
Consent is important in Japan's APPI

Published August 25, 2021.


Japan’s wide-ranging Act on the Protection of Personal Information (APPI) was passed in 2003 and amended in 2015 and again in 2020.

Like many other data privacy laws, its purpose is to protect an individual’s rights and interests while also considering the utility of personal information. It applies to personal information controllers (PIC) in Japan, whether the PIC is a person or an entity, and only when the information is handled in the course of business operations.

With the 2020 amendment requiring end-user consent for the transfer of personal data to third parties, Cookiebot CMP is the optimal solution if you are looking for help to ensure that your website is not in violation of the APPI Japan.

In this blog post, we break down Japan’s APPI so you know what it means for your website’s use of cookies – and how you can become compliant.


APPI in Japan, quick summary


Japan’s data protection law, condensed

Japan’s wide-ranging Act on the Protection of Personal Information (APPI) was passed in 2003, amended in 2015 and again in 2020, with the latter going into effect in 2021/2022. The overhaul in 2015 came after a series of high-profile data breaches had shocked Japan, making it clear that the APPI’s requirements no longer met the present-day needs.

The 2015 overhaul brought with it the establishment of the Personal Information Protection Commission (PPC), which is an independent agency that protects the rights and interest of individuals while encouraging the appropriate and effective use of personal information.

Like many other data privacy laws, its purpose is to protect individuals’ rights and interests while recognizing that personal information is valuable, and often necessary, for conducting perfectly normal and legal day-to-day business operations.

The APPI in Japan applies to personal information controllers (PIC) in Japan, whether the PIC is a person or an entity. It only applies when a PIC handles personal information in the course of their business, and ‘business’ is explicitly defined as activities which can be conducted repeatedly for a specific purpose and are thus regarded as business operations under the given social conventions.

Japan’s APPI applies to companies that offer goods and services in Japan, whether they are located in the country or abroad. This means that Japan’s APPI, just like the EU’s GDPR and Thailand’s PDPA, has both territorial and extraterritorial scope.

The original 2003 version of Japan’s data protection law only applied to business operators with at least 5,000 identifiable individuals in their database during the previous six months. The latest amendment to the APPI on the other hand, removed this restriction and broadened its reach. This means it now includes all business operators that process personal information for business purposes no matter the number of individuals.




Exempt from the Japanese APPI’s application are central government organizations, local governments, local incorporated administrative agencies and independent administrative agencies.

APPI Japan and consent

Regarding consent, a PIC must notify the data subject of the purpose of utilization prior to the collection of personal information and obtain consent before acquiring sensitive information. When it comes to the transfer of personal data to third parties, it is prohibited to do so without the prior consent of the data subject unless an exception applies.

APPI Japan and penalties

The fines for breaching the APPI Japan vary, but with the 2020 amendment the maximum penalty was increased from 500,000 yen to 100 million yen. Revenue-based fines as known from the EU’s GDPR were considered during the 2020 amendment but ultimately abandoned, primarily because fines are rarely mentioned in the APPI Japan.



Japan's APPI aims to protect the privacy rights of the data subject.



APPI in Japan – timeline







APPI in Japan – Quick breakdown






APPI Japan compliance with Cookiebot CMP


Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.

Implement Cookiebot CMP to make sure that your website complies with all the major privacy laws around the world, including Japan’s APPI, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and South Korea’s PIPA.

The APPI in Japan requires consent from the users in Japan, before you can use cookies and trackers as an integral part of your website.

Our unrivaled website scanner detects all cookies and trackers, delivering an exhaustive report on all personal data processing cookies and trackers on your website.

Cookiebot CMP is an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.





What is Cookiebot CMP?

How exactly does Cookiebot CMP work, you might wonder?

Simply put, Cookiebot CMP is a plug-and-play compliance solution that automates the complete APPI cookie compliance procedure: from automatically detecting all the cookies on your website, and thereby controlling them, to actually collecting consents from end-users.

Cookiebot CMP offers you a detailed scan report including details about your website’s cookies such as purpose, provider, duration and what third parties it shares end-user data with.

Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.






Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP ensures compliance with the APPI in Japan along with many other data privacy regulations around the world.




APPI – Japan’s Act on Protection of Personal Information, in detail


With the quick overview of the Japanese APPI fresh in mind, the blog post now takes a closer look at the key characteristics of Japan’s data privacy law, to help you understand what it means for you and your website.


Scope of application of the APPI in Japan

The APPI in Japan applies to personal information controllers (PIC) in Japan, whether the PIC is a person or an entity. Before the first amendment there was an exception for PICs handling the personal information of fewer than 5,000 individuals, but after the amendment there is no minimum number of individuals. However, the General Guidelines of the APPI Japan ‘relax’ the standards of security measures for ‘small or medium sized business operators’.

The APPI in Japan only applies when a PIC handles personal information in the course of their business operations. A ‘business’ in the APPI Japan is explicitly defined as activities which can be conducted repeatedly for a specific purpose and are thus regarded as a business under the given social conventions. It does not distinguish between for-profit and non-profit businesses.

Exceptions to the above definition are broadcasting institutions, newspaper publishers, professional writers, religious bodies, political parties and universities, which are not included in the scope.

Japan’s APPI has both territorial and extraterritorial scope. This means that it applies not only to companies located in Japan that offer goods and services there, but also to companies located outside Japan that offer goods and services to people located in Japan.

The extraterritorial scope is not always stated in data privacy laws, but other examples of this type of scope can be found in the EU’s GDPR and Thailand’s PDPA.

The PPC’s responsibilities

The Personal Information Protection Commission Japan (PPC) is the primary regulator under the APPI. This section quickly outlines its main responsibilities, duties and powers.

These include:




APPI Japan – key definitions

Japan’s Act on the Protection of Personal Information (APPI) operates with a set of key definitions. To fully understand the Japanese APPI it is important to familiarize yourself with them, since they are the foundation of the data privacy law.

Compared with other data privacy laws, the APPI in Japan has a large number of definitions. To keep it short and to the point, these are the five key definitions we will focus on:

  1. Personal information
  2. Sensitive information
  3. Data controller
  4. Data processor
  5. Anonymized information and anonymized information controller

Personal information is information that can identify an existing individual in Japan, either by itself or in combination with other information.

Personal information includes numbers found in passports, driver’s licenses, social security IDs and resident’s cards. It also includes personal identifier codes, such as characters, symbols or numbers for computer use which represent detailed personal physical characteristics. These include, for example, DNA, fingerprints and facial appearance.

Sensitive information was not added to Japan’s APPI until 2017. It includes information relating to race, disabilities, medical records and treatments, criminal records, creed and religion.

A data controller is not defined explicitly in Japan’s APPI, but a personal information controller (PIC) is. A PIC is a business operator using a personal information database for its business and is therefore comparable to a data controller.

A data processor, like a data controller, is not defined by Japan’s APPI either. Because it is a familiar concept in other data privacy regulations and is still relevant despite not being explicitly defined, it is presented here. A data processor is an entity which has been entrusted by a PIC to handle personal data within the scope necessary for achieving the purpose of utilization.

Anonymized information is information regarding an individual which has been processed by deleting or replacing information so that it can no longer be used to identify an individual. An anonymized information controller is a business operator handling anonymized information.



It is important to know and recognize the key definitions to understand Japan's APPI.


Rights and responsibilities

As explained above, we differentiate between a data controller (in this case a PIC) and a data processor. Their responsibilities and rights are explained in detail here.

Even though a PIC is not generally required to be registered under the APPI, it still has certain rights and responsibilities. For example, it has to make certain information easily accessible, including the name of the PIC, the purpose of any utilization of personal information, how the data subject can correct their personal data and where to lodge a complaint about the PIC.

Besides this, a PIC must:


The Japanese APPI does not impose any direct obligations on data processors. Instead, the PIC must exercise the necessary and appropriate supervision over any third parties delegated to handle personal data.

For that reason, there should be an agreement between the PIC and any data processor. This ensures that the data processor provides the appropriate security measures, while also giving the PIC the power to instruct and investigate the data processor with regard to its handling of the personal data assigned to it.

Data subjects

Data subjects have the right to receive the personal data held about them. If requested, the PIC must disclose, in writing (unless the data subject has agreed to receive it electronically) and without delay, the information gathered about the data subject. There are only a couple of exceptions to this right. These are instances that would result in:


Additionally, data subjects have the right to revise, correct, amend or delete their personal data. They are also entitled to have their data deleted if it is being used for a purpose other than the one originally stated, or if the data was acquired by unlawful means.

Under the 2020 amendments, data subjects are also entitled to access a PIC’s record of data transfers to third parties. The 2020 amendment also requires end-user consent for the transfer of personal data to a third party. Such a transfer occurs, for example, every time a Google or Facebook cookie is activated on a website, making Cookiebot CMP an optimal solution to ensure that your website is not in violation of the APPI Japan.



The 2020 amendment requires end-user consent for the transfer of personal data to a third party.



Sanctions

The fines for breaching the APPI Japan vary, but with the 2020 amendment the maximum was increased from 500,000 yen to 100 million yen. Revenue-based fines as known from the EU’s GDPR were considered during the 2020 amendment but ultimately abandoned, primarily because fines are rarely invoked under the APPI Japan.




Summary of APPI, Japan’s Act on Protection of Personal Information


Japan’s Act on the Protection of Personal Information (APPI) is one of many data privacy laws around the world. Its purpose is to protect an individual’s rights and interests while also considering the utility of personal information.

It applies to personal information controllers (PIC) in Japan, whether the PIC is a person or an entity, and only when a PIC handles personal information in the course of their business.

Japan’s APPI was first approved in 2003 and has since been amended several times, with the latest one coming into full effect in 2022.

The latest amendment requires end-user consent for the transfer of personal data to a third party. Cookiebot CMP enables compliance with most of the world’s major data privacy laws, including Japan’s APPI, to make sure that your website is not in violation of the APPI Japan.




FAQ


What is Japan’s APPI?

The Japanese Act on Protection of Personal Information (APPI) is a data privacy law. Like the EU’s GDPR, its purpose is to protect the privacy rights of data subjects by making sure that companies and organizations do not abuse data about their users.



How can my website be in compliance with Japan’s APPI?

To comply with Japan’s APPI on your website, you are required to notify data subjects of the purpose of utilization before collecting any personal information, to obtain consent from data subjects before acquiring any sensitive information about them, and not to collect personal information in ways that could be regarded as unlawful or fraudulent.

It is also important that you give the users the option to access and correct their personal data whenever they wish to.



Who does Japan’s APPI apply to?

Japan’s APPI applies to a personal information controller (PIC) in Japan, whether the PIC is a person or an entity, and only when the PIC handles personal information in the course of their business. To clarify this, the Japanese APPI defines ‘business’ as activities which can be conducted repeatedly for a specific purpose and are thus regarded as a business under the given social conventions.



Does Japan’s APPI have extraterritorial scope?

Japan’s APPI applies not only to companies that offer goods and services in Japan from offices located within the country, but also to those who handle data about people living in Japan from offices outside Japan. The APPI in Japan therefore has both territorial and extraterritorial scope, much like the EU’s GDPR.



What is the penalty for breaching the Japanese APPI?

There are different penalties to deter breaches of the Japanese APPI. One of them is a fine, whose maximum was increased with the 2020 amendment from 500,000 yen to 100 million yen.

During the implementation of the 2020 amendment, it was also discussed whether revenue-based penalties, as known from the EU’s GDPR, should be part of the APPI, but ultimately they were not adopted.



How can I scan my website for cookies and trackers?

By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.



Resources


See the full Japanese Act on the Protection of Personal Information law text (in English)


Get started with Cookiebot CMP and Google Consent Mode


Learn more about the Personal Information Protection Commission (PPC)


Learn more about the EU’s GDPR and consent
