APPI Compliance Guide (Japan)
ℹ️Compliance group:
opt-in — opt-in for sensitive data and cross-border transfers; opt-out for general third-party sharing. Use compliance: { type: 'opt-in' } in your ConsentiSetup config.Japan's Act on the Protection of Personal Information (APPI) was significantly revised in 2022 (enforced from April 2022) and is administered by the Personal Information Protection Commission (PPC). Unlike GDPR, APPI uses a mixed model: opt-in for sensitive data and cross-border transfers to foreign companies without adequate protection, but opt-out is permitted for certain third-party sharing of general data. Consenti supports APPI via regulation: 'appi'.
⚠️Consenti provides Partial coverage for APPI. The opt-in consent widget covers sensitive data and foreign transfer scenarios. The opt-out third-party sharing model (for general personal information under Art. 27) differs from a standard consent banner and requires additional implementation on your site.
Official references
Consent model breakdown
| Scenario | Required model |
|---|---|
| Sensitive personal information (health, race, religion, criminal record, disability, etc.) | Opt-in consent (Art. 20) |
| Third-party transfer to foreign entity without adequate protection | Opt-in consent (Art. 28) |
| Third-party transfer of general personal information (domestic) | Opt-out permitted — notify and allow objection (Art. 27) |
| Analytics / functional cookies (non-sensitive) | Consent recommended; legitimate interest available |
Key requirements
| Requirement | Detail |
|---|---|
| Purpose notification | Must notify data subjects of the purpose of use before or at the time of collection |
| Sensitive data | Explicit opt-in required (Art. 20) |
| Third-party transfer | Consent required unless within same enterprise group or an exception applies |
| Overseas transfer | Opt-in if destination country lacks adequate protection; provide information on protection level |
| Access and correction | Data subjects may request disclosure, correction, and deletion |
| Records | Controllers must maintain records of third-party provisions and receipts |
| Enforcer | Personal Information Protection Commission (PPC) |
Enabling APPI mode
Frontend widget
ts
new ConsentiSetup({
core: {
regulation: 'appi',
},
})In APPI mode, Consenti renders an opt-in banner for cookies classified as sensitive or involving overseas data transfer. Cookies without sensitive classification receive a lightweight notice with an opt-out link (the Art. 27 opt-out model).
Profile configuration
json
{
"regulation": "appi",
"appi": {
"businessName": "株式会社アクメ",
"purposeUrl": "https://yoursite.jp/privacy",
"overseasTransfer": true
}
}ℹ️Set
appi.overseasTransfer: true if any of your vendors (analytics, ads, CDN) store data outside Japan. This triggers the opt-in flow for those cookies even if they are not classified as sensitive.Erasure
http
DELETE /consenti/api/v1/consent/:visitorId