PIPA Compliance
Configure your forms for South Korea's Personal Information Protection Act.
What is PIPA?
The Personal Information Protection Act (PIPA) is South Korea's comprehensive data protection law. Originally enacted on September 30, 2011, it was significantly amended in 2023 to strengthen enforcement powers and align with modern data protection standards. PIPA is widely regarded as one of the strictest data protection laws in Asia, comparable in rigor to the GDPR.
PIPA is enforced by the Personal Information Protection Commission (PIPC), an independent regulatory body with broad investigative and punitive authority. The PIPC has demonstrated a willingness to take aggressive enforcement action against both domestic and foreign organizations.
The law applies to any personal information processor — any individual, corporation, organization, or public body that processes personal information directly or through a third party. This includes:
- Organizations in South Korea — any entity processing personal information of individuals within the country.
- Organizations outside South Korea — if they process personal information of individuals in South Korea, regardless of where the processing takes place.
If your web form collects data from people in South Korea — even if your business is headquartered elsewhere — PIPA applies to you.
Consent requirements — granular and prescriptive
PIPA's consent requirements are notably more prescriptive than the GDPR. While the GDPR requires that consent be freely given, specific, informed, and unambiguous, PIPA goes further by dictating exactly what information must be included in the consent notice.
Before collecting personal information, the consent notice presented to the individual must include all of the following:
- Items of personal information collected — you must list the specific data fields (e.g., name, email address, phone number), not just categories.
- Purpose of collection and use — each purpose must be stated clearly, not bundled into vague language.
- Retention and use period — the exact timeframe for how long the data will be kept.
- Right to refuse consent — the individual must be informed that they can refuse.
- Consequences of refusal — you must explain what happens if consent is refused (e.g., inability to process the inquiry).
For web forms, this means your consent message should be specific and detailed. Instead of a generic "I agree to the privacy policy," use something like:
I consent to ZNX Ltd collecting my name, email address, and message for the purpose of responding to my inquiry. This data will be retained for 1 year and then deleted. I may refuse this consent, in which case my inquiry cannot be processed.
Consent for different purposes must be separately obtained. If you want to use submitted data for both responding to inquiries and sending marketing communications, you need two separate checkboxes — not one bundled consent.
What the PIPA preset configures
| Setting | Value | Why |
|---|---|---|
| Consent checkbox | Required | PIPA mandates specific, informed consent before any collection of personal information. The checkbox with a detailed notice serves as the consent mechanism. |
| IP anonymization | Yes | IP addresses are personal information under PIPA. Anonymizing the last octet reduces the scope of personal data stored and aligns with the data minimization principle. |
| User-agent storage | Enabled | User-agent strings assist with troubleshooting and fraud detection. They are not singled out for special treatment under PIPA. |
| Data retention | 365 days | PIPA requires that data be deleted once the retention period stated in the consent notice expires. One year is a reasonable default; adjust to match the period you disclose to users. |
| Privacy policy URL | Required | PIPA requires a publicly accessible privacy policy that details your data handling practices, third-party disclosures, and individual rights. |
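The following is an added example, not FormBlade's own code, of what a backend does with one submission under the preset settings above (and the separate-consent-per-purpose rule): it refuses the submission without inquiry consent, treats marketing consent as an independent checkbox, zeroes the last IPv4 octet, keeps the user-agent, and stamps a binding deletion date 365 days out. `PIPA_PRESET`, the field names and the IPv6 handling (zeroing the low 64 bits, which the page does not specify) are assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed mirror of the preset table; not FormBlade's real config object.
PIPA_PRESET = {
    "consent_required": True,
    "anonymize_ip": True,
    "store_user_agent": True,
    "retention_days": 365,
    "privacy_policy_url_required": True,
}

def anonymize_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address. For IPv6 (an assumption, the page
    covers only the last octet) zero the low 64 bits, the interface part."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.IPv4Address(int(addr) & ~0xFF))
    return str(ipaddress.IPv6Address(int(addr) & ~((1 << 64) - 1)))

def accept_submission(submission: dict, form_config: dict, now: datetime) -> dict:
    """Apply the preset to one raw submission. Raises ValueError when a PIPA
    precondition (privacy policy URL, consent) is missing; else returns the record to store."""
    if PIPA_PRESET["privacy_policy_url_required"] and not form_config.get("privacy_policy_url"):
        raise ValueError("form has no privacy policy URL")
    # Consent for the primary purpose is mandatory. Marketing consent is a separate
    # checkbox: it only adds the secondary purpose and never stands in for the first.
    if PIPA_PRESET["consent_required"] and not submission.get("consent_inquiry"):
        raise ValueError("inquiry consent not given; submission rejected")
    return {
        "fields": {k: submission[k] for k in ("name", "email", "message")},
        "purposes": ["inquiry"] + (["marketing"] if submission.get("consent_marketing") else []),
        "ip": anonymize_ip(submission["ip"]) if PIPA_PRESET["anonymize_ip"] else submission["ip"],
        "user_agent": submission.get("user_agent") if PIPA_PRESET["store_user_agent"] else None,
        "received_at": now,
        # Deletion date is binding: it must equal the period stated in the consent notice.
        "delete_after": now + timedelta(days=PIPA_PRESET["retention_days"]),
    }

def is_expired(record: dict, now: datetime) -> bool:
    """True once the retention purge must delete this record."""
    return now >= record["delete_after"]
```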
Set up the PIPA preset
Account level
1. Go to Account Settings in the sidebar.
2. Scroll to Compliance.
3. Select PIPA (South Korea) from the dropdown.
4. Click Save.
Per form
1. Open the form in your dashboard.
2. Go to the Compliance tab.
3. Select PIPA (South Korea) from the preset buttons or region dropdown.
4. Click Save.
Breach notification — 72 hours
One of PIPA's hallmarks is its strict breach notification requirement. When a personal information breach occurs, you must notify both the affected individuals and the PIPC within 72 hours of becoming aware of the breach.
The notification must include:
- What personal information was breached — list the specific data items that were compromised.
- When the breach occurred — the date and time, or best estimate if the exact time is unknown.
- What measures you have taken — the steps you have implemented to contain the breach and prevent recurrence.
- How affected individuals can minimize damage — practical advice such as changing passwords or monitoring accounts.
- Contact information for your privacy officer — a direct way for affected individuals to reach someone who can help.
The 72-hour window is tight. To prepare, keep an incident response plan ready with pre-drafted notification templates and clear internal escalation procedures. Know in advance who your privacy officer is and how to reach the PIPC.
De-identification and anonymization
PIPA has detailed rules distinguishing between pseudonymization and anonymization, which were clarified in the 2023 amendments.
Anonymized data — data that has been processed so that an individual can no longer be identified, even when combined with other information — is exempt from PIPA entirely. Once data is truly anonymized, it is no longer personal information and can be used freely.
Pseudonymized data — data where identifying elements have been replaced with artificial identifiers, but the original identity could be reconstructed with additional information — receives special treatment:
- It can be processed for statistical purposes, scientific research, and public interest archiving without obtaining separate consent.
- However, it must be handled with appropriate safeguards: access controls, separation of the re-identification key, and technical measures to prevent unauthorized re-identification.
- Pseudonymized data must not be used to re-identify individuals. Attempting to do so is a violation of PIPA.
For form backends, this distinction matters when you aggregate submission data for analytics or reporting. Removing names and email addresses from an export does not automatically make it anonymous — if the remaining fields (timestamps, IP addresses, free-text responses) could identify someone when combined, the data is pseudonymized, not anonymized.
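An added example (not FormBlade's export code) of building a pseudonymized analytics export from submissions the way the bullets above require: direct identifiers are replaced by keyed HMAC tokens, the token-to-identity map is returned separately so it can be stored under its own access controls as the re-identification key, and the quasi-identifiers the paragraph names (IP, exact timestamp, free text) are dropped or coarsened. The sample rows, field names and key are constructed.

```python
import hashlib
import hmac

# Constructed sample submissions; not real data.
SUBMISSIONS = [
    {"name": "Kim Minji", "email": "minji@example.com", "ip": "203.0.113.5",
     "submitted_at": "2024-03-04T09:12:33", "message": "Question about pricing"},
    {"name": "Kim Minji", "email": "Minji@example.com", "ip": "203.0.113.5",
     "submitted_at": "2024-03-04T17:40:01", "message": "Follow-up"},
    {"name": "Lee Joon", "email": "joon@example.com", "ip": "198.51.100.9",
     "submitted_at": "2024-03-05T11:02:17", "message": "Bug report"},
]

DIRECT_IDENTIFIERS = ("name", "email")

def pseudonym(value: str, key: bytes) -> str:
    """Keyed token: stable for the same value, not reversible without `key`."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize_export(rows, key: bytes):
    """Return (export_rows, reidentification_map).
    The map is the re-identification key that must live apart from the export,
    behind its own access controls; the export rows are what analytics sees."""
    export, reid = [], {}
    for r in rows:
        token = pseudonym(r["email"], key)
        reid[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        export.append({
            "subject": token,
            # Coarsen the timestamp to a date and drop the IP: combined, they
            # could single a person out even with name and email removed.
            "date": r["submitted_at"][:10],
            # Free text can carry identity; keep only a statistic about it.
            "message_len": len(r["message"]),
        })
    return export, reid

def submissions_per_subject(export) -> dict:
    """Aggregate statistic that the stable token makes possible without identities."""
    counts = {}
    for row in export:
        counts[row["subject"]] = counts.get(row["subject"], 0) + 1
    return counts
```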
Cross-border transfer
PIPA imposes specific requirements on transferring personal information outside South Korea. You must satisfy one of the following conditions:
- Consent — the individual has been informed of the transfer destination, the recipient, and the purpose, and has given separate consent to the transfer.
- Contract necessity — the transfer is necessary to perform a contract with the individual (e.g., delivering a service they requested).
- Adequate protection — the destination country or recipient has been recognized by the PIPC as providing an adequate level of protection.
- Standard contractual clauses — the transfer is covered by PIPC-approved standard contractual clauses between the data exporter and importer.
Regardless of which mechanism you use, the cross-border transfer must be disclosed in your privacy policy. The disclosure should include the country of destination, the name of the recipient, and the purpose of the transfer.
Children's data — guardian consent required
PIPA defines a child as anyone under 14 years old. When collecting personal information from children under 14, you must:
- Obtain consent from a legal guardian before collecting any personal information. The child's own consent is not sufficient.
- Verify the guardian's identity — you must take reasonable steps to confirm that the person providing consent is actually the child's legal guardian. A simple checkbox is not sufficient.
- Minimize collection — collect only the minimum personal information necessary. Do not request information beyond what is required for the stated purpose.
If your form is intended exclusively for adults (e.g., business inquiries, job applications), these rules are less likely to apply. However, if your form is on a site that children may visit — educational platforms, gaming sites, general-purpose contact forms — you should implement age verification and guardian consent mechanisms beyond what FormBlade's compliance preset provides.
Penalties — criminal and administrative
PIPA's enforcement regime is one of the most aggressive among data protection laws worldwide. Unlike the GDPR (which imposes only administrative fines) or the DPDPA (which imposes only monetary penalties), PIPA includes both criminal and administrative penalties.
Criminal penalties
- Up to 5 years' imprisonment or a fine of up to 50 million KRW (approximately $37,000 USD) for serious violations, including unauthorized use or disclosure of personal information, obtaining personal information through deception, and unauthorized destruction or alteration of personal information.
- Criminal liability can apply to individuals within an organization, not just the organization itself.
Administrative fines
- The 2023 amendment introduced revenue-based fines of up to 5% of relevant revenue, bringing PIPA closer to the GDPR's penalty model.
- The PIPC can also issue corrective orders, including suspension of processing, deletion of data, and public disclosure of violations.
Enforcement track record
The PIPC has a strong enforcement track record. It has imposed significant fines on both domestic South Korean companies and foreign technology companies for violations including insufficient consent mechanisms, inadequate breach notification, and unauthorized cross-border transfers. The possibility of criminal prosecution makes PIPA violations a serious matter for individuals in leadership and compliance roles.
Practical recommendations
To ensure your forms are PIPA compliant, take these steps:
- Apply the PIPA preset. This configures consent, IP anonymization, retention, and privacy policy requirements to align with PIPA's core obligations.
- Write a detailed consent notice. List the specific data fields you collect, the purpose for each, the retention period, the right to refuse, and the consequences of refusal. This is not optional under PIPA — a vague notice invalidates the consent.
- Separate consent by purpose. If you use form data for multiple purposes (e.g., responding to inquiries and sending newsletters), use separate checkboxes for each purpose.
- Disclose cross-border transfers. If your form data is processed outside South Korea (as it will be on FormBlade's EU servers), state the destination country, recipient, and purpose in your privacy policy.
- Prepare a breach response plan. The 72-hour notification window is strict. Have notification templates, escalation contacts, and PIPC reporting procedures ready before you need them.
- Appoint a privacy officer. PIPA requires personal information processors to designate a Chief Privacy Officer (CPO) responsible for data protection compliance. This person's contact information must be in your privacy policy.
- Set an accurate retention period. The retention period you state in your consent notice is binding. If you tell users their data will be kept for one year, you must delete it after one year. FormBlade's automatic retention purge handles this — just ensure the configured period matches what you disclose.
- Audit forms accessible to children. If children under 14 might use your form, implement guardian consent verification. A simple age-gate checkbox is not sufficient under PIPA.