The government told Coupang, where the personal information of 33.7 million people was leaked, to improve its complex account deletion process.
The Personal Information Protection Commission said it held its 26th plenary meeting on the afternoon of the 10th to review Coupang's personal information protection response and handling practices, and demanded improvements on multiple issues.
The Personal Information Protection Commission took issue with Coupang's terms of service revised last month. Coupang added a disclaimer to the revised terms stating that it "is not responsible for damages caused by a third party's illegal access to the server." The Personal Information Protection Commission determined that this clause could conflict with the purpose of the Personal Information Protection Act and could confuse users.
Under the Personal Information Protection Act, a personal information controller must take the technical, administrative, and physical measures necessary to ensure security so that personal information is not leaked, and, if damage occurs due to a violation of the law, the controller must prove the absence of intent or negligence. The Personal Information Protection Commission will demand that Coupang improve its terms and will also submit related opinions to the Fair Trade Commission, the ministry in charge of terms.
The Personal Information Protection Commission also found that Coupang made the account deletion process complex and operated it so the deletion menu was hard to find. In particular, for "Wow Membership," a paid service, it said Coupang made membership cancellation a mandatory condition for account deletion, required users to go through multiple steps to cancel, and made the process difficult by reconfirming the intent to cancel. Some members were found to be unable to cancel until the remaining membership period ended.
The Personal Information Protection Commission (PIPC) viewed this as potentially violating Article 38, Paragraph 4 of the protection act, which requires that the method and procedure for requesting suspension of personal information processing or withdrawal of consent must not be more difficult than the method and procedure for collection. It therefore demanded that, to guarantee users' exercise of their rights, Coupang simplify the deletion process and disclose it in a way that is easy to find.
It also said that notification of the personal information leak and measures to prevent secondary damage should be improved. On the 3rd, in accordance with the Personal Information Protection Commission's emergency resolution, Coupang changed the term "exposure" of personal information to "leak," issued a new notice including leaked items that had been omitted, such as shared entrance passwords, and posted a notice on its website and app.
It also urged the company to strengthen its own monitoring and rapid response system regarding allegations that Coupang account information is being distributed on the internet or the dark web. The Personal Information Protection Commission required Coupang to submit the results of measures taken on these demands within seven days. A Personal Information Protection Commission (PIPC) official said, "We will closely investigate the circumstances of the leak and any legal violations, and will impose stern sanctions if violations are confirmed."