APPI Compliance

Personal Information (個人情報)

Under APPI, "personal information" is information about a living individual that can identify the specific individual, including:

• •Information containing name, date of birth, or other descriptors
• •Individual identification codes (e.g., passport numbers, driver's license numbers, My Number)
• •Biometric data that can identify an individual (fingerprints, facial recognition, voiceprints)

For Cookies: Cookie identifiers linked to other data that can identify an individual qualify as personal information. Most analytics and marketing cookies fall under this definition when they create user profiles.

Personal Data (個人データ)

"Personal data" is personal information that is part of an organized database. This is a subset of personal information subject to stricter requirements regarding:

• •Data security
• •Disclosure to third parties
• •Individual access rights

Sensitive Personal Information (要配慮個人情報)

APPI specifically protects "sensitive personal information" which includes:

• •Race, creed, social status
• •Medical history, disability status, health checkup results
• •Criminal record or fact of being a crime victim
• •Information deemed to unjustly discriminate against or prejudice the individual

Sensitive personal information requires special handling and cannot be obtained without opt-in consent (except in specific circumstances defined by law).

1. Purpose Specification and Limitation

Business operators must:

• •Specify the purpose of use of personal information as concretely as possible
• •Publicly announce or notify individuals of the purpose when acquiring personal information
• •Not use personal information beyond the specified purpose without consent

For Cookies: You must clearly state WHY you're using cookies (e.g., "to analyze website traffic," "to deliver targeted advertising") before placing them.

2. Proper Acquisition

Business operators must:

• •Not acquire personal information through deception or fraudulent means
• •Not acquire sensitive personal information without opt-in consent (with specific exceptions)
• •Obtain consent from a parental authority when acquiring personal information of minors under 16 for certain purposes

3. Security Management

Business operators must take necessary and appropriate measures to:

• •Prevent leakage, loss, or damage of personal data
• •Safely manage personal data
• •Supervise employees who handle personal data
• •Supervise contractors who process personal data on their behalf

This includes implementing organizational, personnel, physical, and technical security measures appropriate to the risk.

4. Accuracy of Data

Business operators must endeavor to keep personal data accurate and up-to-date within the scope necessary for achieving the purpose of use.

5. Transparency and Publication of Privacy Policy

Business operators must make the following information publicly available:

• •Name of the business operator
• •Purposes of use of personal information
• •Procedures for individual rights requests (disclosure, correction, suspension of use)
• •Contact information for complaints

This is typically done through a privacy policy accessible from your website.

6. Restrictions on Third-Party Provision

Personal data cannot be provided to third parties without the individual's opt-in consent, UNLESS:

• •Based on laws and regulations
• •Necessary for protecting life, body, or property when obtaining consent is difficult
• •Necessary for improving public health or promoting sound child-rearing when obtaining consent is difficult
• •Necessary for cooperating with national or local government agencies when obtaining consent might impede such cooperation
• •Using the opt-out procedure (see below)

Opt-Out Provision to Third Parties

The 2020 amendments restricted the opt-out procedure. You can provide personal data to third parties with an opt-out mechanism ONLY if:

• •You publicly announce specific items beforehand
• •You notify or make easily accessible to individuals specific information
• •The data is NOT "personal data requiring special care" (sensitive data)
• •The data was NOT obtained from another party using opt-out

Important: Third-party sharing of cookie data typically requires opt-in consent, especially for advertising and analytics platforms.

7. Cross-Border Data Transfer Restrictions

The 2020 amendments introduced new requirements for transferring personal data outside Japan. You must obtain opt-in consent UNLESS:

• •The foreign country has been designated by the Personal Information Protection Commission (PPC) as having an equivalent level of protection (currently only the EU/EEA and UK)
• •The recipient has established an appropriate system recognized by the PPC (e.g., through Privacy Shield successor frameworks, Standard Contractual Clauses, Binding Corporate Rules)
• •One of the statutory exceptions applies

For Cookies: If you use third-party services (Google Analytics, Facebook Pixel, etc.) that transfer data to servers outside Japan, you need to comply with cross-border transfer rules.

8. Individual Rights

Individuals have the right to request:

• •Disclosure: Disclosure of their personal data, purposes of use, recipients of third-party provisions
• •Correction: Correction, addition, or deletion of inaccurate personal data
• •Suspension of Use: Suspension of use or erasure if personal data is being used beyond the specified purpose or was improperly acquired
• •Suspension of Third-Party Provision: Cessation of providing personal data to third parties

2020 Amendment Enhancement: Individuals can now request suspension of use or deletion not only for improper use but also when they believe the data is no longer necessary.

9. Handling of Anonymously Processed Information

The 2015 amendments introduced rules for "anonymously processed information" (匿名加工情報) - data processed to prevent identification of individuals. If properly anonymized, this data can be used more freely for analysis and sharing.

Requirements for creating and using anonymously processed information include:

• •Following PPC rules and standards for anonymization
• •Implementing safety control measures
• •Publicly announcing the items of information included
• •Not attempting to re-identify individuals

10. Record Keeping for Third-Party Transactions

When providing personal data to or receiving it from third parties, business operators must create and retain records including:

• •Date of provision/receipt
• •Name of third party
• •Items of personal data
• •Means of acquisition (when receiving from third parties)

PPC Guidance on Cookies

According to PPC guidance:

• •Cookie identifiers alone may not constitute personal information, BUT when combined with other data that identifies individuals, they become personal information
• •Most analytics and behavioral tracking cookies qualify as personal information because they create identifiable user profiles
• •Consent requirements depend on how cookies are used and what data is collected

When Do You Need Consent for Cookies?

Third-Party Cookie Sharing

When cookies result in sharing personal data with third parties (analytics providers, ad networks), you must:

• •Obtain opt-in consent for the third-party provision
• •Clearly disclose which third parties will receive data
• •Comply with cross-border transfer rules if data goes outside Japan
• •Maintain records of third-party data sharing

Purpose Specification and Limitation

• ✓Clear Purpose Disclosure: Each cookie category clearly explains its purpose
• ✓Granular Categories: Separate categories for Necessary, Functional, Analytics, and Marketing cookies
• ✓Purpose-Based Blocking: Scripts are blocked until consent for their specific purpose is obtained

Proper Acquisition and Consent

• ✓Opt-In Consent: Users must actively consent to non-essential cookies
• ✓No Pre-Checked Boxes: All non-essential categories are unchecked by default
• ✓Clear Affirmative Action: Users must click to consent (no implied consent through browsing)
• ✓Informed Consent: Users are informed of purposes before consent is requested

Transparency

• ✓Privacy Policy Link: Direct link from banner to detailed privacy policy
• ✓Clear Information: Banner explains what cookies are used and why
• ✓Third-Party Disclosure: Can document which third parties receive cookie data
• ✓Customizable Text: You can specify exact cookie usage for Japanese users (including in Japanese language)

Third-Party Provision Compliance

• ✓Opt-In for Third Parties: Analytics and marketing cookies (which share data with third parties) require active consent
• ✓Category-Based Control: Users can accept some third-party services while rejecting others
• ✓Consent Logging: Records of third-party data sharing consent are maintained

Individual Rights Support

• ✓Access to Consent History: Users can view their consent decisions
• ✓Easy Modification: Users can change preferences at any time (withdrawal of consent)
• ✓Data Export: Consent records can be exported for disclosure requests
• ✓Suspension of Use: Users can revoke consent, causing cookies to be deleted and scripts to be blocked

Security Management

• ✓Secure Storage: Consent data is securely stored with encryption
• ✓Access Controls: Only authorized users can access consent logs
• ✓Audit Trail: Complete logging of all data processing activities

What Constitutes a Reportable Breach?

You must report a breach to the Personal Information Protection Commission (PPC) if:

• •Leakage of personal data has occurred or is likely to occur; AND
• •The breach poses a risk of harm to individuals' rights and interests

Notification Requirements

• •Notify PPC: Report to the PPC without delay
• •Notify Affected Individuals: Notify individuals whose data was breached without delay
• •Public Announcement: In some cases, public announcement may be required

What to Include in Notification

• •Overview of the breach
• •Categories and approximate number of affected individuals
• •Types of personal data leaked
• •Cause of the breach
• •Secondary damage that has occurred or may occur
• •Measures taken or to be taken
• •Contact information for inquiries

Enforcement Powers

The PPC can:

• •Conduct investigations and on-site inspections
• •Issue guidance, recommendations, and orders
• •Impose administrative fines
• •Publicly announce violations
• •Refer cases for criminal prosecution

Administrative Fines (Introduced in 2020 Amendments)

The 2020 amendments introduced administrative monetary penalties for APPI violations:

• •For violations of orders: Up to ¥100 million (approximately $750,000 USD)
• •For violations of certain obligations: Up to ¥50 million

Factors considered when determining penalties:

• •Nature and severity of the violation
• •Number of individuals affected
• •Whether the violation was intentional or negligent
• •Size and resources of the business
• •Whether this is a repeat violation
• •Cooperation during investigation
• •Remedial measures taken

Criminal Penalties

In addition to administrative fines, certain APPI violations can result in criminal penalties:

• •Unlawful acquisition or provision of personal information for profit: Up to 1 year imprisonment or ¥500,000 fine (or both)
• •Database theft for profit: Up to 1 year imprisonment or ¥500,000 fine (or both)
• •False reporting to PPC: Up to ¥500,000 fine
• •Obstruction of PPC investigation: Up to ¥300,000 fine

Recent Enforcement Actions

• •LINE Corporation (2021): Administrative guidance for inadequate oversight of third-party access to user data and insufficient disclosure of cross-border data transfers to China and South Korea
• •Facebook Japan (2021): Guidance for inadequate notification about third-party data sharing and cross-border transfers
• •Rikunabi (2019): Administrative guidance for using web tracking to predict job applicants' likelihood of leaving companies without proper consent
• •Various Companies (2020-2023): Guidance and orders for inadequate cookie consent mechanisms and failure to properly disclose third-party data sharing

1. No Privacy Policy or Inadequate Disclosure

Mistake: Not having a privacy policy, or having one that doesn't adequately explain cookie usage, third-party sharing, or cross-border transfers.

Why It's Wrong: Violates APPI's transparency and publication requirements.

Solution: Create a comprehensive privacy policy that clearly describes all cookie types, purposes, third-party recipients, and cross-border transfers. Provide a Japanese-language version for Japanese users.

2. Collecting Personal Information Without Specifying Purpose

Mistake: Placing cookies and collecting data without clearly specifying and disclosing the purpose of use.

Why It's Wrong: Violates APPI's purpose specification requirement.

Solution: Before placing cookies, clearly specify and disclose the purpose (e.g., "to analyze website traffic and improve user experience," "to deliver targeted advertising").

3. Ignoring Cross-Border Transfer Rules

Mistake: Using third-party services (Google Analytics, Facebook, etc.) that transfer data outside Japan without obtaining consent or implementing appropriate safeguards.

Why It's Wrong: Violates APPI's cross-border transfer restrictions introduced in the 2020 amendments.

Solution: For each service that transfers data outside Japan, either obtain explicit opt-in consent OR verify that the service has appropriate data protection measures (SCCs, BCRs) and disclose this to users.

4. Third-Party Data Sharing Without Consent

Mistake: Sharing cookie data with third parties (analytics providers, ad networks) without obtaining opt-in consent.

Why It's Wrong: Violates APPI's restrictions on third-party provision of personal data.

Solution: Obtain explicit opt-in consent before sharing personal data with third parties. Clearly disclose which third parties will receive data and for what purposes.

5. No Record Keeping for Third-Party Transactions

Mistake: Not maintaining records of when and to whom personal data was provided.

Why It's Wrong: Violates APPI's record-keeping requirements for third-party data provision.

Solution: Maintain detailed records of all third-party data sharing, including dates, recipients, types of data, and legal basis for sharing.

6. Inadequate Security Measures

Mistake: Not implementing appropriate technical and organizational security measures to protect personal data collected through cookies.

Why It's Wrong: Violates APPI's security management obligation.

Solution: Implement comprehensive security measures including HTTPS encryption, access controls, employee training, vendor supervision, and incident response procedures.

7. Not Responding to Individual Rights Requests

Mistake: Ignoring or significantly delaying responses to requests for disclosure, correction, or suspension of use of personal data.

Why It's Wrong: Violates APPI's individual rights provisions.

Solution: Establish clear procedures for handling individual rights requests. Respond promptly (APPI expects response "without delay," typically interpreted as within 2-4 weeks).

8. Using Personal Information Beyond Specified Purpose

Mistake: Collecting cookies for one purpose (e.g., website analytics) but using the data for another purpose (e.g., targeted advertising) without obtaining new consent.

Why It's Wrong: Violates APPI's purpose limitation requirement.

Solution: Only use cookie data for disclosed purposes. If you want to use data for new purposes, specify the new purpose and obtain consent before doing so.

9. Retaining Data Indefinitely

Mistake: Keeping cookie data and personal information indefinitely without defined retention periods.

Why It's Wrong: Best practice under APPI is to delete data when it's no longer necessary for the specified purpose.

Solution: Set appropriate cookie expiration dates and retention periods. Regularly delete or anonymize data that's no longer needed for the stated purpose.