
Cookie consent in Japan

Consent and privacy law in Japan

In short
Japan's APPI, overseen by the PPC, follows a notice and purpose-specification model rather than broad opt-in for all processing. Consent is required for sensitive data and for transferring personal data to third parties, with some exceptions. Japan holds mutual EU adequacy, so data flows both ways with safeguards. A 2022 amendment strengthened breach reporting, individual rights, and rules on pseudonymised data and cross-border transfers, which now require informing individuals about the destination country's regime. Privacy notices in Japanese are expected. For cookies, Japan introduced rules on user-related information that require confirmation when certain identifiers are shared with third parties.
Status

Act on the Protection of Personal Information, as amended; substantially in force from 2022

Primary law
APPI
Languages

ja

Who must comply

Business operators that handle personal information of individuals in Japan, including overseas operators that handle data of people in Japan.

Penalties

Penalties up to 100 million yen for corporate violations of PPC orders

Key obligations

  • Specify and notify the purpose of use
  • Obtain consent before transferring data to third parties
  • Get opt-in consent for special-care sensitive data
  • Honor disclosure, correction and suspension-of-use requests
  • Report serious data breaches to the commission and affected individuals

Local guidance

  • Rely on the mutual EU-Japan adequacy arrangement
  • Obtain consent for sensitive data and third-party transfers
  • Inform individuals about destination countries for transfers
  • Provide notices in Japanese

How ConsentX helps

  • Purpose-of-use notice in the banner
  • Opt-in consent for sensitive data and third-party sharing
  • Rights request intake for disclosure and suspension
  • Consent receipts for evidence
  • Region rule engine tuned for Japan

This page is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified local counsel.

How to comply in Japan using ConsentX

  1. Scan your website

    Run a free scan to find every cookie and tracker on your site, so you know exactly what needs consent under Japan's rules.

  2. Show a geo-aware consent banner

    Add the ConsentX banner. It detects each visitor's region and automatically shows the consent experience that Japan requires.

  3. Block trackers until consent

    Keep non-essential cookies and trackers blocked until the visitor agrees, so nothing fires before consent.

  4. Record tamper-evident proof

    Every choice is stored as a tamper-evident consent receipt you can produce in an audit in Japan.

  5. Handle data requests on time

    Use the built-in DSAR workflow with SLA timers to answer access, deletion and opt-out requests within the legal deadline.

Frequently asked questions

Does Japan have EU adequacy?

Yes. Japan and the EU have a mutual adequacy arrangement, allowing personal data to flow between them with agreed safeguards in place.

When is consent required under Japan's APPI?

Consent is required for handling sensitive data and for transferring personal data to third parties, with some exceptions. Much ordinary processing relies on notice and purpose specification rather than broad opt-in.