Frequently Asked Questions
PIPA · GDPR · CCPA disclosure, cookies, children and updates.
- Q1. How do PIPA and GDPR differ?
- PIPA relies primarily on explicit consent and applies to every controller in Korea. GDPR allows six legal bases (consent, contract, legal obligation, vital interests, public task, legitimate interests). PIPA requires disclosure of business registration and DPO; GDPR requires controller contact and legal basis. Global services combine both.
- Q2. Must I disclose cookies separately?
- Yes. The April 2025 PIPC guideline requires disclosing each automated-collection tool (Google Analytics, Meta Pixel, Hotjar, etc.) individually. For EU visitors, ePrivacy also mandates a prior opt-in consent banner for non-essential cookies.
- Q3. Does using AWS or GCP count as an international transfer?
- Yes. If data is stored or processed outside Korea, PIPA Art. 28-8 requires you to disclose the country, recipient, items and retention. This includes AWS us-east-1, GCP us-central1 and Cloudflare’s global network. A lawful basis (consent, adequacy decision, SCCs, etc.) must also be in place.
- Q4. What if I process data of children under 14?
- You must obtain verifiable legal-guardian consent (Korea PIPA Art. 22-2) and provide a way to verify that consent. Add a dedicated section describing guardian rights (access, correction, deletion, restriction). For US users under 13, COPPA applies.
- Q5. Do I need to collect consent again when I update the policy?
- It depends. Minor wording fixes only need a 7-day advance notice. Material changes (new third-party sharing, new processor, new transfer destination, new categories/purposes) require separate prior consent.
- Q6. Can I collect Resident Registration Numbers (RRN)?
- Only when a Korean statute specifically permits it (PIPA Art. 24-2). Sign-up or generic KYC is not sufficient. Where collection is required by law, you must still offer alternative verification (mobile auth, i-PIN) first.
- Q7. Where must I publish the privacy policy?
- On the main screen or a screen reachable in one click/tap, using the exact label "Privacy Policy" (개인정보처리방침). Ensure it is visually distinguishable from other documents such as Terms of Service.
- Q8. Does CCPA only apply to California residents?
- Legally yes, but global services usually include a dedicated "California residents" section. If you sell or share personal information, a "Do Not Sell or Share My Personal Information" link must always be visible.
- Q9. Do I need a privacy policy if I only collect emails?
- Yes. Even collecting only an email address makes you a controller. You must disclose at minimum the items collected, purpose, retention period, and withdrawal mechanism.
- Q10. Do I need a separate notice for Google Analytics 4?
- Yes. The 2025 PIPC guideline requires listing each automated-collection tool individually, including GA4: measurement ID, purpose (service analytics), cookie lifetime and the opt-out link (https://tools.google.com/dlpage/gaoptout).
- Q11. Who should be the Data Protection Officer (DPO)?
- Under PIPA Art. 31, the owner/representative or the executive overseeing personal-information handling is appointed. Small businesses may designate the representative themselves — just make sure the email/phone actually works.
- Q12. Should I use HTML or PDF export?
- HTML is easiest to embed on your website (styling included). PDF is ideal for contracts, IR and public filings. Markdown pastes cleanly into GitHub README, Notion or other developer-doc platforms.
- Q13. Where is my input stored?
- Only in your browser's localStorage. Nothing is uploaded to a server and no account is required. Clearing browser data deletes it. The same device and browser will auto-restore your input on the next visit.
- Q14. Is the output legally binding?
- This generator reflects the April 2025 PIPC guideline plus common GDPR/CCPA requirements. It cannot account for niche circumstances (pseudonymised data, MyData, regulated financial or medical services), so a final review by qualified counsel is strongly recommended.
- Q15. How do I use the bilingual output?
- Global SaaS and e-commerce services typically host the Korean version at /privacy and the English version at /privacy/en. The generator's "한국어 + English" mode combines both into one document, which is handy for PDFs and printed materials where a single source of truth is needed.