The Changing Landscape of Cookie Laws in APAC
How are Cookie laws changing in APAC?
We recently covered the move away from the use of third-party tracking cookies (in our article on how cookies are losing their flavour). Big tech companies, including Google, Facebook, and Apple, are already contemplating how they will adapt to a world without third-party cookies – and regulators are increasingly turning their head to the issue, too.
In the Asia Pacific region, some regulators are now joining the game, turning their attention to cookies, introducing changes specifically directed at certain cookies and making their use more difficult. However, this is not uniform and for many jurisdictions, cookies still need to be considered under general privacy regulation.
Cookie laws in Australia
Australian privacy law does not include any specific regulation of cookies.
In October 2021, the Federal Government released a discussion paper covering many possible changes to the Privacy Act which included a proposal to clarify that the definition of personal information captures technical data and other online identifiers, including cookies. If converted into regulation, it will clarify the application of the Privacy Act to cookies in Australia without lifting the bar for their use.
Cookie laws in Singapore
Currently under Singapore’s Personal Data Protection Act, there are no specific requirements relating to cookies. However, an organisation is obliged to comply with the PDPA if it engages in the collection, use or disclosure of personal data – including online.
Cookies probably fall under the general obligations of the PDPA since it defines personal data very broadly. If the PDPA does apply, an organization must think about obtaining consent before use of any cookies that collect personal information from individual.
Cookie laws in China
In August 2021, the People’s Republic of China enacted a sweeping national data privacy law, the Personal Information Privacy Law (PIPL. The law will come into effect on November 1.
Cookie laws in India
Cookie laws in South Korea
South Korea’s Personal Information Protection Act 2011 (PIPA) is a national comprehensive privacy law – and one of the strictest privacy regimes in the world. In South Korea, cookies are considered to be personal information where they may enable the identification of a specific individual person, including when the information is combined with other information. If the cookie contains personal information, then consent must be obtained.
Cookie laws in Japan
Japan’s national privacy law, the Act on the Protection of Personal Information (APPI), governs the handling of personal information in Japan and extraterritorially. Cookies are not directly regulated under the APPI, however any personal data collected by an organisation (including through cookies) is covered.
- makes it possible for an organisation to identify a data subject when the information collected can be easily referenced to other accessible information, such as a membership or registration, and
- is used by the organisation;
The APPI is subject to review every three years and was amended in 2020 following the triennial review. While it is yet to be confirmed, it is likely that consent will be required in the future in circumstances where online identifiers (including cookies):
- are provided to third parties, and
- the third party may identify an individual based on the information provided to them.
These requirements are stricter than the existing law.
It is worth noting that the Japan amendments are directed at third party cookies, where information will be shared with third parties (typically for analytics and marketing purposes).
The amended APPI will come into force on 22 of April 2022. You can read more here.
This blog contains general information. Although every effort has been made to ensure accuracy it should not be relied on as legal advice.