Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Japan 日本国 / Nihon-koku

Japan — analytics & cookie compliance reference

What you can run on a Japan-targeted website without a PPC recommendation — GA4, cookies, vendor stack, and the rules behind them. APPI + Telecommunications Business Act 2023 cookie rule · Japanese-language disclosure expected.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Japan. Disclosure must be in Japanese for sites with a Japanese-language UI or .jp targeting. Sectoral rules (financial, telecom, healthcare) are touched only where they intersect with the analytics layer.

National addons

Country-specific statutes layered on the EU baseline.

APPI
Act on the Protection of Personal Information
Standalone Japanese omnibus data-protection statute. Governs personal-information handling by businesses (PIHBs) targeting residents of Japan, including foreign businesses under Art 75 (extraterritorial reach since 2017 amendment).
  • Art 17 Specification + restriction of utilization purpose — must be disclosed at collection
  • Art 21 Notice of utilization purpose at acquisition (or public disclosure in privacy notice)
  • Art 27 Third-party provision — opt-in consent or opt-out with PPC notification
  • Art 28 Cross-border transfer — opt-in consent OR adequacy OR equivalent-safeguards contract
  • Art 75 Extraterritorial application to foreign businesses targeting Japan residents
Act No. 57 of 2003; major amendments 2017 (extraterritorial scope + foreign-transfer rules), 2020 (in force 1 Apr 2022 — direct fines + breach notice + pseudonymized info category), 2022 reform (¥100M corporate cap), 2024 triennial review still pending.
APPI Enforcement Rules
Cabinet Order + PPC Enforcement Rules + PPC Guidelines
Operational detail for APPI — defines pseudonymized information, anonymized information, sensitive personal information categories, breach-notification triggers (within 3-5 days for serious incidents), foreign-transfer adequacy list maintenance, and child-consent guidance (under 15).
  • Rules Art 7 Breach notification — preliminary report 3-5 days, final 30-60 days
  • Guidelines §3-1-5 Children below 15 — guardian consent expected for sensitive uses
  • Guidelines (Foreign Transfers) §5-2 Adequate countries — EU/EEA + UK; equivalent-safeguards contract template
Cabinet Order No. 507 of 2003 (latest amendment 2022); PPC Enforcement Rules (Rules of the PPC No. 3 of 2016, multiple amendments); PPC General Guidelines + Guidelines on Foreign Transfers + Q&A.
TBA 2023 — External Transmission Rule
Telecommunications Business Act, Article 27-12 (Gaibu-Sōshin Kitei)
Notification rule for any web service that transmits user-terminal information (cookies, device IDs, ad IDs, browser fingerprint signals) to external third parties. Applies to telecom-business-defined operators including most websites with login/messaging/search/news features. Notification (publish, prior consent, or opt-out) must list each external recipient + purpose.
  • Art 27-12 External transmission — operator must notify users of recipient + items + purpose before transmission occurs
  • MIC Guidelines §3 Three lawful methods — publication in privacy notice, prior consent, or opt-out — operator chooses
  • MIC Guidelines §4 Exemptions — strictly-necessary cookies (auth, cart, security) are out of scope
Act No. 86 of 1984, amended Jun 2022, in force 16 Jun 2023. MIC Ministerial Order + Guidelines (May 2023).
MIC Telecom Privacy Guidelines
Ministry of Internal Affairs and Communications — Guidelines on the Protection of Personal Information in the Telecommunications Business
Sector-specific guidelines for telecom operators (and quasi-telecom services such as search, messaging, content delivery). Layers on top of APPI + TBA Art 27-12. MIC retains supervisory authority over telecom operators in parallel with PPC's general APPI authority.
  • §5 Web tracking — alignment with TBA Art 27-12 notification model
  • §7 Location data — heightened consent expectation
MIC Notification No. 152 of 2022 (in force together with the External Transmission Rule, 16 Jun 2023).

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
PPC · Personal Information Protection Commission (個人情報保護委員会)
Single national authority for APPI across all sectors (private + public since 1 Apr 2022 unification). Issues guidelines, conducts on-site inspections, issues recommendations and orders, and (since 2022 amendment) administrative fines up to ¥100M.

Coordination body

PPC ↔ MIC · Personal Information Protection Commission ↔ Ministry of Internal Affairs and Communications
Japan has no prefectural DPAs for the private sector — PPC is the single APPI regulator. However, MIC retains separate authority over the Telecommunications Business Act (including the 2023 External Transmission Rule on cookies) for telecom-business operators. The two regulators coordinate but issue independent guidance. Web operators frequently fall under both.
  • 2023-06-16 · External Transmission Rule — MIC and PPC publish coordinated FAQ on TBA Art 27-12 — clarifies that the rule sits alongside APPI consent rules, not in place of them. Sites must satisfy both regimes when cookies carry personal information.
  • 2023-04-01 · LINE / Yahoo cross-border supervision — PPC reaffirms that 2017 + 2020 APPI amendments cover LINE Corp's cross-border data handling. Joint MIC-PPC supervision of integrated LY Corp continues.
  • 2024-06 · Generative AI + APPI — PPC publishes guidance on training-data scraping under APPI Art 18 (purpose limitation) and Art 20 (sensitive data). Cross-references MIC AI guidelines.

Notable enforcement

Japan's enforcement model is structurally different from the EU. PPC operates a graduated ladder — guidance → administrative recommendation (kankoku) → administrative order (meirei) → criminal prosecution. Fines are not directly imposed by PPC on a discretionary basis as in GDPR Art 83; instead, PPC issues an order, and only failure to comply with the order is criminally punishable (historically: imprisonment up to 1 year or fine up to ¥1M for individuals; up to ¥100M for corporations after the 2022 amendment raised the corporate cap). The 2020 APPI amendment (in force 1 Apr 2022) added direct administrative fines for procedural breaches (e.g., failure to notify breaches) but the PPC remains conservative in headline-monetary terms compared to EU DPAs. Enforcement signal therefore reads through recommendations and orders, not fine totals.

GA4 status

GA4 is usable in Japan with reasonable care: the privacy notice must specify the utilization purpose (APPI Art 17/21), Google must be disclosed as an external transmission recipient under TBA Art 27-12 with items + purpose listed, and US transfer must rest on opt-in consent or the equivalent-safeguards route under APPI Art 28. PPC is pragmatic on Google compared to EU regulators — there is no Japanese equivalent of the Austrian/Italian/French GA4 decisions. Japanese-language disclosure is expected for Japan-targeted sites.

DPA · Stance
  • PPC · Pragmatic — accepts GA4 with proper purpose specification + foreign-transfer consent route. No headline action against GA4 to date.
  • MIC · Telecom-track — focused on TBA Art 27-12 disclosure quality. Cookie-banner notification format must clearly identify Google as external recipient.

Cross-border transfers + Schrems II

Japan operates a closed-list adequacy regime under APPI Art 28. PPC-recognized adequate jurisdictions include the EU/EEA (mutual adequacy in force 23 Jan 2019) and the UK (added 31 Jan 2023). Transfers to all other countries — including the US — require either (a) opt-in consent specifically referencing the foreign-transfer purpose, or (b) a contract or BCR-style scheme establishing equivalent safeguards (PPC Guidelines on Foreign Transfers §5). Since 1 Apr 2022 the operator must additionally provide the data subject with information about the destination country's data-protection regime when relying on the safeguards route.

PPC publishes a non-binding model contract template for the equivalent-safeguards route (PPC Guidelines on Foreign Transfers, Appendix). Many Japanese-business GA4 deployments rely on the consent route plus Google's DPF certification (recognized in practice as part of the controller's accountability story, but not as a substitute for APPI Art 28 consent or contract).

Employee data

Key thresholds

  • Child consent age · 15 years
  • Article 27 representative · Required
  • Marketing consent · Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
  • GREEN · Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
  • GREEN · Self-hosted on your infrastructure. Full data control, configurable IP anonymization. Meets every jurisdiction with cookieless config.
  • GREEN · EU-hosted with cookieless mode available. With cookies disabled, qualifies for the §25(2) exception in Germany.
  • GREEN · German-hosted, cookieless, GDPR-aligned by design.
  • GREEN · EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
  • GREEN · Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
  • YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
  • YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
  • YELLOW · Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves it to green.
  • YELLOW · EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
  • YELLOW · EU cloud helps, but session recording + autocapture default to PII collection. Disable autocapture and recordings, or self-host, for green.
  • RED · Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
  • GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
  • GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  • GREEN · Open-source, self-hosted. No managed updates — site owner maintains vendor list.
  • GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
  • GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
  • YELLOW · Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
  • RED · Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
  • RED · Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
  • RED · Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
  • RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
  • RED · Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem.
  • RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
  • GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  • GREEN · EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  • YELLOW · "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.
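As an added example (not code from this page, nor from any vendor listed in it): the tag-manager and server-side rows above both come down to one question, which tags may fire before and after consent, and the TBA Art 27-12 rule above requires the same inventory of external recipients to appear in the notice. The block below keeps a single registry of external transmissions and derives both the disclosure list (recipient, items, purpose) and the consent gate from it, with every Consent Mode v2 signal defaulting to denied. The vendor names, items, purposes and destinations in the registry are constructed; the four consent-signal names are Google's Consent Mode v2 parameters; the mapping of signals to tag categories and the treatment of "JP" as domestic handling are this example's own assumptions.

```javascript
// Added example: one registry of external transmissions drives both the
// TBA Art 27-12 disclosure list and consent-gated tag firing. Runs under Node
// with no browser APIs; nothing here is a vendor's own code.

// Closed adequacy list as stated on the page (APPI Art 28): EU/EEA + UK.
const ADEQUATE_DESTINATIONS = new Set(["EU", "EEA", "UK"]);

// Constructed registry (illustrative values, not a real site's stack).
// category "necessary" = strictly-necessary, out of scope per MIC Guidelines §4.
const TRANSMISSIONS = [
  { id: "session", recipient: null, category: "necessary",
    items: ["session cookie"], purpose: "login, cart and security", destination: "JP" },
  { id: "ga4", recipient: "Google LLC", category: "analytics",
    items: ["_ga cookie", "client ID", "page URL", "truncated IP address"],
    purpose: "site usage measurement", destination: "US" },
  { id: "ads_pixel", recipient: "ExampleAds Inc. (hypothetical)", category: "ads",
    items: ["advertising ID", "page URL"], purpose: "conversion measurement",
    destination: "US" },
];

// Consent Mode v2 signal names are Google's; mapping them to our two
// non-exempt categories is this example's assumption.
const CATEGORY_SIGNALS = {
  analytics: ["analytics_storage"],
  ads: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Reject-all baseline: every signal denied until the user acts.
function defaultConsent() {
  return { ad_storage: "denied", analytics_storage: "denied",
           ad_user_data: "denied", ad_personalization: "denied" };
}

// Turn the user's per-category choices into the update map you would pass to
// gtag('consent', 'update', ...). Categories the user did not accept stay denied.
function consentFromChoices(choices) {
  const state = defaultConsent();
  for (const [category, signals] of Object.entries(CATEGORY_SIGNALS)) {
    if (choices[category] === true) for (const s of signals) state[s] = "granted";
  }
  return state;
}

// A tag may fire only if it is strictly necessary, or every signal of its
// category is granted. Unknown categories never fire (fail closed).
function mayFire(entry, consent) {
  if (entry.category === "necessary") return true;
  const signals = CATEGORY_SIGNALS[entry.category];
  if (!signals) return false;
  return signals.every((s) => consent[s] === "granted");
}

function allowedTagIds(registry, consent) {
  return registry.filter((e) => mayFire(e, consent)).map((e) => e.id);
}

// APPI Art 28: a transfer to a destination outside the adequacy list needs
// opt-in consent or the equivalent-safeguards contract route. "JP" is treated
// as domestic handling (assumption about how the registry is coded).
function needsTransferBasis(entry) {
  return entry.recipient !== null && entry.destination !== "JP" &&
         !ADEQUATE_DESTINATIONS.has(entry.destination);
}

// TBA Art 27-12 notice content: recipient + items + purpose for each external
// transmission. Strictly-necessary and purely first-party entries are omitted.
function disclosureList(registry) {
  return registry
    .filter((e) => e.recipient !== null && e.category !== "necessary")
    .map((e) => ({
      recipient: e.recipient,
      items: e.items.slice(),
      purpose: e.purpose,
      destination: e.destination,
      transferBasisRequired: needsTransferBasis(e),
    }));
}

// Stand-alone run: show the notice rows and what fires at each consent state.
console.log(disclosureList(TRANSMISSIONS));
console.log("before consent:", allowedTagIds(TRANSMISSIONS, defaultConsent()));
console.log("analytics only:", allowedTagIds(TRANSMISSIONS, consentFromChoices({ analytics: true })));
```

Keeping the registry as the single source of truth means the notice and the gate cannot drift apart: a recipient added to the privacy notice but not to the registry, or the reverse, shows up as a mismatch in review. Moving a tag behind a first-party or EU-hosted server does not change its registry entry; a transmission to Google is still an external transmission whether it leaves the browser or a server, which is the point the two server-side rows above make.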


Common questions

Is Google Analytics legal in Japan in 2026?
Yes, with reasonable care. Japan has no GA4-specific ban. PPC takes a pragmatic stance — GA4 is usable when (a) the privacy notice in Japanese specifies the utilization purpose under APPI Art 17/21, (b) Google is disclosed as an external transmission recipient under TBA Art 27-12 with items + purpose listed, and (c) US transfer rests on opt-in consent or the equivalent-safeguards route under APPI Art 28.
How is APPI different from GDPR?
APPI is a standalone Japanese statute, not a GDPR transposition. Key differences: (1) No formal lawful-basis taxonomy — the operating concept is purpose specification + notice rather than Art 6 grounds. (2) Enforcement is a graduated ladder (guidance → recommendation → order → prosecution) with direct fines added only by the 2022 amendment. (3) DPO is not mandatory at any headcount threshold. (4) Cross-border transfers use a closed-list adequacy regime (EU + UK only) plus consent or equivalent-safeguards contract. (5) Child-consent age is 15, with guardian consent expected below.
Do I need a Japanese DPO?
No — APPI does not impose a GDPR-style mandatory DPO threshold. PPC Guidelines recommend appointing a personal-information-protection manager (kojin jouhou hogo kanrisha) but this is a soft expectation, not a statutory headcount trigger. Many large Japanese employers appoint one as a matter of governance practice.
Does APPI apply to my non-Japanese business?
Yes if you offer goods or services to data subjects in Japan or process their personal information in connection with such offering. APPI Art 75 (extraterritorial scope, in force since the 2017 amendment) catches foreign businesses targeting Japan residents — including websites with Japanese-language UI, JPY pricing, .jp domain, or Japan-targeted advertising.
What does the 2023 Telecommunications Business Act cookie rule require?
TBA Art 27-12 (External Transmission Rule, in force 16 Jun 2023) requires telecom-business operators — including most websites with login, messaging, search, content-delivery features — to notify users of any external transmission of terminal information (cookies, device IDs, browser fingerprints, ad IDs). Operators choose one of three methods: publication in the privacy notice, prior consent, or opt-out. The notice must list each external recipient, the items transmitted, and the purpose. Strictly-necessary cookies (auth, cart, security) are exempt.
What is the child-consent age in Japan?
PPC Guidelines indicate that for children below approximately 15 years old, consent should generally be obtained from a parent or guardian when sensitive uses are involved. There is no statutory age fixed in APPI itself — the 15 threshold is a PPC interpretive position, lower than GDPR's 16 (or 13–16 by member-state choice) but consistent with Japanese civil-law minor-protection norms.
Are there direct PPC fines like GDPR Art 83?
Partially since the 2022 amendment. Historically, PPC operated only the graduated ladder (guidance → recommendation → order → prosecution); fines arrived only via prosecution for non-compliance with an order. The 2020 APPI amendment (in force 1 Apr 2022) added direct administrative fines and raised the corporate cap to ¥100M (approximately €620K at 2026 rates). PPC is conservative in headline-monetary terms compared to EU DPAs — the signal usually arrives via recommendation or order, not fine totals.
Do I need a Japan representative?
Yes if you are a foreign business subject to APPI Art 75 (offering goods/services to Japan residents). The 2020 amendment introduced an obligation to designate a representative in Japan, similar in concept to GDPR Art 27. Failure to designate is itself a basis for PPC supervisory action.
What's the difference between 'anonymized' and 'pseudonymized' information under APPI?
APPI distinguishes two technical-de-identification categories: anonymized information (匿名加工情報, tokumei kakō jōhō, since 2017) — irreversibly de-identified data that falls partly outside APPI obligations and can be shared more freely. Pseudonymized information (仮名加工情報, kamei kakō jōhō, added by the 2020 amendment, in force 2022) — reversible de-identification that retains internal-analytics value while reducing certain APPI duties (no breach-notification duty internally, no individual-rights handling) provided the linkage key is segregated. Web-analytics deployments rarely qualify for either category by default — both require formal de-identification procedures and documented controls.
What language must my privacy notice be in?
Japanese for sites with a Japanese-language UI, .jp domain, JPY pricing, or other Japan-targeting signals. PPC and MIC Guidelines presume Japanese-language disclosure; English-only is treated as insufficient notice. The TBA Art 27-12 external-transmission notification specifically must be in a form a Japanese-resident user can readily understand — in practice a Japanese disclosure layer alongside any English version.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Japan's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.