
Localizing for Japan's APPI:
Privacy Policy, Consent UI, and Data Handling Copy for Japanese Compliance

Japan's Act on the Protection of Personal Information (APPI / 個人情報保護法) has specific consent, disclosure, and data handling requirements that are distinct from GDPR — and the 2022 amendment extended those requirements to foreign companies with Japanese users. A translated GDPR policy is not APPI compliance. This article covers the localization decisions that make the difference.

Munehiro Hiraki
Japanese Localization QA Specialist
June 8, 2026 · 11 min read · Japanese Legal & Compliance UI
Quick Answers
Does Japan's APPI apply to foreign SaaS companies?
Yes. Since the 2022 APPI amendment, the law applies extraterritorially to foreign businesses that handle the personal information of individuals in Japan while supplying goods or services there.
How does APPI handle cookie consent compared to GDPR?
APPI does not require the same explicit prior opt-in for cookies that GDPR and the ePrivacy Directive demand. Under APPI, cookies are only personal information when they can identify a specific individual, so consent UI should follow APPI framing rather than copy a GDPR banner.
What is PrivacyMark and does it matter for enterprise sales?
PrivacyMark (プライバシーマーク) is a Japanese certification signalling APPI-compliant data handling. It functions as a trust signal that Japanese enterprise buyers look for during procurement and security review.

TL;DR

Japan's APPI is not a variant of GDPR. It uses different legal concepts, different required disclosure categories, different terminology for data controller identity, different rules for third-party sharing, and different approaches to cookie consent. The 2022 amendment brought foreign SaaS companies explicitly into scope. A GDPR-compliant privacy policy translated into Japanese satisfies neither the letter nor the spirit of APPI. The localization work here is legal-linguistic: translating the right concepts into the right Japanese terms, surfacing the right consent UI at the right points, and identifying the data controller correctly in Japanese. This article covers each of those layers.

Key Takeaways

  • APPI applies to foreign SaaS companies — the 2022 amendment extended extraterritorial application to foreign businesses that handle the personal information of individuals in Japan and that supply goods or services to people in Japan.
  • A translated GDPR privacy policy is not APPI compliance — the required disclosure categories (利用目的, 第三者提供, 開示等の請求), the legal framework for data controller identification (個人情報取扱事業者), and the terminology all differ from GDPR.
  • Cookie consent under APPI is structurally different from GDPR — APPI does not mandate the same prior explicit consent for non-essential cookies, but linked cookie data that identifies individuals is subject to APPI's personal information rules.
  • 委託 and 共同利用 are distinct legal relationships — both describe data sharing, but they carry different disclosure obligations and different liability structures under APPI.
  • PrivacyMark matters for Japanese enterprise sales — it is not obtainable directly by a foreign-headquartered company, but ISO 27001 certification and a GDPR compliance statement are meaningful substitutes if explained correctly in Japanese.

APPI vs GDPR: 5 Key Differences That Affect SaaS UI

The mistake most foreign SaaS teams make when preparing for Japan is treating APPI as a lighter version of GDPR — same concept, different language. It is not. APPI and GDPR share a common concern (protecting individuals' personal information) but they express it in different legal frameworks, use different consent models, define personal information differently in edge cases, and impose different disclosure obligations. The five differences that most directly affect SaaS UI and product copy are:

Legal basis for processing
  GDPR: Multiple lawful bases (consent, legitimate interests, contract, legal obligation, vital interests, public task)
  APPI (Japan): Consent or notification of purpose (利用目的の通知); the lawful-basis framework is less explicit, and purpose specification is the central mechanism

Cookie consent requirement
  GDPR: Prior explicit consent required for non-essential cookies (ePrivacy Directive + GDPR Article 7)
  APPI (Japan): No equivalent explicit prior consent mandate for cookies per se; personal information rules apply if cookie data is linked to an identified individual

Data controller identification
  GDPR: "Controller" with name, contact, and DPO where applicable
  APPI (Japan): 個人情報取扱事業者, with required disclosure of business name, address, and representative name

Third-party data sharing
  GDPR: Processor agreement for processors; disclosure of categories of recipients
  APPI (Japan): 第三者提供: prior consent or opt-out (オプトアウト) depending on category; 委託 (processor) and 共同利用 (joint use) are distinct named exceptions

Data subject rights
  GDPR: Access, rectification, erasure, portability, restriction, objection; broad and enforceable by individuals
  APPI (Japan): 開示等の請求: disclosure, correction, deletion, suspension of use; more procedurally formal, and organizations may charge a fee for disclosure requests

The practical consequence for product teams: the privacy policy structure, the consent UI trigger points, the data subject rights flow, and the third-party sharing disclosures all need to be redesigned for APPI — not just translated. A product whose privacy UI was built for GDPR will have gaps in each of these five areas when deployed to Japanese users.

The 2022 APPI Amendment: What Changed for Foreign Companies

Japan's APPI was significantly amended in 2022 (effective April 2022). For foreign SaaS companies, the most relevant change was the extraterritorial application provision. Under the amended law, APPI applies to foreign businesses that handle personal information of individuals in Japan in connection with the supply of goods or services to people in Japan. This brings a foreign SaaS product with Japanese users directly into APPI's scope, regardless of where the company is headquartered or where its servers are located.

The 2022 amendment also strengthened several provisions that affect product UI and privacy policy content: opt-out rights were extended — individuals in Japan can now opt out of having their data provided to third parties via opt-out procedures, and the opt-out mechanism must be disclosed in the privacy policy. Sensitive personal information (要配慮個人情報 — information about race, creed, social status, medical history, criminal record, and certain other categories) now requires explicit prior consent for collection and use, with no opt-out alternative. And the amendment introduced new rules around the provision of personal information to foreign third parties, requiring disclosure of the country of destination and an assessment of whether equivalent protection is in place.

For a foreign SaaS company collecting data from Japanese users and processing it on servers outside Japan, the last point is directly material. The privacy policy must now disclose that data is being transferred to a foreign country, the name of that country, and information about the data protection system in that country — or the basis on which the transfer is made (such as the user's consent). This is a disclosure gap that a GDPR-focused privacy policy almost never addresses explicitly for Japan.

2022: the year the APPI amendment took effect, extending extraterritorial application to foreign businesses serving Japanese users.
要配慮: the sensitive personal information category requiring explicit prior consent, with no opt-out alternative available.
PPC: Japan's Personal Information Protection Commission, the enforcement authority for APPI compliance.

Privacy Policy Translation: Legally Required Disclosures in Japanese

A Japanese APPI-compliant privacy policy (プライバシーポリシー or 個人情報保護方針) has a specific set of required disclosure sections. These are not optional headings to organize the document — they are the legal disclosure obligations under APPI, and their absence or mislabeling creates compliance gaps. The following sections are the minimum required disclosures:

  • 利用目的 (Purpose of use) — for each category of personal information collected, the specific purpose(s) for which it will be used. APPI requires that the purpose be specified as concretely as possible; vague purpose statements ("to improve our services") do not satisfy the specificity requirement.
  • 個人情報取扱事業者の名称等 (Data controller identification) — the business name, address, and name of the representative of the 個人情報取扱事業者 (personal information handling business operator). This is a required named disclosure, not an optional contact section.
  • 第三者提供 (Third-party provision) — the categories of third parties to whom personal information may be provided, the data categories provided, and the legal basis (prior consent, opt-out, or a named exception such as 委託 or 共同利用).
  • 開示等の請求 (Data subject requests) — the procedure and contact point by which individuals in Japan can make requests to disclose, correct, delete, or suspend the use of their personal information. APPI permits charging a fee for disclosure requests; if a fee applies, it must be disclosed.
  • 外国にある第三者への提供 (Provision to foreign third parties) — if personal information is transferred to processors or recipients outside Japan, the destination country, and whether equivalent data protection applies, must be disclosed.

Before (GDPR policy, translated into Japanese):
「データ管理者:Example Corp(英国登録)」
Uses GDPR "data controller" framing. Does not identify the 個人情報取扱事業者 with the required Japanese-law disclosures (address, representative name).

After (APPI-compliant Japanese disclosure):
「個人情報取扱事業者:Example Corp(住所:〒100-0001 東京都千代田区〇〇1-2-3、代表者:John Smith)」
Names the 個人情報取扱事業者 with business name, Japanese-format address, and representative name — the required APPI disclosure format.

Before (vague purpose, GDPR-style):
「サービス改善および分析目的のためにデータを使用することがあります」
APPI requires purpose to be stated "as concretely as possible." Vague statements like "service improvement" do not satisfy the specificity standard.

After (specific purpose, APPI convention):
「利用目的:(1)本サービスの提供および運営、(2)サポート対応、(3)新機能・サービスのご案内(メール配信)、(4)利用状況の集計・分析によるサービス改善」
Numbered, specific purposes. Each item is concrete enough that a user can understand what their data will actually be used for.

APPI's consent model is more nuanced than GDPR's opt-in mandate. Under APPI, the default requirement is to notify the user of the purpose of use (利用目的の通知) — this can be satisfied by publishing a privacy policy that is accessible to users, without requiring an active consent click for most data categories. Active opt-in consent (同意) is specifically required for: collection and use of sensitive personal information (要配慮個人情報), provision of personal information to foreign third parties where equivalent protection is uncertain, and situations where the purpose of use changes from what was originally disclosed.

For the majority of personal information that standard SaaS products collect — name, email, usage data, billing information — APPI requires purpose disclosure and a mechanism for users to make data subject requests, but does not require an active consent click at collection time in the way GDPR's Article 7 requires for consent-basis processing. This means a blanket "click to consent" flow applied to all data collection is GDPR-style over-engineering for Japan — not harmful, but not what the law requires, and potentially confusing to Japanese users who will read a mandatory consent gate as implying a higher level of risk than the law actually mandates.

Where consent UI does need to appear in Japanese products: before collecting any sensitive personal information (medical data, financial distress indicators, race or creed information); when changing the stated purpose of use for previously collected data; and before sending personal data to a foreign third party that is not covered by an adequacy determination, where the user's explicit consent to the transfer is the basis relied on.

Before (GDPR consent gate applied globally):
「本サービスを利用するには、個人情報の収集・利用に同意いただく必要があります。[同意する]」
Mandatory consent click before any service access. Legally over-engineered for Japan's standard data categories; implies a severity level the law doesn't require for basic service data.

After (APPI-appropriate notice + targeted consent):
「本サービスにご登録いただくことで、プライバシーポリシーに記載の利用目的に従い個人情報を取り扱います。[プライバシーポリシーを確認する]」
Notice-based acknowledgment for standard data. Reserves active consent UI for sensitive data categories and foreign transfers where APPI requires it explicitly.

The GDPR + ePrivacy Directive framework requires prior explicit consent for non-essential cookies — analytics cookies, advertising cookies, and functional cookies beyond what is strictly necessary for the service. This is what drives the cookie consent banners that now appear on almost every website with EU users. APPI does not have an equivalent explicit prior consent mandate for cookies.

Under APPI, a cookie is not personal information in itself unless it can be linked to an identified or identifiable individual. An anonymous session cookie is outside APPI's scope. However, if a cookie value is linked in a database to a user's name, email, or other personal information — which is the case for any logged-in user tracking, CRM integration, or ad retargeting that uses a user ID — the linked data becomes personal information subject to APPI, and the purpose of use for that data must be disclosed in the privacy policy.

The practical guidance: a full EU-style cookie consent banner with prior opt-in controls for analytics and advertising cookies is not required by APPI, but it is not prohibited and is common among Japanese companies that also have EU users. The minimum APPI obligation for cookie-related data is disclosure in the privacy policy of what cookie data is collected, how it is used, and that it may be linked to personal information. A footer link to a clear cookie policy or privacy policy section covering cookies satisfies this. Japanese B2B enterprise users have come to expect this disclosure; its absence — not an EU-style banner's presence — is the compliance risk.

The 個人情報取扱事業者 Label: Identifying the Data Controller in Japanese UI

APPI uses a specific term for the entity responsible for handling personal information: 個人情報取扱事業者 (kojin jōhō toriatsukai jigyōsha — "personal information handling business operator"). This is the APPI equivalent of the GDPR data controller, but it is not interchangeable in Japanese legal documents. A Japanese privacy policy that uses データ管理者 (the literal translation of "data controller") instead of 個人情報取扱事業者 signals that the document was translated from GDPR, not drafted for APPI.

The 個人情報取扱事業者 disclosure in a Japanese privacy policy must include: the business operator's name (legal entity name or sole proprietor's name), the address (in Japanese address format), and the representative's name. For a foreign company, this means either the name of the overseas entity with its overseas address, or the name of any Japanese subsidiary or representative office if one exists. If the overseas entity is the 個人情報取扱事業者, the overseas address is acceptable — but it should be formatted consistently with the disclosure's formality level.

This label also appears in the product UI at specific points: the registration flow should reference the 個人情報取扱事業者 in the context where personal information is first collected; the account settings or privacy section should identify who holds the user's data; and the data subject request flow (開示等の請求) should state clearly to which 個人情報取扱事業者 the request is being directed.

Data Subject Request (開示等の請求) UI

APPI grants individuals in Japan the right to request disclosure, correction, addition, deletion, suspension of use, suspension of third-party provision, and notification of purpose of their personal information held by the 個人情報取扱事業者. These rights are collectively called 開示等の請求 (disclosure etc. requests) and the law requires the business operator to establish a procedure for receiving and responding to them.

For a SaaS product, the practical requirements are: there must be a discoverable contact point or procedure for making these requests (a web form, an email address, or a mailing address — any of these satisfies the requirement); the procedure must be disclosed in the privacy policy; the business operator must respond within a reasonable period; and if a fee is charged for a disclosure request, the fee must be disclosed in advance. The law does not mandate a specific UI pattern, but Japanese enterprise users — particularly in procurement roles — will look for the 開示等の請求 section in the privacy policy and a reachable contact point for exercising it.

Before (GDPR rights language, translated):
「データ消去権・アクセス権を行使するには、[email protected]までご連絡ください」
GDPR rights terminology (消去権, アクセス権) without referencing 開示等の請求. Japanese users familiar with APPI will not recognize the framing as their legal rights.

After (APPI rights language):
「開示等の請求(開示・訂正・削除・利用停止等)については、[email protected]までご連絡ください。所定の手続きに従いご対応いたします」
Uses 開示等の請求 and lists the specific APPI right categories (開示・訂正・削除・利用停止). Matches the terminology Japanese users know from domestic privacy policies.

委託 and 共同利用: Third-Party Data Sharing in Japanese Privacy Notices

APPI distinguishes between two types of data sharing that are often lumped together in GDPR-style privacy policies: 委託 (itaku — entrustment or commissioned processing) and 共同利用 (kyōdō riyō — joint use). Understanding which applies to your product's actual data flows determines what you need to disclose and how.

委託 describes the relationship between the 個人情報取扱事業者 and a processor acting on its instructions — a cloud hosting provider, a third-party analytics platform, a customer support tool that handles ticket data. Under APPI, 委託 is a named exception to the third-party provision rules: the data controller (個人情報取扱事業者) does not need to obtain user consent to share data with a 委託先 (commissioned processor), but it must supervise the processor adequately and bears responsibility if the processor mishandles the data. The privacy policy should disclose that data may be entrusted to third parties for service provision, without necessarily naming every processor (unlike GDPR, which requires disclosure of processor categories).

共同利用 describes a situation where two or more named business operators share personal information for a common purpose — for example, a group of affiliated companies sharing a customer database, or a platform and its verified resellers sharing user information for joint service delivery. 共同利用 is also a named exception to the third-party provision rules under APPI, but it comes with more explicit disclosure requirements: the privacy policy must name the joint users, specify the data categories shared, the purpose, and identify which joint user is responsible for managing the personal information.

A GDPR-compliant privacy policy translated into Japanese is not an APPI-compliant privacy policy. The disclosure categories differ, the legal terminology differs, the data controller identification differs, and the consent trigger points differ. Compliance in both jurisdictions requires two separate legal frameworks to be applied to the same product — and the localization work is legal-linguistic, not just translation.

PrivacyMark and Trust Signals for Japanese Enterprise

PrivacyMark (プライバシーマーク, Pマーク) is a Japanese privacy management certification administered by JIPDEC (Japan Information Processing Development Corporation). It certifies compliance with JIS Q 15001, the Japanese personal information protection standard, and is widely recognized by Japanese enterprise buyers, government agencies, and regulated-industry procurement teams as a meaningful trust signal. Many large Japanese corporations include PrivacyMark or an equivalent certification as a vendor evaluation criterion.

The limitation for foreign SaaS companies is structural: PrivacyMark requires a Japanese legal entity. A US or European-headquartered company cannot hold the certification directly; only its Japanese subsidiary can. This means a foreign SaaS company without a Japanese legal entity must rely on substitute trust signals. The most effective alternatives in Japanese enterprise procurement are:

  • ISO 27001 — widely recognized in Japan's enterprise market and often treated as an equivalent indicator of systematic information security management. The Japanese enterprise market understands ISO 27001; explaining it does not require extensive translation of the concept.
  • SOC 2 Type II — recognized in tech-adjacent enterprise procurement, though less universal than ISO 27001. The certification name should be used as-is (SOC 2); a brief Japanese-language explanation of what it covers is helpful for non-technical procurement reviewers.
  • GDPR compliance statement — carries weight in Japanese enterprise procurement because Japanese enterprise buyers know GDPR as a high-standard regime; documenting GDPR compliance with a Japanese-language explanation of what it means in practice is more persuasive than simply citing the regulation name.

These substitutes should be presented on the Japanese product website's security or trust page in clear Japanese, with sufficient explanation of what each certification covers — not as a logo-only badge row. Japanese procurement reviewers often need to present the certification evidence to an internal committee; a one-sentence Japanese explanation of what ISO 27001 means is more useful to that process than the logo alone.

APPI Localization Compliance Checklist

📜 Privacy Policy Disclosures

  • 利用目的: Each category of personal information has a specific, concrete stated purpose. Vague purposes ("service improvement") are supplemented with specifics.
  • 個人情報取扱事業者: Business name, Japanese-format address, and representative name disclosed. Not 「データ管理者」 (GDPR framing).
  • 第三者提供: Third-party provision rules addressed. 委託 (commissioned processors) and 共同利用 (joint use, with named parties) distinguished where applicable.
  • 外国への提供: If data is processed outside Japan, the destination country and protection basis are disclosed.
  • 開示等の請求: Disclosure, correction, deletion, and suspension rights explained with the APPI terminology and a reachable contact procedure.

🔐 Consent UI and Data Collection

  • Sensitive data consent: Explicit active consent UI present wherever 要配慮個人情報 (sensitive personal information) is collected.
  • Standard data notice: Notice-based acknowledgment (not mandatory consent gate) for standard personal information categories unless APPI requires explicit consent.
  • Purpose change consent: Active consent triggered if the purpose of use changes from what was originally disclosed to the user.
  • Foreign transfer disclosure: If data is sent outside Japan, disclosure of destination country and basis appears at the point of collection or in the accessible privacy policy.

🏢 Trust Signals and Enterprise Readiness

  • Cookie disclosure: Footer link to privacy policy section covering cookie use. EU-style consent banner optional but cookie disclosure mandatory.
  • Data subject request path: 開示等の請求 contact point is discoverable from the product UI — not buried only in the privacy policy footer.
  • Certification communication: ISO 27001, SOC 2, or GDPR compliance presented in Japanese with a brief explanation of scope — not logo-only.
  • Opt-out mechanism for third-party provision: If personal data is provided to third parties via opt-out procedure (オプトアウト), the opt-out mechanism is disclosed in the privacy policy and reachable.
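The checklist above can be run as a first-pass localization QA lint over a Japanese privacy policy draft. The following is an added example, not code from the original article: it checks for the required disclosure terms listed earlier, flags GDPR-translation residue such as データ管理者 and 消去権, verifies that the 個人情報取扱事業者 disclosure carries an address and a representative name, and warns on vague purposes, unnamed foreign destinations, and an unstated disclosure-request fee. The destination-name list and both sample policy texts are constructed assumptions; the checks are keyword heuristics for QA, not a legal determination.

```python
# -*- coding: utf-8 -*-
"""Lint a Japanese privacy policy draft for the APPI disclosures this article lists.

Added example, not code from the original article. The checks are keyword
heuristics for localization QA, not a legal determination. The two policy
texts at the bottom are constructed samples with assumed names and addresses.
"""
import re
from dataclasses import dataclass

# Minimum disclosure sections from the article (term -> English label).
REQUIRED_SECTIONS = {
    "利用目的": "purpose of use",
    "個人情報取扱事業者": "business operator identification",
    "第三者提供": "third-party provision",
    "開示等の請求": "data subject requests",
}

# Terms that betray a GDPR policy translated literally rather than drafted for APPI.
GDPR_RESIDUE = {
    "データ管理者": "identify the 個人情報取扱事業者 instead of a literal 'data controller'",
    "消去権": "express deletion as 削除 under 開示等の請求",
    "アクセス権": "express access as 開示 under 開示等の請求",
}

# Purpose wording the article calls too vague unless backed by concrete items.
VAGUE_PURPOSES = ("サービス改善", "サービス向上", "分析目的")

# Destination names accepted by the 外国にある第三者への提供 check (assumed, illustrative list).
DESTINATION_NAMES = ("米国", "アメリカ", "英国", "イギリス", "EU", "欧州", "シンガポール", "ドイツ")


@dataclass
class Finding:
    severity: str  # "error" for a missing required disclosure, "warning" for a likely gap
    code: str
    message: str


def lint_policy(text: str) -> list:
    """Return findings for one policy text; an empty list means nothing was detected."""
    findings = []
    for term, label in REQUIRED_SECTIONS.items():
        if term not in text:
            findings.append(Finding("error", "missing-section", f"{term} ({label}) not found"))
    for term, advice in GDPR_RESIDUE.items():
        if term in text:
            findings.append(Finding("error", "gdpr-residue", f"{term}: {advice}"))
    # The operator disclosure must carry an address and a representative name.
    if "個人情報取扱事業者" in text:
        if "住所" not in text and "〒" not in text:
            findings.append(Finding("error", "operator-address", "個人情報取扱事業者 disclosure has no 住所"))
        if "代表者" not in text:
            findings.append(Finding("error", "operator-representative", "個人情報取扱事業者 disclosure has no 代表者"))
    # Vague purposes are tolerated only next to an enumerated list such as (1)...(4).
    enumerated = re.search(r"[（(]\d+[）)]", text) is not None
    if any(p in text for p in VAGUE_PURPOSES) and not enumerated:
        findings.append(Finding("warning", "vague-purpose", "purpose of use is vague and not enumerated"))
    # A stated transfer abroad should name the destination country.
    if "外国" in text and not any(d in text for d in DESTINATION_NAMES):
        findings.append(Finding("warning", "foreign-destination", "transfer abroad stated without a destination country"))
    # APPI permits a disclosure-request fee only if it is disclosed; say whether one applies.
    if "開示等の請求" in text and "手数料" not in text:
        findings.append(Finding("warning", "request-fee", "開示等の請求 procedure does not state whether a 手数料 applies"))
    return findings


def is_appi_ready(text: str) -> bool:
    """True when the lint pass raises no error-level finding."""
    return not any(f.severity == "error" for f in lint_policy(text))


# Constructed sample: a GDPR policy translated literally into Japanese.
GDPR_TRANSLATED = (
    "データ管理者:Example Corp(英国登録)\n"
    "サービス改善および分析目的のためにデータを使用することがあります。\n"
    "データ消去権・アクセス権を行使するには、privacy@example.com までご連絡ください。\n"
)

# Constructed sample: the same product's policy drafted with the APPI disclosures.
APPI_DRAFTED = (
    "個人情報取扱事業者:Example Corp(住所:〒100-0001 東京都千代田区〇〇1-2-3、代表者:John Smith)\n"
    "利用目的:(1)本サービスの提供および運営、(2)サポート対応、(3)新機能・サービスのご案内(メール配信)、"
    "(4)利用状況の集計・分析によるサービス改善\n"
    "第三者提供:業務の一部をホスティング事業者等の委託先に委託することがあります。\n"
    "外国にある第三者への提供:お客様の個人情報は米国のサーバーで処理されます。\n"
    "開示等の請求(開示・訂正・削除・利用停止等)については、privacy@example.com までご連絡ください。手数料は無料です。\n"
)

if __name__ == "__main__":
    for name, policy in (("GDPR-translated", GDPR_TRANSLATED), ("APPI-drafted", APPI_DRAFTED)):
        print(name, "ready" if is_appi_ready(policy) else "not ready")
        for f in lint_policy(policy):
            print(f"  [{f.severity}] {f.code}: {f.message}")
```

Run against the GDPR-translated sample it reports seven errors (four missing sections, three residue terms) and one vague-purpose warning; the APPI-drafted sample passes clean.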

Frequently Asked Questions

Does APPI apply to foreign SaaS companies with Japanese users?

Yes. Following the 2022 amendment to Japan's Act on the Protection of Personal Information (APPI), the law applies to foreign businesses that handle personal information of individuals in Japan and that supply goods or services to people in Japan. This is sometimes called the extraterritorial application provision. A foreign SaaS company with Japanese users is handling the personal information of individuals in Japan and is providing a service to people in Japan — it falls within scope. The practical obligations include complying with APPI's disclosure requirements (利用目的の通知), opt-out rights for certain data categories, and the third-party provision rules. The Personal Information Protection Commission (PPC) has published guidance for foreign businesses; consulting it — alongside legal advice — is the appropriate starting point.

What are the required disclosures in a Japanese privacy policy under APPI?

APPI requires the privacy policy (個人情報保護方針 or プライバシーポリシー) to disclose at minimum: the purpose of use (利用目的) for each category of personal information collected; the identity of the data controller (個人情報取扱事業者の名称 — business name, address, and representative); the procedure and contact point for data subject requests (開示等の請求); the categories of third parties to whom data may be provided (第三者提供); and whether any joint use (共同利用) arrangements exist. These disclosure obligations differ from GDPR in structure and terminology even when the underlying intent is similar — a GDPR-compliant privacy policy translated into Japanese will not automatically satisfy APPI because the required disclosure categories, headings, and legal basis framing differ.

How does APPI handle cookie consent compared to GDPR?

APPI does not mandate the same explicit prior consent for cookies that GDPR Article 7 and the ePrivacy Directive require for non-essential cookies in the EU. Under APPI, cookies themselves are not classified as personal information unless they can identify a specific individual — anonymous session cookies, for example, generally fall outside APPI's personal information definition. However, if cookie data is linked with personal information (for example, via a logged-in user ID), the linked data becomes personal information subject to APPI. This means that a full EU-style consent banner with prior opt-in for every cookie category is not legally required under APPI, but a privacy notice that explains which cookies are set and what they're used for — accessible from the footer — is expected practice for Japanese B2B and enterprise users.

What is PrivacyMark and does it matter for SaaS enterprise sales in Japan?

PrivacyMark (プライバシーマーク, often abbreviated PM or Pマーク) is a Japanese privacy management certification administered by JIPDEC (Japan Information Processing Development Corporation). It certifies that an organization has implemented a personal information management system meeting JIS Q 15001, the Japanese personal information protection standard. For enterprise SaaS sales in Japan, PrivacyMark status is a meaningful trust signal — particularly in procurement by Japanese enterprises, government agencies, and regulated industries. Many large Japanese organizations include PrivacyMark or equivalent certification as a vendor evaluation criterion. Obtaining PrivacyMark requires a Japanese legal entity, so foreign-headquartered SaaS companies typically cannot hold the certification directly. The alternatives are to pursue ISO 27001 certification (widely recognized in Japan's enterprise market), to work through a certified Japanese partner, or to clearly communicate GDPR compliance or SOC 2 status as equivalent evidence of data governance — with appropriate Japanese-language explanation of what those certifications cover.

What is the difference between 委託 and 共同利用 in a Japanese privacy policy?

Both terms describe situations where personal information is shared with a party other than the original collector, but they have different legal treatments under APPI. 委託 (itaku) means entrustment — the data controller delegates processing to a third-party processor (for example, a cloud infrastructure provider or an analytics service), but the controller remains responsible and the processor is bound by the controller's instructions. This is broadly analogous to GDPR's controller-processor relationship. 共同利用 (kyōdō riyō) means joint use — two or more named parties share personal information for a shared purpose, and the arrangement must be disclosed in the privacy policy with the names of the jointly-using parties, the data categories shared, and the purpose. Unlike GDPR, APPI treats joint use as a specific named exception to the third-party provision rule (第三者提供の例外), and it requires explicit disclosure of each party's name. Both arrangements must be disclosed in the Japanese privacy policy; using the wrong term for the actual arrangement creates compliance gaps.
