APPI

Act on the Protection of Personal Information

Japan | Opt-in | National

Key Facts

Effective Date: April 1, 2005
Enacted: May 30, 2003
Enforcing Authority: Personal Information Protection Commission (PPC)
Consent Model: Opt-in
Fulfillment Time: 30 days
Applies To: Any business handling personal information of individuals in Japan, including foreign businesses (extraterritorial)

Overview

Japan's APPI is the country's primary data protection law, with specific cookie and tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing person-related identifiers (cookies, IPs, device IDs) to third parties that will link them to identified individuals. The PPC conducts mandatory three-year review cycles.

What This Means for Your Website

  • Consent is required before providing cookies, IP addresses, and device IDs to third parties that link them to identified users
  • First-party cookies and essential technical data (OS, browser, language) are exempt
  • The purpose of data use must be specified and publicly available
  • Breach notification to the PPC and affected individuals is mandatory
  • Cross-border transfers require adequacy, consent, or contractual safeguards
  • Foreign businesses serving Japanese users are subject to extraterritorial application

Key Requirements

The PPC enforces APPI with penalties up to 100 million JPY for legal entities and 1 year imprisonment for individuals. The 2026 Policy Direction proposes stricter rules for minors under 16, administrative monetary penalties, and collective redress schemes. Draft amendments are expected to take effect around 2027.

How ConsentStack Handles This

ConsentStack detects Japanese visitors and manages cookie consent in compliance with both APPI and the Telecommunications Business Act, blocking third-party tracking until consent is given.

Penalties

Individuals: up to 1 year imprisonment or 1M JPY. Legal entities: up to 100M JPY. Marketing violations: up to 30M JPY for entities.

Maximum Fine: JPY 100,000,000 per violation

Key Requirements

  • Opt-in consent before providing person-related identifiers to linking third parties
  • Notification or disclosure about cookie usage required
  • Purpose of use must be specified and publicly available
  • Mandatory breach notification to PPC and affected individuals
  • Cross-border transfer restrictions with adequacy, consent, or contractual safeguards

Notable Provisions

  • Mandatory three-year PPC review cycle
  • 2026 Policy Direction proposes stricter minors rules and administrative penalties
  • Telecommunications Business Act adds specific cookie transparency obligations
  • First-party cookies and essential technical data are exempt

Data Subject Rights

Access your data (30 days)

Right to request disclosure of retained personal data

Correct your data (30 days)

Right to request correction, addition, or deletion of inaccurate retained personal data

Stop use of your data (30 days)

Right to request cessation of utilization or provision to third parties of retained personal data

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
Indonesia PDP Law (Indonesia)
Indonesia's first comprehensive data protection law provides individuals greater control over personal data. Explicit, informed, specific consent is required including for cookies collecting personal data. Despite the transitional period ending October 2024, the Indonesian DPA has not yet been established, creating a current enforcement gap.

Frequently Asked Questions

Does Japan require cookie consent?

Yes, for third-party tracking. The APPI and Telecommunications Business Act require consent before providing cookies, IPs, and device IDs to third parties that link them to identified users.

What are the APPI penalties?

Up to 100 million JPY for legal entities and 1 year imprisonment for individuals. The 2026 reforms may introduce administrative surcharges.

Are first-party cookies regulated in Japan?

First-party cookies and essential technical data are generally exempt. The focus is on person-related information provided to linking third parties.

Does APPI apply extraterritorially?

Yes. Foreign businesses providing goods or services to individuals in Japan are subject to APPI.
