Do cookies qualify as personal information?

APPI Article 2
Legal definition
1 year
Penalty term
¥1M
Max fine
2023
Amendment year
The Short Answer

Yes, cookies can qualify as personal information under Japan’s Act on the Protection of Personal Information (APPI) if they can identify a specific individual, either directly or when combined with other information.

What the Law Says

Japan’s Act on the Protection of Personal Information (APPI) defines personal information broadly—and cookies may fall within that definition depending on how they are used and whether they enable identification of an individual.

Under the APPI, 'personal information' means information about a living individual that can identify a specific person—either by itself or when combined with other information. This includes names, birthdates, addresses, and also identifiers like device IDs or cookies—if they allow identification.

The 2023 amendment to the APPI clarified that identifiers such as cookies, IP addresses, or advertising IDs are considered personal information when they can be linked—alone or in combination—to an identifiable individual.

Organizations handling such cookies must comply with APPI obligations: obtaining consent (where required), limiting use to stated purposes, ensuring security, and responding to requests for disclosure or deletion.

Statutory Text

‘Personal information’ means information about a living individual which can identify a specific individual by name, date of birth or other description contained in such information, including information which can be easily cross-referenced with other information to identify a specific individual.

Act on the Protection of Personal Information, s. 2(1) — Definition of Personal Information
Statutory Text

Information that does not currently identify a specific individual but is likely to do so when combined with other information shall be treated as personal information.

Act on the Protection of Personal Information, s. 2(2) — Deemed Personal Information

What to Do

1

Determine whether your cookies (e.g., tracking, advertising, analytics) can identify users—alone or when combined with logs, accounts, or device data.

2

If yes, treat them as personal information: obtain prior opt-in consent (unless exempted), document purpose, and implement security measures.

3

Update your privacy policy to disclose cookie usage, categories, retention period, and third-party sharing.

4

Appoint a personal information protection officer if your business handles large volumes of personal data (as defined by Cabinet Order).

5

Conduct regular audits and train staff on APPI compliance—including cookie-related obligations.

Sources

statuteAct on the Protection of Personal Information, s. 2(1) — Definition of Personal InformationstatuteAct on the Protection of Personal Information, s. 2(2) — Deemed Personal Information

Same Question, Other Jurisdictions

GermanyIrelandEuropean UnionUKSouth KoreaCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.