Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
The Civil Act, as amended in 2013, provides that majority is attained by a person upon reaching of 19 years of age.
Please note that there are different legal age thresholds for specific activities, such as voting (18 years old) or criminal responsibility (14 years old). Regarding the context of data protection and privacy, the Personal Information Protection Act stipulates that persons Please note that there are different legal age thresholds for specific activities, such as voting (18 years old) or criminal responsibility (14 years old). Regarding the context of data protection and privacy, the Personal Information Protection Act stipulates that persons under 14 years of age are considered “children” and therefore subject to stricter regulation on data processing.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
No.
Pursuant to the Constitution, treaties duly concluded and promulgated under the Constitution shall have the same effect as the domestic laws of Korea. As Korea ratified the UNCRC in 1991, it is considered to have the same status as domestic laws; however, the enforcement of the UNCRC may depend on its compatibility with existing domestic laws. Currently, the “Child Welfare Act” and the “Youth Protection Act” incorporate certain core principles of the UNCRC.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
No.
Korea does not have a centralized ombudsperson/commissioner for children with a national mandate. There are several cases where it is independently operated at the local government level.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
N/A.
N/A.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
Pursuant to Article 22-2(1), (2) of the Personal Information Protection Act, in order to process a child’s personal information, a data controller must obtain the consent of the child’s legal representative (one of the legal representative’s consent will suffice) and confirm whether the legal representative has granted consent. According to the Personal Information Protection Commission (PIPC) guidelines (“Guidelines for the Protection of Personal Information of Children and Adolescents”, 2022), an age gate can be in the form of requiring the user to either (i) affirm that s/he is 14 or older (e.g., check box), or (ii) type in his/her date of birth. The data controller does not have to go so far as requiring actual proof of age.
Only the minimum information necessary for obtaining the consent of a legal representative (i.e., the name and contact details of a legal representative) may be collected directly from the relevant child without consent of the legal representative.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Pursuant to Article 22-2(1) of the Personal Information Protection Act, children from 14 years of age can legally consent to the processing of their own personal information without parental permission/consent.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
The data controller shall confirm whether a legal representative has granted consent by any of the following methods:
(i) Requesting the legal representative to indicate whether they give consent on the website where the matters requiring consent are posted, and informing him/ her by mobile phone text message of the personal information for which the controller has obtained consent;
(ii) Requesting the legal representative to indicate whether they give consent on the website where the matters requiring consent are posted, and being provided with information on his or her card, such as a credit card or debit card;
(iii) Requesting the legal representative to indicate whether they give consent on the website where the matters requiring consent are posted, and verifying the identity of the legal representative through identity verification on his/ her mobile phone;
(iv) Issuing the legal representative a document specifying the matters requiring consent, either in person or by mail or fax, and requesting him or her to submit the document after signing and affixing a seal on it with respect to such matters;
(v) Sending the legal representative an electronic mail that specifies the matters requiring consent, and requesting him or her to send an electronic mail confirming consent;
(vi) Notifying the legal representative of the matters requiring consent by telephone to obtain consent, or providing him/ her with information on how to confirm consent, such as via a particular Internet address or by telephone;
(vii) Other methods equivalent to those prescribed in (i) through (vi) by which matters requiring consent are notified to the legal representative and an indication of his or her consent is confirmed.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no particular legal requirements concerning the processing of children’s personal data.
However, please note that Article 22-2 (3) of the Personal Information Protection Act stipulates that where a controller is notifying children under the age of 14 of matters related to the processing of their personal information, this must be done using an easy-to-understand format and clear and easy-to-understand language.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes. 14+
Pursuant to Article 38(2) of the Personal Information Protection Act, the legal representative of a child under 14 years of age may file a request for access, transmission, rectification or erasure of the personal information of the child with a data controller. The Personal Information Protection Committee explains through its guideline that this means that children under 14 years of age cannot directly exercise their data privacy rights and can only exercise their rights through their legal representative.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes. 14+
There is no specific legislation clearly regulating this matter; however, 14 years old is expected to apply to complaints made to regulators as well. For further information, see the response to this question.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
Pursuant to Article 22-2(1), (2) of the Personal Information Protection Act, the data controller must obtain the consent of the child’s legal representative and confirm whether the legal representative has granted consent when the consent of a child under 14 years of age is required to process the personal information of that child. This means that for children under 14 years of age, prior consent from the legal representative must be obtained when combining behavioural information with personally identifiable information to provide personalized advertisement.
Further, there are several “recommendations” under the Personal Information Protection Committee’s guidelines as follows:
- If an individual is not identified (e.g., using the service without logging in), and it is known that the individual is under the age of 14 or that the service is primarily used by children, behavioural information must not be collected or used for personalized advertising purposes. Additionally, personalized advertisements must not be provided to children under the age of 14 if their age is known.
- If the behavioural information (e.g., app/website visit history, search and purchase history) and personally identifiable information are used for personalized advertising targeting users aged 14 and above, the user must be clearly informed of the collection and usage of this personal information. This includes providing details about the purpose of usage, the types of information being combined, the retention period, and other relevant information; and the user’s consent must be obtained.
- Recommended not to use “nudge techniques” that negatively impact the privacy of children and adolescents (nudge techniques refer to methods where a provider uses psychological factors to guide a user’s decision-making in a desired direction). For example, children and adolescents should not be encouraged to provide excessive personal information or to disable or lower their privacy settings. Also, nudge techniques that hinder children from making careful and voluntary decisions when changing key privacy settings should also be avoided.
- When providing services to children and adolescents using AI speakers, chatbots, or other text/voice-based interactive methods, personal information must not be improperly collected during such usage. In particular, when offering services to children under the age of 14, efforts must be made to ensure that inappropriate content is not provided to the child.
- Other considerations for designing child and adolescent privacy protection:
(i) verify age through appropriate methods; (ii) set a high level of privacy protection as the default setting; (iii) avoid designing services where personal information is entered in exchange for rewards like cash or items; (iv) set location tracking options to disabled by default, and if location information is collected, ensure that children and adolescents can clearly recognize that tracking is taking place; (v) implement reasonable mechanisms to prevent misuse by children under 14 years old who might falsely declare their age.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
To date, there have been several enforcement actions by the Personal Information Protection Committee (PIPC) and the Korea Communications Commission (KCC) investigating and imposing fines for violating the obligation to obtain legal representative’s consent as below. (Please note that regulatory authority in relation to this point was transferred from the KCC to the PIPC in 2021.)
In 2020, the KCC imposed corrective orders and penalty surcharges on company A (e-book service; corrective order, penalty surcharge of 22.8 million KRW), company B (app deleting unwanted digital files; corrective order), company C (global social media platform; penalty surcharge of 180 million KRW).
In 2021, the PIPC imposed administrative fines and penalty surcharges on company D (AI company providing chatbot service and emotional analysis)’s three services: company E (administrative fine of 8 million KRW), company F (administrative fine of 8 million KRW, penalty surcharge of 19.5 million KRW), and company G (administrative fine of 7.8 million KRW, penalty surcharge of 9.8 million KRW).
In 2022, the PIPC imposed an administrative fine of 5 million KRW on company H.
In 2023, the PIPC imposed administrative fines and penalty surcharges on company I (podcast and streaming platform; administrative fine of 84.43 million KRW, penalty surcharge of 6 million KRW), company J (audio content platform; administrative fine of 19.96 million KRW, penalty surcharge of 6 million KRW), company K (digital content creation and distribution; administrative fine of 3.51 million KRW, penalty surcharge of 6 million KRW); company L (movie streaming; administrative fine of 9.23 million KRW, penalty surcharge of 6 million KRW), and company M (digital content creation and marketing; penalty surcharge of 6 million KRW). Also, the PIPC made improvement recommendations to company N (a global AI service provider) since it restricts membership for those under 13, which conflicts with the legal representative consent age of 14 as stipulated by the Personal Information Protection Act. Two shopping mall solution providers were imposed corrective orders of improvement recommendations due to the violation of the legal representative consent obligation.
(The administrative fine and penalty surcharges were calculated based on all violations found, including but not limited to the violation of legal representative consent obligation.)
Are there specific rules concerning electronic direct marketing to children?
No.
There is no specific regulation concerning electronic direct marketing to children.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are several “recommendations” under the Personal Information Protection Committee’s guidelines as follows:
- If an individual is not identified (e.g., using the service without logging in), and it is known that the individual is under the age of 14 or that the service is primarily used by children, behavioural information must not be collected or used for personalized advertising purposes. Additionally, personalized advertisements must not be provided to children under the age of 14 if their age is known.
- If the behavioural information (e.g., app/website visit history, search and purchase history) and personally identifiable information are used for personalized advertising targeting users aged 14 and above, the user must be clearly informed of the collection and usage of this personal information. This includes providing details about the purpose of usage, the types of information being combined, the retention period, and other relevant information; and the user’s consent shall be obtained.
- Recommended not to use “nudge techniques” that negatively impact the privacy of children and adolescents (nudge techniques refer to methods where a provider uses psychological factors to guide user’s decision-making in a desired direction). For example, children and adolescents should not be encouraged to provide excessive PI or to disable or lower their privacy settings. Also, nudge techniques that hinder children from making careful and voluntary decisions when children and adolescents are changing key privacy settings should also be avoided.
Are there specific rules concerning online contextual advertising to children?
Yes.
As contextual advertising, in general, does not the processing of involve personal information, privacy-related regulations do not apply. Other than the regulations on harmful media materials, there are no specific rules in relation to children concerning contextual advertising. For further information, see the response to this question
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There has been no enforcement specifically concerning advertising to children by the Personal Information Protection Committee or related authorities.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
The Civil Act defines the capacity of a minor, i.e., a person under the age of 19. Under Article 5 of the Civil Act, if a minor performs a legal act without the consent of his/her legal guardian, the act can be cancelled without any reason by the minor or his/her legal guardian. An exception to the foregoing consent requirement includes the case where the minor’s legal act relates solely to acquiring rights or relieving them from obligations.
Do consumer protection rules apply to children?
Yes.
The consumer protection rules including the right to revoke under the Civil Act and the right of withdrawal under the E-Commerce Act apply to consumers including children.
Are there any consumer protection rules which are specific to children only?
Yes.
Pursuant to Article 13(3) of the E-Commerce Act, when concluding a contract on the transaction of goods with a minor, a mail order distributor shall inform the minor (i.e., the child under 19 years old) of the fact that if his or her legal guardian does not agree to the contract, the minor or the legal guardian can cancel the contract.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
Yes.
To date, there have been several enforcement actions by the Korea Fair Trade Commission (KFTC) investigating and imposing fines for violating the obligation to inform minors of the fact that if the legal guardian does not agree to the contract, the minor or the legal guardian can cancel the contract pursuant to the E-Commerce Act.
On February 2019, the KFTC imposed a corrective order and fines on company O (social network platform; corrective order and administrative fine of 2million KRW) and company P (video streaming service; corrective order and administrative fine of 4 million KRW).
On July 2019, the KFTC found that 7 idol merchandise companies had violated the obligation to inform and imposed a corrective order and administrative fines of total 31 million KRW.
Additionally, on June 2020, the KFTC found 7 online shopping mall businesses had violated the obligation to inform and imposed a corrective order and administrative fines of total 33 million KRW.
(The administrative fine was calculated based on all violations found, including but not limited to the violation of legal representative consent obligation.)
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
Pursuant to the Personal Information Protection Act, a data controller must obtain the consent of the child’s legal representative and confirm whether the legal representative has granted consent when the consent of a child under 14 years of age is required to process the personal information of such child.
Therefore, if the child’s access to online/digital services involves the data processing of a child under 14 years old (e.g., the child’s sign-up), then the legal representative’s consent shall be obtained.
Further, the Youth Protection Act defines harmful media materials for youth as those containing obscene and violent content that are inappropriate for distribution, including codes, texts, sounds, or video information transmitted via telecommunications, as well as internet newspapers and internet news services. The Youth Protection Committee, the Video Rating Board, the Korea Communications Standards Commission, and the Game Rating and Administration Committee are the relevant authorities responsible for reviewing harmful media for youth. Based on the results of these reviews, access to such media may be restricted for minors under the Youth Protection Act (i.e., individuals under the age of 19).
Are there any specific requirements relating to online/ digital safety for children?
Yes.
The Personal Information Protection Committee explains through its guidelines that services for children and adolescents should be planned and designed in accordance with privacy principles, considering the following:
(i) verify age through appropriate methods; (ii) set a high level of privacy protection as the default setting; (iii) avoid designing services where personal information is entered in exchange for rewards like cash or items; (iv) set location tracking options to disabled by default, and if location information is collected, ensure that children and adolescents can clearly recognize that tracking is taking place; (v) implement reasonable mechanisms to prevent misuse by children under 14 years old who might falsely declare their age.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
Where a child under the age of 14, the online service provider must obtain consent from the child’s legal guardian and verify whether the legal guardian has given consent. Please refer to the example below.
Example of a legal representative’s Personal Information Protection Act- compliant consent process:
1. At the initial sign-up screen, select “Age 14 or above” or “Under the age of 14”.
2. When selecting “Under the age of 14”, enter the minimum information required to obtain consent from the legal guardian, such as the child’s name, age, the legal guardian’s name, e-mail address and contact information).
3. Verify consent of the legal guardian by sending him/her a text message on consent details and a link and requesting him/her to access the website through the link to express consent.
4. The child to enter the relevant information and sign up for membership.
On a related note, some platform service providers only allow membership to persons of 14 years or above so as to avoid having to obtain consent from legal guardians and verifying such consent in connection with children under the age of 14. However, even in this case, at the very least, the platform service provider would have to implement an age gate mechanism requiring the user to confirm whether he/she is 14 or older in order to minimize potential liability in case it inadvertently ends up processing children’s data without parental consent due to users under 14 entering false age information.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
No.
N/A
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
The regulatory enforcement actions by the Personal Information Protection Committee and the Korea Fair Trade Commission have focused on violations of the legal representative consent obligation and the obligation to notify the right to cancel, as mentioned above. There have been no particular online safety related investigations or dispositions.
Are there any existing requirements relating to children and AI in your jurisdiction?
No.
N/A
Are there any upcoming requirements relating to children and AI in your jurisdiction?
No.
N/A
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
Currently, the Personal Information Protection Committee (PIPC) is internally focused on whether consent is actually obtained from the legal representatives of children under the age of 14. In other words, the PIPC’s view is that even if age gates are in place, it shall be necessary to directly monitor whether the user is truly over the age of 14 and block the service if the user is found to be under the age of 14. However, there is no legal basis yet for such monitoring to be required in relation to online service providers; therefore, a wait-and-see approach regarding the age gate requirement is needed.
Contributors
Juho Yoon
BKL
Taeuk Kang
BKL
Jiyoung Sohn
BKL
Sean Jeong
BKL
Ju Eun Lee
BKL
Junsung Park
BKL
Sihou Lim
BKL
