Japan's Cookie Regulation Framework
Two laws primarily govern cookie use in Japan:
| Law | Key Rule | Effective Date |
|---|---|---|
| Telecom Business Act (amended) | External transmission rules for user information | June 16, 2023 |
| APPI | Personally-related information third-party provision rules | April 1, 2022 |
Telecom Business Act: External Transmission Rules
Who is covered: Operators of digital services (websites, apps) that transmit user device information (cookies, local storage) to third parties via tracking tags (Google Analytics, Meta Pixel, ad tags, etc.).
Obligations — operators must do at least one of: 1. Notify/publish: Disclose what information is sent, to whom, and for what purpose on the website 2. Obtain consent: Get user consent instead of notification 3. Provide opt-out: Allow users to stop external transmission
Practical approach: Publication in the Privacy Policy (with specific disclosure of each tracking tool) is the standard approach.
APPI: Personally-Related Information Rules
Cookie IDs, IP addresses, and browsing histories qualify as personally-related information (Article 26-2). Providing such information to a third party that will link it to personal data requires prior individual consent (Article 31).
This primarily affects retargeting advertising — publishers must confirm whether ad networks will link cookie data to personal records, and obtain consent if so.
Consent Banner (CMP) Implementation
- For notification-only approach: Display a banner linking to the Privacy Policy
- For consent-based approach: Implement accept/reject buttons, defaulting to off
- For GDPR compliance (EU users): Use a CMP platform (OneTrust, Cookiebot, etc.) that meets GDPR consent requirements
Summary
Japanese cookie compliance requires addressing both the Telecom Business Act external transmission rules and the APPI personally-related information provisions. At minimum, update your Privacy Policy with specific disclosures for each tracking tool; for EU-facing services, implement a full CMP solution.