For foreign companies operating globally, determining where your legal liabilities lie is a complex challenge. In South Korea, the Personal Information Protection Act (PIPA) can apply extraterritorially. In other words, you do not need a physical office in Seoul to be subject to Korean privacy rules if you are providing services to people in Korea or meaningfully affecting them.
The Personal Information Protection Commission (PIPC) uses specific criteria to assess whether a foreign operator falls under PIPA. Below is a practical compliance checklist, plus examples aligned with regulator guidance, to help you evaluate whether your business is targeting or directly impacting users in Korea.
Related reading: If you need background on the law itself, see our guide to the South Korea Personal Information Protection Act (PIPA). If you may need local representation, review our article on PIPA Domestic Agent requirements for foreign companies.
The Core Test: Are You “Targeting” Korea?
The primary trigger for PIPA application is whether a foreign operator provides goods or services to Korean data subjects. A “Korean data subject” generally refers to an individual who resides in Korea or uses services within Korea, regardless of nationality.
Regulators look closely at intent. If your business is actively courting Korean users (through localization, market access, or Korea-facing operations), PIPA is likely to apply.
✅ Checklist: Indicators of targeting
If your business engages in any of the following, PIPA likely applies.
1) Language and domains
- The check: Do you operate a website using a Korean country-code domain (e.g., .kr) or a Korea-specific path (e.g., /ko, /kr)?
- The check: Do you offer a Korean-language version of your website or app?
Example: A global gaming company releases an app from Europe. If it sets the default language to Korean, or allows users to select “Korean” in settings, this indicates targeting Korean data subjects.
Example: A website includes South Korea in a “Select your country” dropdown menu; this can support an inference of Korea-facing service provision.
2) Currency and payment
- The check: Do you accept payments in Korean Won (KRW)?
- The check: Do you provide settlement or payment options tailored to the Korean market?
3) App stores and platforms
- The check: Is your mobile application available for download in the Korean region of the Apple App Store or Google Play?
4) Customer support and marketing
- The check: Do you provide customer service (email, chat, phone) in Korean?
- The check: Do you run digital advertising campaigns targeting Korean users (e.g., Korea-based audiences, Korean IP ranges, Korean-language creatives)?
Example: A travel booking site uses a chatbot that greets users in Korean (“안녕하세요”) and handles inquiries in Korean. This is a strong indicator of intent to serve the Korean market.
5) Logistics and shipping
- The check: Do you offer direct shipping to addresses in South Korea?
Example: An e-commerce platform lets users select “Korea” in a “Ship to” menu and enter a distinct Korean address format (e.g., Seoul, Dobong-gu). This supports a finding that services are being provided to Korea.
The Secondary Test: Direct and Substantial Impact
Even if you do not directly sell goods or services to Korean consumers, PIPA may still apply if your processing has a direct and substantial impact on individuals located in Korea.
6) Publishing personal data
- The check: Do you collect and publish personal information of individuals located in Korea?
Example: A foreign website runs a “digital pillory” or “bad actor” list and publishes names, photos, or addresses of people living in Korea. Even without selling a service to those individuals, the rights impact can be substantial, triggering PIPA application.
7) B2B services and API integration
- The check: Do you provide backend services (APIs, cloud tools, analytics, AI tools) to Korean companies that process their users’ data?
Example: A US-based company provides a chat API to a Korean shopping mall, processing chat logs and customer profiles. The US company may be subject to PIPA as an “entrusted” processor handling Korean data subjects’ information.
Example: A foreign AI provider receives customer data from a Korean partner to train an AI model. The foreign company may be subject to PIPA for how it manages, protects, and uses that transferred data.
The Presence Test: Place of Business
8) Physical presence
- The check: Do you have a branch office, liaison office, or subsidiary in Korea?
If you have a physical presence involved in personal data processing, PIPA is likely to apply. Note that even where a Korean subsidiary exists, if the foreign parent company is the entity actually collecting and controlling the data (e.g., a global platform), the foreign parent can remain the primary regulated entity, while the local entity may have additional obligations.
❌ When Does PIPA NOT Apply?
It is equally important to understand when you are not subject to the law. PIPA generally does not apply in cases of incidental use where there is no intent to target Korea and no direct/substantial impact.
1) Incidental offline use
Example: A Korean tourist stays at a hotel in Paris. The hotel collects passport data as part of an offline foreign transaction. PIPA generally does not apply because the service is provided offline in a foreign country.
2) Third-party shipping (forwarding)
Example: A Korean user buys products from a US website that does not ship to Korea (Korea is excluded from shipping). The user separately hires a freight forwarder. PIPA is less likely to apply to the US website based on shipping alone because the operator is not offering Korea delivery as part of its service.
3) Explicit blocking
Example: A streaming service blocks Korean IP addresses and does not release its app in the Korean app store. A user bypasses the block via VPN. PIPA generally does not apply because the operator actively excluded the Korean market.
4) Mere accessibility
Example: A website is English-only, accepts only USD, and offers no Korea shipping or Korea-facing services. The fact that a Korean user can technically visit the site is not, by itself, enough to trigger PIPA.
Summary Table: Am I Covered?
| Scenario | PIPA Application? |
|---|---|
| You have a website on a .kr domain or a Korea-specific path such as /ko or /kr. | YES |
| You run ads targeting Korean users. | YES |
| You ship directly to Korean addresses. | YES |
| You provide a B2B API that processes Korean user data. | YES |
| You have no Korean support/shipping, but a Korean user visits your English site. | NO |
| You actively block Korean IPs. | NO |
| You serve a Korean tourist offline in your home country. | NO |
Next Steps
If you answered YES to any “Targeting” or “Impact” checks above, your company may be treated as a personal information controller (or otherwise regulated processor) under South Korean law. In practice, you should plan to:
- Publish a privacy policy in Korean that reflects your actual data processing and transfers.
- Assess whether you must appoint a Domestic Agent, especially if you have no Korea office and meet applicable sales/user thresholds.
- Confirm your legal basis for processing and cross-border transfers (often consent, depending on context), and document controls with vendors and partners.
To go deeper on local representation and practical implementation, see our detailed guide on Korea PIPA Domestic Agent requirements for foreign companies. If you need end-to-end support, you can also use the same page to review our Domestic Agent service offering.
Disclaimer: This checklist is provided for informational purposes based on regulator guidance and common enforcement logic. It does not constitute legal advice. Applicability may vary depending on your specific business model and evolving regulatory interpretations.

