Graphics by Yang In-sung

Meta, the U.S.-based parent company of Facebook and Instagram, has been fined approximately 21.6 billion won (around $15.43 million) for using sensitive personal information from 980,000 Facebook users in South Korea for targeted advertising. The data included details such as users’ religious beliefs, political views, and sexual orientation. Although Meta and other tech giants like Google have faced penalties in the past for collecting user activity without consent for targeted ads, this is the first case involving the misuse of such sensitive personal data.

South Korea’s Personal Information Protection Commission (PIPC) announced the 21.6 billion won fine on Nov. 5, along with an additional administrative penalty of 10.2 million won (about $7,200), for Meta’s violations of the Personal Information Protection Act.

Graphics by Yang In-sung

This fine is the third-largest ever imposed by the PIPC. The commission issued its highest penalty of 69.2 billion won to Google in 2022, while Meta itself received the second-largest fine of 30.8 billion won that same year for tracking user activity on third-party websites linked to Facebook accounts without consent.

According to the PIPC, Meta collected and monetized sensitive personal information from nearly one million South Korean Facebook users between July 2018 and March 2022. This data included information on users’ religious affiliations, political preferences, status as North Korean defectors, and same-sex relationship statuses. Over 4,000 advertisers used this information for targeted advertising.

Facebook users can input details like religion and relationship status in their profiles, which Meta reportedly leveraged for personalized ads. The PIPC’s investigation also found that Meta analyzed users’ “likes” on Facebook posts to refine ad targeting. A representative from the commission explained that Meta organized users globally into 97,000 distinct categories for “micro-targeted ads.” For instance, if an organization focused on economic cooperation between North and South Korea requested ads aimed at North Korean defectors, Meta would deliver the ad to users in the “North Korean defector” category.

The PIPC ruled that Meta’s actions violated South Korea’s data protection laws. Under the country’s Personal Information Protection Act, companies must obtain explicit consent to use sensitive information, such as religious beliefs or political views. However, Meta reportedly did not seek specific user consent. The PIPC representative further noted that while Meta’s “Data Policy” page broadly mentioned data collection, it failed to clearly specify the types of data collected or the purposes behind their use.