Privacy Policy Guide (PIPA · GDPR · CCPA)

Writing a bilingual privacy policy for a Korean service with global users.

1. Scope & triggering laws

  • Korea PIPA: applies to every personal information controller; the PIPC updated the official drafting guideline in April 2025.
  • EU GDPR: applies when you offer goods/services or monitor behaviour of EEA data subjects.
  • CCPA/CPRA: applies to California residents if your business meets the revenue, volume or sale/share thresholds.

2. Required PIPA sections (Article 30)

  1. Purposes of processing
  2. Categories of personal information
  3. Retention and use period
  4. Sharing with third parties
  5. Outsourcing / processors (Art. 26)
  6. Data subject rights and how to exercise them
  7. Security measures (Art. 29)
  8. Data Protection Officer (name, department, contact)
  9. Cookies & automated collection
  10. International transfers (Art. 28-8)

The April 2025 PIPC guideline adds explicit requirements to disclose (a) each cross-border transfer with country, recipient and safeguards, (b) each automated collection tool individually (GA4, Meta Pixel, Hotjar, etc.), and (c) any pseudonymised processing.

3. Mapping to GDPR

  • Art. 13/14: controller identity, purposes and legal bases, recipients, international transfers, retention, rights, right to complain.
  • Art. 6 legal bases: consent, contract, legal obligation, legitimate interests, vital interests, public task.
  • Art. 44–49 transfers: adequacy, SCCs, BCRs or explicit consent.

4. CCPA/CPRA disclosure

  • Categories of personal information collected in the previous 12 months.
  • Whether you sell or share (contextual ads included) and a "Do Not Sell or Share My Personal Information" link.
  • Right to limit the use of Sensitive Personal Information.
  • Non-discrimination and verification of requests (45 days, extendable once).

5. Cookies & automated tools

PIPA recommends disclosure and consent for non-essential cookies; ePrivacy (EU) requires prior opt-in for non-essential cookies. Disclose every tool individually (Google Analytics 4, Meta Pixel, Hotjar, Naver Analytics, Sentry, etc.).

6. Children

  • Korea PIPA Art. 22-2: legal-guardian consent for children under 14.
  • US COPPA: parental consent for children under 13.
  • GDPR Art. 8: age of digital consent is between 13 and 16 depending on the member state.

7. Retention

  • Destroy without delay once the purpose is achieved (PIPA Art. 21).
  • Korean e-Commerce Act mandates 5 years for contract/payment records, 3 years for complaint records, 6 months for display records.
  • Telecom Secrets Protection Act: 3 months for website visit logs.

8. Update cadence

  • Minor edits: 7-day advance notice (PIPA guideline 4.1).
  • Material changes (new recipient, new transfer destination, new category): 30-day notice or renewed consent.
  • Review at least once or twice a year and immediately after adding new processors or tools.

9. Penalties

  • PIPA Art. 30 violation: up to KRW 10,000,000 administrative fine.
  • Unauthorised third-party sharing: up to 5 years imprisonment or KRW 50,000,000 fine.
  • GDPR: up to €20m or 4% of global turnover (higher tier).
  • CCPA: USD 2,500 per violation, USD 7,500 for intentional violations (AG enforcement).
