Under the current interpretation of the Korean legal requirements, there is no need for a separate cookie consent.
However, if the use of cookies involves collection and transfer of personal data, a lawful processing basis (e.g. consent) is required.
To date, there have not been any clear precedents or guidance that directly clarifies whether cookie ID or similar online identifiers (e.g. ADID) fall under the scope of "personal data" on a standalone basis. However, if such online identifier is combined with other personal data (such as name, email address, phone number), then such online identifier constitutes personal data.
Yes. While there are no specific regulations on operation of cookies (except that the data controller only needs to provide in its privacy policy a general explanation with respect to (i) its use of cookies and (ii) methods to opt-out from usage of such cookies), requirements are generally followed and enforced in practice.
Please refer to our answer to question # 1 above.
Please refer to our answer to question #1 above.
Regardless of what kind of cookie it is, as long as it does not involve processing of personal data, it can be placed without requiring consent (as such cookie is not considered personal data in and of itself).
Whether the use of cookies involves collection and transfer of personal data is a dispositive factor in deciding whether or not opt-in consent is required.
There is no need to obtain consent for use of cookies.
However, if the use of cookies involves personal data, explicit opt-in consent must be obtained (just like any other type of personal data).
There is no requirement to set up a separate cookie notice.
However, a data controller is required to include in its privacy policy a description of (i) its use of cookies and (ii) methods to out-out from usage of such cookies.
Yes, a cookie banner / management tool is not required. The only requirement is to include in its privacy policy a description of (i) its use of cookies and (ii) methods to opt-out from usage of such cookies.
Yes.
No.
There is controversy over whether cookie ID or similar online identifiers (e.g. ADID) independently fall within the scope of personal data.
In the Meta/Google case, PIPC (the Personal Information Protection Commission, the regulatory authority over personal data matters) opined that Google and Meta combined the online identifier with users’ personal data, therefore making the online identifiers “personal data” which requires Meta/Google to obtain consent from its users.
Currently the relevant regulators are working on developing personalized advertising guidelines but the draft is not available to the public yet (it will be announced in 2024).
Please refer to our answer to question #10 above.