South Korea

Can you place cookies without consent?

Under the current interpretation of the Korean legal requirements, there is no need for a separate cookie consent.

However, if the use of cookies involves collection and transfer of personal data, a lawful processing basis (e.g. consent) is required.

To date, there have not been any clear precedents or guidance that directly clarifies whether cookie ID or similar online identifiers (e.g. ADID) fall under the scope of "personal data" on a standalone basis. However, if such online identifier is combined with other personal data (such as name, email address, phone number), then such online identifier constitutes personal data.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes. While there are no specific regulations on operation of cookies (except that the data controller only needs to provide in its privacy policy a general explanation with respect to (i) its use of cookies and (ii) methods to opt-out from usage of such cookies), requirements are generally followed and enforced in practice.

Are there any exemptions if consent is required?

Please refer to our answer to question # 1 above.

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

Please refer to our answer to question #1 above.

Regardless of what kind of cookie it is, as long as it does not involve processing of personal data, it can be placed without requiring consent (as such cookie is not considered personal data in and of itself).

Whether the use of cookies involves collection and transfer of personal data is a dispositive factor in deciding whether or not opt-in consent is required.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

There is no need to obtain consent for use of cookies.

However, if the use of cookies involves personal data, explicit opt-in consent must be obtained (just like any other type of personal data).

Can you set cookies without a cookie notice? 

There is no requirement to set up a separate cookie notice.

However, a data controller is required to include in its privacy policy a description of (i) its use of cookies and (ii) methods to out-out from usage of such cookies.

Can you set cookies without a cookie banner/ management tool?

Yes, a cookie banner / management tool is not required. The only requirement is to include in its privacy policy a description of (i) its use of cookies and (ii) methods to opt-out from usage of such cookies.

Are you able to use cookie walls? 

Yes.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

No.

Are there any current consultations relating to ad tech/cookies?

There is controversy over whether cookie ID or similar online identifiers (e.g. ADID) independently fall within the scope of personal data.

In the Meta/Google case, PIPC (the Personal Information Protection Commission, the regulatory authority over personal data matters) opined that Google and Meta combined the online identifier with users’ personal data, therefore making the online identifiers “personal data” which requires Meta/Google to obtain consent from its users.

Currently the relevant regulators are working on developing personalized advertising guidelines but the draft is not available to the public yet (it will be announced in 2024).

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

Please refer to our answer to question #10 above.