Practical Guidance: Why Privacy Settings Can’t be Set to “Consent” by Default

On September 14, South Korea’s Personal Information Protection Commission (the “Commission”) announced it will levy more than $70 million in fines against Alphabet Inc.’s Google (Google) and Facebook’s parent Meta Platforms Inc. (Meta) over alleged privacy violations. According to the Commission, these companies collected and utilized personal information for targeted advertising without obtaining user consent.

The Wall Street Journal reports that Google failed to inform South Korean consumers about the collection of their personal information when they entered their data into new account signup pages. Additionally, the data storage settings were limited in scope at the time, and the setting for consent had been set to “agree” by default since 2016. Similarly, Facebook’s new account sign-up page did not disclose the intended uses of a person’s data and did not request consent for this usage.

According to Yoon Jong-in, chairperson of the Personal Information Protection Commission, “accumulation of user-specific data collection activities can result in serious privacy violations . . . In that respect, we consider these acts to be grave violations.”

Due to the seriousness of their alleged violations, Google will be fined 69.2 billion won, which is the equivalent of $49.6 million, and Meta will be fined 30.8 billion won, which is the equivalent of $22.1 million. Additionally, the Commission ordered the companies to ensure that users can “easily and clearly” understand and exercise their consumer rights to their personal information.

In response, Google and Meta have released statements. Google’s spokesperson reportedly stated, “we’ve always demonstrated our commitment to making ongoing updates that give users control and transparency, while providing the most helpful products possible. We remain committed to engaging with the PIPC to protect the privacy of South Korean users.”

A Meta spokesperson said “while we respect the commission's decision, we are confident that we work with our clients in a legally compliant way that meets the processes required by local regulations. As such, we do not agree with the commission's decision, and will be open to all options including seeking a ruling from the court.”

The Commission is not the only regulator internationally to take action against data privacy violations. On September 15, 2022, Ireland’s Data Protection Commission issued a €405 million fine against Instagram for allegedly mishandling data relating to children. It is reportedly the second largest fine the European Union has ever assessed.

As such, organizations should be sure to comply with all applicable data practices and guidance to ensure that their business can be shielded from similar regulatory scrutiny.
