Japan was one of the first Asian countries to adopt a comprehensive data protection law. Japan’s Act on the Protection of Personal Information (APPI), Act No. 57 of 2003, was enacted in 2003 and fully in force by 2005, more than a decade before the GDPR took effect in 2018.
The APPI sets standards for how businesses and organizations must collect, store, and manage the data they collect from individuals.
The law has been amended several times to keep pace with technology and changing attitudes to online privacy. The most recent amendments were passed in 2020 and 2021 and came into force in 2022 and 2023.
With these updates, the APPI is closely aligned with the strictest data privacy regulations in the world, such as the GDPR; Japan and the EU have recognized each other’s regimes as adequate since 2019.
Let’s break down the APPI requirements, user rights, and how businesses can stay compliant.
What Is Japan’s Act on the Protection of Personal Information?
The Act on the Protection of Personal Information (APPI) is Japan’s personal information protection law that regulates how individuals and organizations collect, store, and process personal information.
The APPI, Act No. 57 of 2003, was enacted in 2003 and fully in force from 2005.
It was substantially amended in 2015 (in force from 2017) and again in 2020 and 2021, with the latest amendments coming into force in 2022 and 2023.
Following these updates, the APPI is among the most GDPR-aligned data privacy laws in Asia, and Japan was the first country to receive an EU adequacy decision (January 2019) paired with its own recognition of the EU as an adequate jurisdiction.
Like Europe's GDPR, the APPI has extraterritorial reach: it applies to any business or organization that handles the personal information of individuals in Japan in connection with supplying goods or services to them, regardless of where the business is located. The trigger is the location of the individual, not Japanese citizenship.
The APPI is enforced by the Personal Information Protection Commission (PPC), an independent regulator established under the 2015 amendments and operational since January 2016.
The PPC has the following functions:
- Issues guidelines and interpretations of the law.
- Issues recommendations and administrative guidance.
- Investigates businesses suspected of violating the APPI.
- Issues binding orders; violating an order is a criminal offence punishable by fines and, for the responsible individuals, imprisonment.
- Cooperates with foreign regulators in cross-border cases.
Who Must Comply With the APPI?
The APPI applies to:
- Japanese companies handling personal data.
- Foreign companies that handle the personal information of individuals in Japan in connection with offering them goods or services, including marketing directed at them.
Even small businesses are subject to the law: the 2015 amendments removed the former threshold of 5,000 records, so the number of individuals whose personal information is handled no longer matters.
Key Principles of Japan’s Data Protection Law
The APPI sets several key principles:
- Transparency
Organizations must specify the purpose of use as clearly as possible and notify the individual or publicly announce it (typically in a privacy notice) at or before collection.
- Purpose limitation
Organizations may use collected data only for the specified purposes; a change of purpose requires consent unless the new purpose stays within a scope reasonably related to the original one.
- Data minimization
Organizations must collect and retain only the data needed for the specified purpose and must strive to delete data that is no longer needed.
- Strong individual rights
Individuals (called “principals” in the APPI) can demand disclosure, correction, cessation of use, and deletion of their data.
- Security safeguards
Organizations must implement appropriate organizational, human, physical, and technical security control measures, and must supervise the employees and contractors who handle the data.
Rights of Individuals Under the APPI
The APPI grants individuals, referred to in the law as “principals” (the equivalent of the GDPR’s data subjects), these rights:
- Right to data access (disclosure)
Individuals can request disclosure of the retained personal data an organization holds about them, its purpose of use, and the records of any provision to third parties. Since the 2020 amendment they can ask for the disclosure in electronic form rather than on paper.
- Right to data rectification
If retained personal data is inaccurate, incomplete, or outdated, individuals may request correction, addition, or deletion of the incorrect content. Organizations must establish procedures for receiving and handling such requests.
- Right to cessation of use and deletion
Individuals can demand that an organization stop using or delete their personal data when:
the data was obtained by deceit or other improper means, or is being used beyond the stated purpose;
the data was acquired in violation of the rules for sensitive information;
the data is no longer needed for the purpose for which it was collected;
the data has been involved in a breach that is subject to notification; or
continued handling of the data is likely to harm the individual’s rights or legitimate interests (the broadened grounds added by the 2020 amendment).
- Withdrawal of consent
The APPI does not spell out a general right to withdraw consent in the way the GDPR does, but the cessation-of-use right above, combined with the right to stop third-party provision, has a similar effect for marketing and profiling. Businesses should offer easy ways to exercise these rights and stop the processing once asked.
- Right to receive data in electronic form
The APPI has no GDPR-style portability right that obliges a business to transfer data to another provider. What it does provide, since 2022, is the individual’s right to choose the method of disclosure, including a digital format, which the business must honour unless doing so would involve a large cost or is otherwise difficult.
- Right to object
Individuals can demand cessation of use or of third-party provision on the grounds listed above, which covers unwanted marketing and profiling in practice; the APPI does not contain a standalone right to object to automated decision-making.
- Right to be informed about third-party transfers
Individuals can request disclosure of the records an organization must keep of its provision of personal data to third parties, including cross-border transfers. When consent is sought for an overseas transfer, they must first be given information about the destination country’s legal system and the recipient’s safeguards.
- Right to stop provision to third parties
Individuals can demand that an organization stop providing their personal data to third parties if it is being disclosed without consent or another legal basis.
- Right to file complaints
Individuals can file complaints with the Personal Information Protection Commission (PPC), or with an accredited personal information protection organization, if they believe their rights under the APPI have been violated.
Japan’s APPI Consent Requirements
Under Japan’s APPI, ordinary (non-sensitive) personal information can be collected without consent, provided the business:
- specifies the purpose of use as clearly as possible, notifies the individual of it or publicly announces it, and limits handling to that purpose; and
- acquires the information by lawful and fair means, not through deceit or other improper methods.
For example, collecting customer names and addresses to ship a product they purchased usually does not require explicit user consent.
However, explicit consent is mandatory in the following cases:
- Collecting sensitive personal information
Consent is required before acquiring “special care-required personal information”: race, creed, social status, medical history, criminal history, the fact of having suffered damage from a crime, and the categories added by Cabinet Order (such as disability, results of medical examinations, and criminal procedure). Note that the statutory list differs from the GDPR’s: biometric data and sexual orientation, for example, are not on it.
- Cross-border data transfers
Consent is required before providing personal data to a third party in a foreign country, unless the destination is on the PPC’s adequacy list (currently the EU member states and the United Kingdom) or the recipient has put in place standards equivalent to the APPI, for example through a contract. When relying on consent, the business must first give the individual information about the destination country’s personal data protection system and the recipient’s safeguards.
- Providing data to third parties
Consent is required before providing personal data to a third party, unless an exception applies: entrustment to a processor within the scope of the purpose of use (the business must supervise the processor, typically through a contract), business succession, joint use announced in advance, or the opt-out scheme, which requires prior notification to the PPC and is not available for sensitive information or improperly obtained data. Records of third-party provision must be kept in every case.
- Changes to the purpose of use
If the purpose of use changes beyond a scope reasonably related to the original purpose, the business must obtain the individual’s consent before using the data for the new purpose.
The APPI does not regulate cookies as such: a cookie or advertising identifier that cannot by itself identify a person is not personal information. Under the 2020 amendment, however, such data is “personally related information”, and when a business provides it to a third party who can link it to an identified individual (for example, an ad-tech vendor matching the cookie to its own user database), the providing business must first confirm that the recipient has obtained the individual’s consent. In practice this means third-party personalization and advertising cookies should not be set until consent has been recorded.
Example: In the Rikunabi case (2019), a job-seeking platform used cookies to record students’ browsing history without their consent and profiled them to calculate the likelihood that each student would decline a job offer. The scores were then provided to client companies that could match them to named applicants. The PPC issued recommendations and administrative guidance against the operator, and the case is widely cited as the trigger for the 2020 amendment’s rules on personally related information.
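To make the consent requirement concrete, here is an added example (not code from the original article, from the PPC, or from CookieScript) of the mechanism a consent tool uses to hold back third-party tags until consent is recorded, which is also what the “third-party cookie blocking” and “consent recordings” features described later in this article boil down to. It assumes, as conventions of this example only, that third-party `<script>` tags are shipped with `type="text/plain"` and a `data-category` attribute, that the consent record is a JSON object with the fields shown, and that the category names and storage key are the ones below; none of these names come from the APPI or the page.

```javascript
// Consent-gated loading of third-party tags (added example; category names, storage
// key and record layout are assumptions of this example, not defined by the APPI or any CMP).
//
// Idea: third-party scripts ship inert as <script type="text/plain" data-category="advertising">.
// A browser does not execute a script whose type it does not recognise, so no cookie is set
// and nothing is sent to the vendor until the user's recorded consent covers that category.

const CATEGORIES = ["necessary", "analytics", "advertising"];
const STORAGE_KEY = "appi_consent"; // assumed key name

// Build the record that proves what the user consented to, when, and under which banner text.
// "necessary" is always on; every other category is off unless explicitly allowed.
function makeConsentRecord(allowed, bannerVersion, now = new Date()) {
  const unknown = allowed.filter((c) => !CATEGORIES.includes(c));
  if (unknown.length) throw new Error(`unknown categories: ${unknown.join(", ")}`);
  return {
    version: bannerVersion,
    timestamp: now.toISOString(),
    categories: Object.fromEntries(
      CATEGORIES.map((c) => [c, c === "necessary" || allowed.includes(c)])
    ),
  };
}

// Fail closed: with no record, a malformed record, or an unknown category, only "necessary" runs.
function isAllowed(record, category) {
  if (category === "necessary") return true;
  if (!record || typeof record.categories !== "object") return false;
  return record.categories[category] === true;
}

// Parse a stored record defensively; anything malformed is treated as "no consent".
function parseRecord(json) {
  try {
    const r = JSON.parse(json);
    return r && typeof r === "object" && typeof r.version === "string" && r.categories ? r : null;
  } catch {
    return null;
  }
}

// Split tag descriptors into those to activate and those to keep blocked.
// Works on plain objects so the decision logic can be exercised outside a browser.
function partitionTags(record, tags) {
  const allow = [];
  const block = [];
  for (const tag of tags) (isAllowed(record, tag.category) ? allow : block).push(tag);
  return { allow, block };
}

// Browser glue: replace each consented inert tag with an executable copy.
// Cloning is required because changing `type` on an already-parsed <script> never runs it.
function activateConsentedScripts(record, doc = globalThis.document) {
  if (!doc) return 0; // not in a browser (e.g. when this file is run under Node)
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!isAllowed(record, el.dataset.category)) continue;
    const live = doc.createElement("script");
    for (const attr of el.attributes) {
      if (attr.name !== "type") live.setAttribute(attr.name, attr.value);
    }
    live.type = "text/javascript";
    live.text = el.text;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample page: four tags, one with a category the banner never offered.
const SAMPLE_TAGS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
  { src: "https://cdn.example/widget.js", category: "social" },
];

// End-to-end: the user ticks only analytics; persist the record; decide which tags may run.
// `storage` is a Map standing in for window.localStorage so the example runs offline.
function demo(storage = new Map()) {
  const record = makeConsentRecord(["analytics"], "banner-2025-01", new Date("2025-01-15T09:00:00Z"));
  storage.set(STORAGE_KEY, JSON.stringify(record));
  const restored = parseRecord(storage.get(STORAGE_KEY));
  const { allow, block } = partitionTags(restored, SAMPLE_TAGS);
  return { record: restored, allowed: allow.map((t) => t.src), blocked: block.map((t) => t.src) };
}
```

In a browser, replace the Map with `window.localStorage` (`getItem`/`setItem`) and call `activateConsentedScripts(record)` from the banner’s accept callback; until then the tags stay `type="text/plain"` and set no cookies. Two design points matter for the APPI: the record carries a timestamp and banner version, so you can later show what the individual agreed to, and every decision fails closed, so a missing, corrupted, or unknown category never results in a third-party tag running.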
Obligations for Businesses Under the APPI
Japan’s APPI sets strict requirements for organizations that process user personal information. The obligations include:
- Responsible officer
The APPI does not mandate a GDPR-style Data Protection Officer, but the PPC’s guidelines on security control measures expect organizations to designate a person responsible for handling personal data, define reporting lines, and provide a contact point for inquiries and complaints from individuals and the regulator.
- Transparency
Companies must specify the purpose of use and notify individuals of it or publicly announce it, and must obtain consent where the APPI requires it, such as before sharing cookie-derived data with third parties.
- Purpose limitation
Organizations must only use personal data for the purposes disclosed at the time of collection and not process it further in a manner incompatible with those purposes.
- Data minimization
Organizations must collect and retain only the data needed for the specified purpose and should delete data once it is no longer needed.
- Security safeguards and risk management
Organizations must take necessary and appropriate security control measures against leakage, loss, or damage: organizational (rules, responsibilities, incident reporting), human (training, confidentiality obligations), physical (access to premises and devices), and technical (access control, encryption, malware protection, logging), and, since 2022, an understanding of the legal environment of any foreign country where the data is handled.
- Risk assessments
Organizations should perform regular risk assessments to identify weaknesses in their data handling practices and verify that the safeguards above remain effective.
- Data breach notification
Since April 2022 reporting is mandatory when a leak, loss, or damage of personal data involves sensitive information, could cause financial harm, was caused by a wrongful purpose, or affects more than 1,000 individuals. The business must file a preliminary report with the PPC promptly (within roughly three to five days) and a final report within 30 days (60 days if the incident was caused by a wrongful act), and must notify the affected individuals. Where a processor suffers the breach, it may report to the controller instead, but the controller remains responsible for notifying the PPC and the individuals and for remediation.
- Employee training
Organizations must train employees on data privacy principles and the organization’s own handling rules to reduce the likelihood of human error leading to a breach.
Cross-Border Data Transfers in Japan
When providing personal data to a third party outside Japan, a business must use one of three routes:
- Adequacy
Transfer to a country on the PPC’s adequacy list, which currently comprises the EU member states and the United Kingdom. Transfers to these destinations are treated like domestic third-party provision.
- Consent
Obtain the individual’s prior consent to the overseas transfer. Since 2022 the consent is valid only if the individual was first given information about the destination country’s personal data protection system, the recipient’s safeguards, and anything else that could affect their rights.
- Equivalent standards
Put in place contractual clauses or other binding arrangements under which the recipient handles the data to a standard equivalent to the APPI (for example, the controller’s contract with a foreign processor). The transferring business must periodically verify that the recipient complies, must provide information about those checks to the individual on request, and must stop the transfer if the recipient breaks the arrangement.
Whichever route is used, the general third-party-provision rules still apply: consent or an exception is needed for the provision itself, and a record of the provision must be kept.
Penalties for Non-Compliance With Japan’s APPI
Businesses that fail to comply with Japan’s Act on the Protection of Personal Information may face:
- Guidance, recommendations, and binding orders from the PPC.
- Criminal fines for violating a PPC order, and for unlawfully providing or misappropriating a personal information database.
- Loss of consumer trust.
The 2020 amendment sharply increased the maximum penalties. Note that the PPC does not levy GDPR-style administrative fines scaled to turnover: APPI penalties are criminal sanctions imposed by a court, usually after a business has ignored a PPC order. On top of those, organizations face legal fees, remediation costs, and potential lawsuits from affected customers.
A company that violates a PPC order, or whose staff unlawfully provide or steal a personal information database, faces a fine of up to ¥100 million (approximately $700,000 USD). The responsible individual faces imprisonment for up to one year or a fine of up to ¥1 million (approximately $7,000 USD).
Examples of conduct that can lead to an order, and then to prosecution if the order is ignored, include failing to report a notifiable data breach to the PPC and providing personal data to third parties without consent or another legal basis.
Reputational damage due to public disclosure of violations could lead to loss of customer trust, loss of customers, or competitive disadvantages.
The PPC typically starts with guidance and recommendations, giving businesses the opportunity to correct their practices before an order is issued; criminal penalties follow only if an order is ignored.
APPI vs GDPR: Key Differences and Similarities
While both laws share common principles, there are some notable differences.
Similarities between Japan’s APPI and Europe’s GDPR:
- Both APPI and GDPR emphasize transparency, requiring companies to clearly explain why personal information is being collected.
- Both APPI and GDPR require purpose limitation, requiring organizations to collect personal data only for the purposes disclosed at the time of collection.
- Both privacy laws grant individual rights, such as the right to data access, the right to rectification, the right to deletion or cessation of use, and the right to receive disclosed data in electronic form.
- Both apply extraterritorially to foreign businesses.
Both laws cover pseudonymous data (the APPI’s “pseudonymously processed information” carries lighter obligations), but only the APPI also regulates anonymously processed information; the GDPR simply places anonymous data outside its scope.
The key differences between Japan’s APPI and Europe’s GDPR include:
- Consent
Under the GDPR, every processing activity needs one of six lawful bases, of which consent is only one, and consent must be freely given, specific, informed, and unambiguous. Under the APPI, ordinary personal information may be acquired and used without consent once the purpose of use has been specified and notified; consent is required only in particular situations, namely sensitive information, provision to third parties, overseas transfers, and changes of purpose.
- Cross-border data transfers
Both laws combine adequacy decisions with other mechanisms, but the GDPR relies mainly on standard contractual clauses and binding corporate rules, whereas the APPI relies mainly on informed consent or contractual arrangements giving equivalent standards, and only the EU and the UK are currently on the PPC’s adequacy list.
- Penalties for violation
Penalties under the GDPR are far higher: administrative fines of up to €20 million or 4% of global annual turnover, whichever is higher, imposed directly by regulators. The APPI’s maximum is a criminal fine of ¥100 million on a company that violates a PPC order.
How to Ensure APPI Compliance in 2025?
If your business operates in Japan or handles the personal information of individuals in Japan, APPI compliance is not optional; it is a legal requirement, and non-compliance can lead to PPC orders and criminal penalties.
To stay compliant with Japan’s APPI, implement these measures:
- Designate a person responsible for personal information
The APPI does not mandate a DPO, but naming someone to oversee compliance, handle individuals’ requests, and communicate with the PPC is expected under the PPC’s security-control guidelines.
- Be transparent
Specify your purposes of use and notify or publish them in a privacy notice before collection, and use a cookie banner to obtain consent before setting third-party personalization or advertising cookies.
- Put a Privacy Policy in place
Clearly state your purposes of use, your handling of third-party provision and overseas transfers, and how individuals can exercise their rights.
- Respect purpose limitation and data minimization
Collect personal data only for the purposes disclosed at the time of collection, do not process it in a manner incompatible with those purposes, and collect only the data needed.
- Implement cybersecurity measures
Apply organizational, human, physical, and technical security controls such as access control, encryption, logging, and staff training to prevent leakage or misuse.
- Assess risks
Carry out a data protection impact assessment before launching new processing (not mandatory under the APPI, but good practice) and repeat risk assessments regularly to find weaknesses in how personal data is collected, stored, and transferred.
- Train employees
Train employees on data privacy principles and your handling rules to reduce the likelihood of human error leading to a breach.
- Prepare for breach notification
Have a process to classify incidents against the APPI’s notification triggers, file the preliminary and final reports with the PPC on time, notify affected individuals, and contain the damage.
- Implement a consent management solution
A consent management platform (CMP) informs users about data collection, records their choices, and blocks third-party cookies until consent is given, helping businesses collect, store, and respect consent under the APPI.
CookieScript is one of the best CMPs on the market. It provides essential features and functionalities such as:
- Cookie banner customization
- Cookie policy
- Cookie Scanner
- Consent recordings
- Language support
- Third-party cookie blocking
- Integrations with CMS platforms like WordPress, Shopify, Drupal, Joomla, etc.
- Google Consent Mode v2 integration
- Certification by Google
CookieScript CMP also offers many features that other CMPs are missing, including:
- geo-targeting
geo-targeting is an important feature that ensures that the right consent banner appears based on the user’s location, enabling compliance with many privacy laws. This means that you can have different cookie banners designed for different privacy laws. For example, when a user from Japan visits your website, they are presented with a Cookie Banner, designed to comply with Japan’s APPI. The CookieScript geo-targeting feature is available for 250 countries and 50 US states. - Cookie banner sharing
CookieScript allows you to share your banners with multiple users, a frequently requested feature for web agencies that manage many customers. Agencies can choose between read-only and full-access Cookie Banner sharing, and a banner can be shared with any user, even one without a CookieScript account. - Cross-domain cookie consent sharing
CookieScript enables both sub-domain and cross-domain Cookie Consent sharing. Cross-domain consent allows website owners to store Cookie Consent settings from a single user across multiple domains. Website visitors will only see a cookie banner on their first visit to a website and will not see the banner on subsequent visits to that site or other linked sites. - CookieScript API
The CookieScript API allows you to customize the behavior of cookie banners, manage Cookie Consent and scans, retrieve and update cookie declarations, and control individual cookies automatically.
CookieScript CMP is evaluated by users on peer-review sites. In 2024, CookieScript CMP was ranked by users on G2 as the best CMP for small and medium-sized companies.
Ultimately, CookieScript offers one of the best pricing plans on the market, starting with just €8 /month/domain for the entry-level (Lite Plan). The Plus pricing plan includes all features and costs €19 /month/domain.
CookieScript also has a FREE pricing plan and a free trial of the Plus plan.
Frequently Asked Questions
What is the Act on the Protection of Personal Information (APPI)?
The APPI is Japan’s personal information protection law that regulates how organizations collect, store, and process personal information. It applies both to Japanese organizations and to foreign companies handling the personal information of individuals in Japan. Use CookieScript CMP to comply with the APPI.
Does the APPI require consent to collect personal data?
Consent is not always required. Businesses can collect ordinary personal data without consent if they specify the purpose of use, notify or publish it, limit handling to that purpose, and acquire the data fairly. Consent is mandatory, however, when acquiring sensitive information, providing data to third parties (unless an exception such as entrustment or the opt-out scheme applies), transferring data overseas to countries without an adequacy decision, or changing the original purpose of use.
Do you need to obtain consent for cookies in Japan?
The APPI does not regulate cookies as such, because a cookie that cannot by itself identify a person is not personal information. It is, however, “personally related information”, and when a business provides cookie data to a third party that can link it to an identified individual, such as a personalization or advertising vendor, the business must first confirm that the individual’s consent has been obtained. In practice, third-party cookies should be blocked until consent is recorded.
What are the penalties for non-compliance with the APPI?
APPI penalties are criminal sanctions imposed by a court: a company that violates a PPC order faces a fine of up to ¥100 million (approximately $700,000 USD), and the responsible individual faces a fine of up to ¥1 million (approximately $7,000 USD) or imprisonment for up to one year.
Who enforces the APPI?
The Personal Information Protection Commission (PPC) enforces Japan’s APPI. It oversees compliance, issues guidelines, conducts investigations, and can issue recommendations and binding orders to organizations that violate the law; ignoring an order is a criminal offence.