Japan's approach to cookies surprises people used to the GDPR. Under the Act on the Protection of Personal Information (APPI), a bare cookie identifier generally isn't "personal information" at all, because on its own it doesn't identify a specific living individual. Collecting and using cookies for your own purposes usually doesn't require consent.
So where's the catch? Japan built its cookie rule around a different pressure point: the moment you hand cookie-based data to a third party who can link it to a real person. That's the personally-referable-information rule, and it's the thing to understand. This guide covers how APPI actually treats cookies today, the third-party-sharing consent boundary, who enforces it, cross-border transfers, and the amendment that's coming.
Personally Referable Information: The Key Concept
The 2020 amendment to the APPI (in force since 1 April 2022) created a category called personally referable information (kojin kanren joho). It covers data that relates to a person but isn't personal data in the provider's hands: cookie IDs, advertising identifiers, browsing history, and similar signals that can't identify someone on their own but could once combined with other information.
The operative rule sits in Article 31 of the current APPI. When a business provides personally referable information to a third party, and the provider anticipates that the third party will acquire it as personal data (that is, will link it to an identifiable individual on their end), the providing business must confirm that the third party has obtained the individual's consent for that acquisition. In plain terms: you can't offload cookie data to a partner who'll de-anonymise it unless that partner has the person's consent, and you have to check.
This is aimed squarely at ad-tech data sharing and cookie syncing. It's a narrower trigger than the GDPR's blanket opt-in, but it's a real obligation, and it's where Japanese cookie compliance actually bites.
What This Means for a Cookie Banner
Because first-party cookie use often falls outside the consent requirement, Japan's statutory floor is closer to a notice-and-transparency model than a European opt-in gate. The core obligations under the APPI are to specify and disclose your purpose of use, handle the data appropriately, and honour the third-party-sharing rules.
But there are two reasons most Japan-facing businesses still run a consent-style banner. First, the personally-referable-information rule means any tracker that shares data with third parties for advertising needs a consent mechanism to be defensible. Second, the practical guidance from Japan's regulator has trended toward clearer opt-in for tracking that feeds third parties. So the honest position is: Japan doesn't require blanket opt-in the way the GDPR does, but if your trackers share data with ad partners, you need consent at that boundary, and running opt-in is the clean way to guarantee it.
Who Enforces It
The regulator is the Personal Information Protection Commission (PPC), Japan's independent data protection authority. It issues guidelines, investigates, and can order businesses to fix violations. Its English-language resources, including the APPI text and guidance, are at the PPC's official site.
One structural note that's changing: the current APPI relies mainly on corrective orders rather than large direct administrative fines, with penalties following only if you ignore an order. That's a softer enforcement posture than the GDPR or Korea's PIPA, and it's one of the things the pending amendment aims to strengthen.
Cross-Border Transfers
If your trackers send Japanese users' data offshore, the APPI's cross-border rules apply. In general you need the individual's consent for the transfer, or the recipient must be in a country the PPC recognises as having an equivalent standard (the EU and UK qualify under mutual arrangements), or the recipient must have equivalent safeguards in place. When you rely on consent, you have to inform the person about the destination country and the receiving environment, so a bare "we may transfer your data abroad" line isn't enough.
What's Coming: The APPI Amendment
Japan reviews the APPI roughly every three years, and the PPC has been consulting on the next round. Its interim proposals point toward a meaningfully tougher regime, including:
- Administrative monetary fines and emergency corrective orders, moving away from the order-first, penalty-later model.
- Tighter rules on personally referable information and third-party provision.
- Stronger protections for children's data.
A draft bill was expected to be published around 2025, with commentary estimating it could take effect around 2027. As of mid-2026, the timing and final content aren't settled, so treat the effective date as unconfirmed and watch the PPC. A useful English overview of the proposals is available from the IAPP. The direction of travel is clear even if the date isn't: Japan is tightening, not loosening.
A Practical Setup for Japanese Traffic
- Disclose your purpose of use clearly, in Japanese, which is the APPI's baseline transparency obligation.
- Gate third-party sharing behind consent. Any tracker that provides data to an ad partner who can identify the user needs consent at that point, and you need to confirm the partner has it.
- Handle transfers properly. Name the destination country when you rely on consent for offshore transfers.
- Log decisions. Keep timestamped records of consent, especially for third-party provision, since that's where you may need to prove it.
- Plan for the amendment. Choose tooling that can tighten from notice to full opt-in without a rebuild, because monetary fines are on the way.
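The gate, transfer and logging steps above in one place, as an added example (not CookieBeam's code or API). The tracker inventory, consent fields and reason strings are hypothetical, and treating `JP` as the only onshore destination is an assumption of the example.

```javascript
// Added example. All names are hypothetical; this is not CookieBeam's API.
const consentLog = []; // stand-in for append-only, server-side storage

// Constructed tracker inventory for a Japan-facing site.
const TRACKERS = {
  analytics: { purpose: "site analytics", partnerCanIdentify: false },
  adSync: { purpose: "ad targeting", partner: "ExampleAds",
            partnerCanIdentify: true, destinationCountry: "US" },
};

// Returns the reason a tracker must stay blocked, or null if it may load.
function blockReason(tracker, consent) {
  if (!tracker.partnerCanIdentify) return null; // outside the third-party boundary
  if (!consent.thirdPartyProvision) return "no-third-party-consent";
  if (!consent.confirmedPartners.includes(tracker.partner))
    return "partner-consent-unconfirmed";
  const offshore = tracker.destinationCountry !== "JP"; // assumption: JP = onshore
  if (offshore && !consent.disclosedCountries.includes(tracker.destinationCountry))
    return "destination-country-not-disclosed";
  return null;
}

// Decide, then log the decision with a timestamp and purpose.
function gate(name, consent, now = new Date()) {
  const tracker = TRACKERS[name];
  const reason = blockReason(tracker, consent);
  const record = {
    ts: now.toISOString(), tracker: name, purpose: tracker.purpose,
    partner: tracker.partner ?? null, allowed: reason === null, reason,
  };
  consentLog.push(record);
  return record;
}

// Constructed consent states: no choice yet, consent without a named
// destination country, and consent that names the destination.
const noChoiceYet = { thirdPartyProvision: false, confirmedPartners: [], disclosedCountries: [] };
const vagueTransfer = { thirdPartyProvision: true, confirmedPartners: ["ExampleAds"], disclosedCountries: [] };
const fullConsent = { ...vagueTransfer, disclosedCountries: ["US"] };

for (const c of [noChoiceYet, vagueTransfer, fullConsent])
  console.log(gate("analytics", c).allowed, gate("adSync", c).reason);
```

Blocked decisions are logged as well as allowed ones, so the record shows the third-party tag stayed off until the consent state covered both the partner and the destination country.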
How CookieBeam Handles Japan
CookieBeam ships an APPI framework preset for Japan. It defaults to opt-in, which is a deliberately conservative setting. Being straight about it: Japan's current law doesn't force blanket opt-in for first-party cookies, so the preset sits above the strict statutory floor. That's on purpose. Opt-in cleanly satisfies the personally-referable-information consent boundary, it matches where the pending amendment is heading, and it means you don't have to re-architect when fines arrive. If you want to track the statutory minimum more precisely, you can configure a lighter notice model for Japan instead.
Through the regional consent engine, a visitor in Japan gets the Japanese behaviour and language while other regions get their own, from one banner. Every decision is logged with a timestamp and purpose, which is the evidence you'd want for a third-party-provision consent. Verify the current PPC guidance and the amendment's status before you finalise; this guide reflects mid-2026.
Related Guides
For the third-party-sharing boundary in general, see first-party vs third-party cookies. For neighbouring Asian regimes, read our South Korea PIPA guide and China PIPL guide. For the EU contrast, see the GDPR cookie compliance checklist. For serving different rules per country, read regional consent for global sites.