What Is the APPI?

The Act on the Protection of Personal Information (APPI) is Japan's primary data protection law. Originally enacted in 2003 as Act No. 57, it was one of the first comprehensive privacy regulations in Asia - predating the EU's GDPR by fifteen years.

The law has been amended several times. A major overhaul in 2015 (in force from May 2017) created the Personal Information Protection Commission (PPC), an independent supervisory authority responsible for issuing guidelines, investigating violations, and enforcing the law. Further amendments passed in June 2020 and took effect on 1 April 2022, strengthening individual rights, tightening cross-border transfer rules, and introducing the concept of personally referable information (PRI) - a category that directly affects how websites handle cookies.

A built-in review clause requires the Japanese government to reassess the APPI every three years. The PPC published an Interim Summary in June 2024 outlining proposed changes for the next amendment round, expected to be drafted in 2025 and take effect around 2027.

Who Must Comply?

The APPI applies to any business operator that handles the personal information of individuals in Japan for commercial purposes, whatever its size. Earlier versions exempted organisations holding records on no more than 5,000 individuals; the 2015 amendments (in force from May 2017) removed that threshold entirely, so a small website is covered in the same way as a large platform.

Scope is extraterritorial. If your website offers goods or services to people in Japan, or collects data from visitors located there, you fall within the APPI's reach regardless of where your company is based. This mirrors the approach taken by the GDPR, the LGPD, and the CCPA.

Key Definitions That Affect Cookie Compliance

Personal information means information about a living individual that can identify them, either on its own or combined with other readily available data. Names, dates of birth, and individual identification codes (passport numbers, biometric identifiers) all qualify.

Personal data is a narrower subset: personal information forming part of a systematically organised database. Restrictions on third-party transfers apply specifically to personal data.

Special care-required personal information covers sensitive categories - race, creed, social status, medical history, criminal record, and the fact of having been the victim of a crime. Acquiring this data requires the individual's prior opt-in consent, apart from narrow statutory exceptions (for example where a law requires the collection or a person's life or safety is at risk).

The 2020 amendments introduced personally referable information (PRI). PRI is data that cannot identify an individual on its own but may become identifying once a third-party recipient combines it with other data they hold. Cookie identifiers, browsing histories, and IP addresses frequently fall into this category. If you transfer PRI to a third party who will use it to identify individuals, you must confirm that the recipient has obtained consent.

How Japan Regulates Cookies

Japan's approach diverges sharply from the EU's. Under the ePrivacy Directive, storing or accessing information on a user's device requires prior consent unless strictly necessary. The APPI has no equivalent rule. Cookies are not automatically classified as personal information.

Cookies do become regulated in two scenarios. First, if cookie data is linked to an identifiable individual (because a user logs in, for example), it qualifies as personal information. Second, if cookie data is transferred to a third party that can combine it with other data to identify people, it qualifies as PRI.

The Rikunabi scandal in 2019 illustrated the risk. The job-seeking platform tracked students' browsing behaviour via cookies, calculated the probability each student would decline a job offer, and sold those scores to corporate recruiters without consent. The PPC issued formal recommendations and the case directly prompted the 2020 PRI rules.

The Telecommunications Business Act (TBA)

While the APPI does not directly regulate cookie technology, the amended Telecommunications Business Act does. Its External Data Transmission Rule, effective since 16 June 2023, is Japan's first direct regulation of cookies and tracking scripts.

The rule applies to online services with a "significant impact on user interests" - social media, messaging, e-commerce marketplaces, search engines, and streaming platforms. Simple corporate websites displaying only the company's own information are generally excluded.

When a covered service transmits device-stored user information (cookie identifiers, browsing histories) to a third party, the operator must either notify users in advance about what data is transmitted and to whom, obtain the user's consent, or provide a functioning opt-out mechanism. First-party cookies, authentication data, and information needed for security or load balancing are exempt.

APPI vs GDPR: Key Differences

Cookie consent
  Japan APPI: Not required by default; PRI rules apply when data is shared with third parties
  EU GDPR: Required for all non-essential cookies under the ePrivacy Directive

Legal bases
  Japan APPI: Purpose specification and notification; consent for sensitive data and certain transfers
  EU GDPR: Six lawful bases including consent, contract, and legitimate interest

Sensitive data
  Japan APPI: Race, creed, social status, medical history, criminal record
  EU GDPR: Broader: includes biometrics, political opinions, trade union membership

Supervisory authority
  Japan APPI: Personal Information Protection Commission (PPC)
  EU GDPR: National DPAs (e.g. CNIL, ICO)

Breach notification
  Japan APPI: Preliminary report promptly; final report within 30 days (60 for cyberattacks)
  EU GDPR: 72 hours under Article 33

Maximum fines
  Japan APPI: 100 million yen (~$700,000 USD)
  EU GDPR: 20 million euros or 4% of global turnover

Cross-border transfers
  Japan APPI: Consent, adequacy, or contractual safeguards
  EU GDPR: Adequacy, SCCs, BCRs, or other mechanisms

DPO requirement
  Japan APPI: Recommended, not mandatory
  EU GDPR: Mandatory in specific cases

The EU-Japan Mutual Adequacy Decision

In January 2019, the European Commission adopted an adequacy decision recognising Japan's framework as providing adequate safeguards for EU personal data. Japan's PPC reciprocated, creating the world's first mutual adequacy arrangement.

The decision is supplemented by Supplementary Rules issued by the PPC, which impose additional protections on EU-origin data. The European Commission completed its first review in April 2023 and confirmed that Japan continues to provide adequate protection, extending the review cycle from two to four years.

For website owners, personal data can flow freely between the EU and Japan without standard contractual clauses or other transfer mechanisms - provided the Japanese recipient complies with both the APPI and the Supplementary Rules.

Enforcement and What Comes Next

The PPC enforces the APPI through a graduated approach: administrative guidance first, formal recommendations second, binding orders as a last resort. Criminal penalties apply only when a PPC order is violated or in cases of deliberate misconduct.

Current maximum penalties include fines of up to 100 million yen (~$700,000 USD) for businesses. Individuals face up to 1 million yen or imprisonment of up to one year. These figures are far below GDPR penalties.

That gap may narrow. The PPC's 2024 Interim Summary proposes introducing administrative monetary penalties, broadening criminal liability, establishing collective action rights for consumer organisations, and creating specific rules for biometric data and children's data (those under 16). If the amendments pass as proposed, enforcement will look substantially more aggressive by 2027.

Practical Steps for Website Owners

Audit your cookies and tracking scripts. Identify which ones transmit data to third parties. If those third parties can use the data to identify individuals, you are handling PRI. A cookie scanner helps map what your site sets.

Check whether the TBA applies. If you operate an e-commerce marketplace, social platform, or other covered service, you must notify users about external data transmissions, obtain consent, or offer opt-out controls.

Update your privacy notice. The APPI requires you to specify the purpose of data collection. If you transfer data internationally, describe the destination country and its data protection standards.

Implement consent for third-party sharing. Even without blanket cookie consent requirements, sharing cookie data with advertising networks or analytics providers that identify users triggers PRI obligations. A consent management platform with geo-detection can apply the right rule per region, but IP-based geo-detection is a heuristic: VPNs and carrier networks misplace visitors, so default to the stricter rule when the region is uncertain.

Document everything. Maintain records of what personal information you collect, why, how long you keep it, and who receives it. Build processes to handle deletion requests and other data subject rights promptly.
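The five steps above amount to one procedure: inventory the scripts a page loads, separate first-party from third-party, decide per region and per user choice which third-party tags may run, and keep a record of the decision. The following is an added example of that procedure and is not code from the original page or from any product it mentions. The site hostname, the tag inventory, and the mapping from region to a simplified policy model ("opt-in" for EU/UK, "notice plus opt-out, consent for identifying third-party sharing" for Japan) are constructed assumptions for illustration, not a legal determination; a real deployment would take the inventory from a scan and the policy from counsel.

```javascript
// Added example, not code from the original page. SITE_HOST, TAG_CATALOG and
// REGION_POLICY are constructed assumptions for illustration only.

const SITE_HOST = "shop.example.jp"; // assumed first-party host

// A script is first-party when it is served from the site itself or one of
// its subdomains. Matching on ".<site>" (with the dot) keeps
// "shop.example.jp.evil.example" from passing as first-party.
function isFirstParty(scriptUrl, siteHost = SITE_HOST) {
  const host = new URL(scriptUrl).hostname.toLowerCase();
  return host === siteHost || host.endsWith("." + siteHost);
}

// Constructed inventory of what a cookie scan might find on one page.
// `identifiesUsers` records whether the recipient can link the data to a
// person (the PRI question); it comes from reviewing the vendor, not from code.
const TAG_CATALOG = [
  { id: "session",    src: "https://shop.example.jp/js/app.js",           category: "functional",  identifiesUsers: false },
  { id: "cdn-assets", src: "https://static.shop.example.jp/ui.js",        category: "functional",  identifiesUsers: false },
  { id: "analytics",  src: "https://metrics.example-analytics.net/a.js",  category: "analytics",   identifiesUsers: true  },
  { id: "ads",        src: "https://pixel.example-adnet.com/p.js",        category: "advertising", identifiesUsers: true  },
];

// Step 1, the audit: every tag that sends data off-site, flagged with whether
// that transfer is PRI for the purposes of the article's rules.
function auditTags(tags = TAG_CATALOG, siteHost = SITE_HOST) {
  return tags
    .filter((t) => !isFirstParty(t.src, siteHost))
    .map((t) => ({ id: t.id, host: new URL(t.src).hostname, pri: t.identifiesUsers }));
}

// Simplified, assumed policy models per region. Unknown regions fall back to
// the strictest model, which is the safe default when geo-detection is unsure.
const REGION_POLICY = {
  EU: { model: "opt-in" },
  UK: { model: "opt-in" },
  JP: { model: "notice-opt-out" },
};

function policyFor(region) {
  return REGION_POLICY[region] || { model: "opt-in" };
}

// Steps 2 and 4: may this tag load for this visitor? `consent` maps a category
// to true/false; `optedOut` lists categories declined through an opt-out control.
function tagDecision(tag, region, consent = {}, optedOut = []) {
  const firstParty = isFirstParty(tag.src);
  if (tag.category === "functional" && firstParty) {
    return { load: true, reason: "first-party functional" };
  }
  const { model } = policyFor(region);
  if (model === "opt-in") {
    return consent[tag.category] === true
      ? { load: true, reason: "opt-in consent given" }
      : { load: false, reason: "opt-in consent missing" };
  }
  // notice-opt-out model: opt-out always wins; identifying third-party sharing
  // still needs consent; everything else runs once notice has been given.
  if (optedOut.includes(tag.category)) return { load: false, reason: "user opted out" };
  if (!firstParty && tag.identifiesUsers) {
    return consent[tag.category] === true
      ? { load: true, reason: "third-party identifying data: consent given" }
      : { load: false, reason: "third-party identifying data: consent required" };
  }
  return { load: true, reason: "notice given, no opt-out" };
}

// Step 5: keep an auditable record of each choice so it can be produced later.
function recordConsent(store, { userId, region, choices }) {
  const entry = { userId, region, choices: { ...choices }, ts: new Date().toISOString() };
  store.push(entry);
  return entry;
}

// Apply the decisions. In a browser this injects only the permitted scripts;
// without a DOM (e.g. under Node) it just returns the decision list.
function applyGate(region, consent = {}, optedOut = []) {
  const decisions = TAG_CATALOG.map((t) => ({ id: t.id, ...tagDecision(t, region, consent, optedOut) }));
  if (typeof document !== "undefined") {
    for (const d of decisions) {
      if (!d.load) continue;
      const tag = TAG_CATALOG.find((t) => t.id === d.id);
      const s = document.createElement("script");
      s.src = tag.src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return decisions;
}
```

Run `applyGate("JP", {}, [])` before any tag is in the page and only the two first-party functional scripts load; the analytics and advertising tags stay blocked until `consent.analytics` or `consent.advertising` is set, and an entry in `optedOut` blocks a category regardless of an earlier consent. The point of keeping `tagDecision` a pure function is that the same logic can be unit-tested offline and also be the single place counsel's interpretation of the rules is encoded.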

Frequently Asked Questions

Does the APPI require cookie consent for all websites?

No. The APPI does not treat cookies as personal information by default. Consent comes into play when cookie data is shared with third parties who can use it to identify individuals (under the PRI rules the transferring business must confirm the recipient has obtained the individual's consent), or when cookies collect special care-required personal information. First-party cookies used for site functionality generally do not require consent under Japanese law.

What is the External Data Transmission Rule under the TBA?

Effective since June 2023, it requires certain online service providers to inform users when device-stored data (including cookies) is transmitted to third parties. Operators must notify users, obtain consent, or provide an opt-out mechanism. It covers services such as social media, messaging, e-commerce marketplaces, and search engines.

Does the APPI apply to websites outside Japan?

Yes. The APPI applies extraterritorially to any business that handles personal information of individuals in Japan in connection with offering goods or services, regardless of where the business is located.

What are the penalties for APPI non-compliance?

Businesses face fines of up to 100 million yen (~$700,000 USD). Individuals may be fined up to 1 million yen or face imprisonment of up to one year. The PPC typically issues guidance before escalating to formal orders and penalties.

How does the APPI compare to the GDPR?

Both protect personal data and grant individual rights, but differ in key areas. The GDPR requires opt-in consent for non-essential cookies; the APPI does not. GDPR fines reach 20 million euros or 4% of turnover; APPI fines cap at ~$700,000 USD. Japan and the EU share a mutual adequacy decision allowing free data flows.

Can data flow freely between the EU and Japan?

Yes. A mutual adequacy arrangement has been in place since January 2019, confirmed as functioning well in the 2023 review. No standard contractual clauses are needed, provided the Japanese recipient complies with the APPI and its Supplementary Rules.

What changes are expected in the next APPI amendment?

The PPC's 2024 Interim Summary proposes administrative fines, expanded protections for biometric and children's data, broader criminal penalties, and potential rules for generative AI training. Draft legislation is anticipated in 2025, taking effect around 2027.

Get Your Cookie Compliance Right Across Jurisdictions

If your website serves visitors in Japan alongside the EU, UK, or other regulated markets, managing different consent requirements gets complicated. Kukie.io detects cookies, applies region-specific consent rules through geo-detection, and keeps records of user choices - so you meet the APPI's transparency requirements and the GDPR's opt-in rules from a single dashboard.
