. Additionally, the in-app browser operators must also ensure that the collection of information is limited to what is necessary for the intended service objectives so that it does not pose any concerns for privacy infringement.

Moreover, the in-app browser operators are recommended to provide alternative means for users to open web pages in their preferred browser through app settings to allow users more control over their browsing preferences.

  2. Plans for Conducting Compliance Surveys and Privacy Policy Evaluation

In the Policy Direction, the PIPC also discusses its plans to conduct compliance surveys related to targeted advertising practices in the first half of 2024. In addition, in line with the “Privacy Policy Evaluation System” under the amended PIPA that came into effect in September 2023, the PIPC reveals its plans to conduct a comprehensive evaluation of privacy policies regarding the collection and use of behavioral data by advertisers and website/mobile application operators starting this March.

  3. Establishing PIPC Guidelines in Cooperation with Private Sectors

The PIPC plans to establish a public-private consultation group in the first quarter of this year that will collaboratively develop updated guidelines for matters related to targeted advertising by the end of the year.


Footnotes

[1] “Advertiser” refers to a business operator who collects user behavior data through its own or third-party websites or mobile applications, and delivers targeted advertising to its own or third-party websites or mobile applications.

[2] “Advertisement publisher” refers to a business operator that offers advertising space on its websites and mobile applications for the display of targeted advertising.

[3] “In-app browser” refers to a web browser embedded within mobile applications that helps users access web links while using the mobile application.
