South Korea

Is consent needed for cookie collection?

Prior consent
Requirement
Opt-in
Consent type
3 years
Record retention
KRW 30M
Max fine
The Short Answer

Yes, explicit consent is required before collecting or using cookies in South Korea, except for strictly necessary cookies.

What the Law Says

South Korea’s primary law governing cookies is the Act on Promotion of Information and Communications Network Utilization and Information Protection (the “Network Act”). It treats non-essential cookies as personal information requiring user consent.

Under the Network Act, operators must obtain prior, explicit (opt-in) consent before installing or using cookies that collect personal information — including identifiers like device IDs or tracking pixels — unless the cookies are strictly necessary for service delivery (e.g., login session cookies).

Consent must be informed: users must be clearly notified about the purpose, type, duration of storage, and third-party sharing of collected data. Pre-ticked boxes or implied consent (e.g., continued browsing) do not satisfy the legal standard.

Operators must retain records of consent for three years and allow users to withdraw consent easily at any time. Violations may result in administrative fines up to KRW 30 million.

Statutory Text

No person shall collect or use personal information without first obtaining the consent of the information subject.

Act on Promotion of Information and Communications Network Utilization and Information Protection, s. 44 — Collection and Use of Personal Information
Statutory Text

The provider of information and communications services shall notify the user of the purpose, method, and period of storage of personal information collected through cookies, and obtain the user’s consent thereto.

Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, s. 21-2 — Cookies

What to Do

1

Provide a clear, layered cookie notice explaining what cookies are used, why, and who they’re shared with.

2

Implement an opt-in mechanism (e.g., toggle switches or ‘Accept’ button) — no pre-checked boxes.

3

Record consent timestamps, user selections, and version of the notice for at least 3 years.

4

Offer easy withdrawal of consent (e.g., cookie preference center accessible from every page).

5

Exclude strictly essential cookies (e.g., shopping cart tokens) from consent requests — but document why each is exempt.

Sources

statuteAct on Promotion of Information and Communications Network Utilization and Information Protection, s. 44 — Collection and Use of Personal InformationstatuteEnforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, s. 21-2 — Cookies

Same Question, Other Jurisdictions

GermanyIrelandEuropean UnionUKCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.