The Personal Information Protection Commission (PIPC) has decided to recommend that Coupang, which caused a personal information leak affecting 33.7 million people, simplify its membership withdrawal procedures. The commission also recommended improvements to clauses stating that Coupang bears no liability in the event of hacking.
The PIPC made these decisions at the 26th plenary session held on Dec. 10. The commission first confirmed that Coupang had made membership withdrawal procedures complicated and withdrawal menus difficult to find. The commission regarded the way Coupang's withdrawal procedure is set up as potentially violating the Personal Information Protection Act, which stipulates that “withdrawal shouldn’t be tougher than registration,” and decided to recommend that the procedure be simplified.
After criticism poured in that Coupang had made membership withdrawal procedures difficult following the personal information leak incident, the company recently made some improvements. It eliminated the “move to PC version” step, allowing withdrawal from the mobile app without moving to the PC version, and changed subjective surveys from mandatory to optional.
However, the PIPC judged that the membership withdrawal procedures still had not been sufficiently improved. According to the commission’s investigation, Coupang’s membership registration requires only 3 steps: selecting the membership registration button, agreeing to personal information collection and use, and entering information to complete registration. In contrast, the withdrawal procedure requires more than 7 steps. In particular, even after the improvements were applied, finding the withdrawal button alone requires 3 steps (My Coupang, member information modification, password entry), making it practically difficult to even enter the withdrawal procedure. A PIPC official said, “If someone is a Wow membership member, they must exit the withdrawal process, undergo the Wow membership cancellation process first, then return to complete withdrawal,” adding, “While the 7-step process has been improved, we determined it was not adequate.”
Following this decision, Coupang must notify the PIPC of the results of its actions within 7 days of receiving the decision notification. If the commission judges that the results are still insufficient or that the actions were not properly implemented, it may subsequently take measures including corrective orders and fines.
The commission also recommended improvements to the terms of use. Coupang established an exemption clause in November last year stating it would not be liable for damages caused by illegal access by third parties such as hacking. The PIPC views this as potentially violating several provisions of the Personal Information Protection Act and plans to recommend improvements as well as present its opinion to the Fair Trade Commission, the competent authority for terms and conditions.
The PIPC also urged Coupang to strengthen its response systems so that leaked account information does not circulate on the internet or dark web and cause secondary damage. The commission stated, “Recognizing the severity of this large-scale leak incident, we’re intently investigating the circumstances of the leak and legal violations,” adding, “If Coupang’s legal violations are confirmed, we plan to impose strict sanctions.”