Mobile App 3 Major Vulnerability Areas Inspection
Compliance Check with Personal Information Protection Act

Leaking Personal Information... 11 Types of Deceptive Design Discovered

As a result of inspecting dark patterns in mobile applications such as online shopping, social networking services (SNS), and games, it was confirmed that such patterns appeared at all stages of personal information processing, from the registration phase to usage and withdrawal.


On the 11th, the Personal Information Protection Commission announced that it conducted a personal information status inspection on three major vulnerable areas appearing in mobile apps: dark patterns, overseas transfer, and protection of personal information of children and adolescents.


The inspection revealed 11 representative types of dark patterns related to the protection of users' personal information. Among the dark pattern types discovered by the Commission were cases where consent for the collection and use of personal information was not obtained separately but was instead bundled into consent to the full text of the privacy policy and terms of use. It was also identified that optional consent items, such as marketing information provision and personal information sharing, were pre-enabled by default, so that users had to enter the personal information settings screen to check and change them, or that users could not verify or modify the personal information they had entered at the time of registration.


The Commission presented 11 representative cases: at the registration stage, ▲ blanket consent or deemed consent ▲ inappropriate default settings ▲ use of misleading phrases ▲ expressions that are significantly unbalanced and impair readability ▲ hiding information; at the usage stage, ▲ inability to manage personal information afterward ▲ forced additional consent for optional items ▲ persistent and repetitive consent requests ▲ forced cookies for personalized advertising; and at the withdrawal stage, ▲ withdrawal obstruction ▲ appeals to emotions.


The number of domestic application services transferring personal information overseas increased from 696 in 2022 to 769 last year. Personal information was mainly transferred to the United States, Japan, Singapore, etc., and due to the use of cloud services, it was transferred to Amazon Web Services, Google Cloud, and others. However, the proportion of consignment types for customer service consultation and complaint handling purposes, which involve overseas transfer of personal information, decreased from 66.6% to 55.6% during the period. In contrast, the type of information provision for advertising and statistical analysis increased significantly from 11.9% to 32%.


A focused inspection was also conducted on compliance with the Personal Information Protection Act and the guidelines for protecting personal information of children and adolescents. As a result of investigating 20 apps frequently used by children and adolescents, it was found that most had procedures to verify age under 14, but measures to prevent false age entry were insufficient.


Some overseas apps set the age criterion for children at under 13 years old. Additionally, although the guidelines for protecting personal information of children and adolescents recommend providing privacy policies in an easy-to-understand manner and setting a high level of personal information protection as the default, overall compliance was found to be insufficient except for a few cases. While guidance on various rights exercise procedures is recommended, it was generally found lacking except for some operators.


A Commission official stated, "Based on the results of this status inspection, we plan to organize and guide major app operators on proper personal information collection and use matters and precautions for users during app service development and operation." They added, "Separately, for major violations of the Personal Information Protection Act, we will initiate investigations after additional fact verification, and for minor issues, we will encourage prompt improvements through guidance measures in cooperation with related agencies."


Meanwhile, the Commission also inspected compliance with the Personal Information Protection Act for the top 5,000 mobile apps with high usage rates. Among 39 inspection items (8 for collection, 23 for use and provision, 2 for protection measures, and 6 for user rights), the non-compliance rate for failing to meet even one item was 69.5% last year, improving by 10.7 percentage points from 80.2% in 2022.


However, in some apps, notifications regarding third-party provision and destruction procedures in the privacy policy were insufficient, and many cases were identified where some items were not notified or blanket consent was obtained through the privacy policy. Furthermore, visibility guidance on rights exercise procedures to ensure data subjects clearly understand and exercise their rights was also lacking.



The Commission plans to initiate investigations on major violations after additional fact verification and to encourage voluntary and prompt improvements through guidance measures in cooperation with related agencies.


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.