South Korea’s PIPC Fines Meta for Unauthorized Use of Sensitive Data and Privacy Violations

Written by Jeremy Werner

Posted on 11/07/2024

South Korea’s Personal Information Protection Commission (PIPC) has sanctioned Meta Platforms, Inc. with a fine of KRW 21.6 billion (approximately $15 million USD) for collecting and using sensitive personal information without a legal basis. During its 18th plenary session on November 4, the PIPC ruled that Meta, which owns Facebook, violated the nation’s Personal Information Protection Act by collecting and using data on users’ religious beliefs, political views, and same-sex marital status without proper consent. The sanctions include a corrective order, requiring Meta to take immediate steps to ensure compliance.

 

Sensitive Data Used for Targeted Ads

The PIPC’s investigation found that Meta collected sensitive information from roughly 980,000 South Korean Facebook users. The company then shared this data with around 4,000 advertisers. Meta analyzed users’ behavior—including page likes and ad interactions—to generate targeted advertising topics tied to religion, sexual orientation, and other sensitive traits. Some ad categories even included North Korean defector status. Under South Korean law, this type of information receives special protection. Companies may only process it when they have explicit consent or another clear legal basis. Investigators concluded that Meta failed to obtain that level of consent, instead relying on broad language in its Data Policy that did not meet statutory requirements.

Consent Failures and Limited User Access

Although Meta began adjusting its practices during the investigation—ending the collection of sensitive data in August 2021 and deleting sensitive ad categories in March 2022—the Commission said these changes did not resolve the violations. The PIPC also found that Meta declined users’ requests to access specific personal data, such as retention periods and consent history. Article 41 of the Enforcement Decree requires companies to disclose this information. The Commission determined that Meta’s refusal unjustifiably restricted users’ rights.

Security Oversight Allowed Unauthorized Account Access

Investigators identified a separate security failure involving an inactive account recovery page. Hackers used the page to submit fake identification documents and trigger password resets for other users. This flaw led to unauthorized access to ten accounts in South Korea. Regulators concluded that Meta failed to implement adequate safeguards to prevent these breaches.

PIPC Warns Global Companies Operating in Korea

The Commission’s decision sends a clear signal to multinational companies. PIPC Chair Koh Hak-soo stressed that global services operating in South Korea must comply with the country’s data protection rules. He noted that local standards apply fully to sensitive data and to user rights, including access to personal information. The corrective order issued to Meta requires the company to establish a legitimate basis for processing sensitive information, adopt stronger security controls, and respond properly to user access requests. The PIPC plans to monitor Meta closely and has committed to strict enforcement for global companies that serve South Korean users.

 

 
