WordPress hosting with APPI plugin built into the platform.
Purpose-of-use notices, sensitive personal information opt-in, third-party provision controls, privacy portal, and signed DPA — handled by Yovale's compliance MU-plugin. Japan has GDPR adequacy with the EU, so data flows freely between regions. You don't install the plugin. You don't update it. You don't pay for it. It's how every Yovale site ships, on every plan.
Six obligations every operator owes.
The Act on the Protection of Personal Information, in force since 2003 and substantially revised in 2017, 2022, and 2024, gives Japanese residents enforceable rights over their personal information. Any site that handles personal data of people in Japan — including foreign operators — must comply. The Personal Information Protection Commission can impose fines up to ¥100 million on corporations, with criminal sanctions on top.
- 01. Specify purpose of use
  Before you collect any personal information, publish a specific, narrow purpose of use. Vague language like 'for our business' fails. The purpose must be available in Japanese and can't be quietly broadened later.
- 02. Lawful acquisition
  Personal information must be obtained by appropriate means. No deception, no scraping, no buying lists with unclear provenance. For minors and sensitive categories, the bar is higher.
- 03. Security measures
  Implement organisational, human, physical, and technical safeguards proportionate to the data handled. Loss, leak, or destruction must be reported to the PPC and to affected individuals.
- 04. Third-party provision restrictions
  You can't share personal information with another business without opt-in consent, an opt-out filing with the PPC, or a statutory exception. Keep a record of every provision and reception.
- 05. Cross-border transfer
  Sending personal information outside Japan requires explicit consent with information about the destination country, or an adequacy finding (EU/UK), or contractual safeguards equivalent to APPI.
- 06. Sensitive personal information
  Race, creed, social status, medical history, criminal record, and victimisation require explicit opt-in consent. Opt-out is not available for these categories.
Built into the platform. Not a plugin you install.
Yovale ships APPI compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.
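The pin-then-verify install described above, sketched as an added example (this is not Yovale's code). It assumes the artifact has already been downloaded to a local path; the manifest layout, the version string and the `compliance.php` file name are hypothetical.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

def sha256_file(path, chunk_size=65536):
    """Stream the file so large artifacts are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def install_pinned(artifact, version, manifest, mu_dir, name="compliance.php"):
    """Install `artifact` into mu_dir only if it matches the digest pinned for `version`."""
    expected = manifest.get(version)
    if expected is None:
        raise LookupError(f"version {version!r} is not pinned")
    # Stage inside mu_dir: the rename below is then atomic (same filesystem), and
    # WordPress only loads *.php from mu-plugins, so the .tmp file is never executed.
    fd, staged = tempfile.mkstemp(dir=mu_dir, suffix=".tmp")
    os.close(fd)
    try:
        shutil.copyfile(artifact, staged)
        # Hash the staged copy, not the source, so the bytes checked are the bytes installed.
        actual = sha256_file(staged)
        if not hmac.compare_digest(actual, expected.lower()):
            raise ValueError(f"digest mismatch for {version}: got {actual}")
        os.chmod(staged, 0o444)
        dest = os.path.join(mu_dir, name)
        os.replace(staged, dest)
    except BaseException:
        os.unlink(staged)  # nothing unverified is left behind
        raise
    return dest

def demo():
    """Constructed sample: the pinned file installs, a modified copy is refused."""
    with tempfile.TemporaryDirectory() as work:
        good, bad = os.path.join(work, "good.php"), os.path.join(work, "bad.php")
        for path, body in ((good, b"<?php // sample\n"), (bad, b"<?php // altered\n")):
            with open(path, "wb") as fh:
                fh.write(body)
        manifest = {"1.0.0": sha256_file(good)}  # constructed pin
        installed = os.path.exists(install_pinned(good, "1.0.0", manifest, work))
        try:
            install_pinned(bad, "1.0.0", manifest, work)
            refused = False
        except ValueError:
            refused = True
        return installed, refused
```

The digest check only proves the file matches the manifest, so the manifest itself has to come from a channel the artifact store cannot write to.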
Japan-aware consent UI
Geo-aware. Visitors from Japan see a purpose-of-use notice in Japanese before any non-essential script fires, with a separate explicit opt-in flow for sensitive personal information. Renders in 8 locales. Configurable in the dashboard.
Privacy portal
/.well-known/privacy on every Yovale site. Visitors view, export, or delete the personal information you hold about them without filing a support ticket. Every request lands in the Compliance dashboard tab.
Audit log
Every consent given, withdrawn, modified, every third-party provision, and every cross-border transfer is logged at the Cloudflare edge worker layer. Tamper-proof, queryable, retained long enough to satisfy PPC requests.
Signed DPA
Pre-signed Data Processing Agreement covering APPI third-party provision restrictions, cross-border transfer safeguards, and sub-processor disclosure (Cloudflare, Anexia, R2). PDF download for your records.
Why infrastructure beats a plugin.
Typical WordPress APPI plugin
- Adds 200-500ms to every page load (banner JS, cookie scan, DB writes)
- Stores consent records in wp_options — slow, untyped, breaks with object caching
- Updates through wp-admin — you maintain it, you break it, you debug conflicts
- Japanese-market plugins charge ¥30,000-¥60,000/year per site
- Breaks when you migrate hosts; consent history and purpose-of-use records lost
Yovale's built-in approach
- 0ms latency — consent state computed at the edge worker, cached in the CDN
- Audit log in a dedicated database, queryable, never blocks page render
- Updates ship through the platform — you don't see them, you don't break them
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — consent history is yours to export
14 regulations. One toggle each. All automatic.
- Specify purpose of use
- Lawful acquisition + security measures
- Third-party provision restrictions
- Cross-border transfer safeguards
- Explicit consent for sensitive data
APPI + Yovale, answered.
Does APPI apply to my site if my company is outside Japan?
Yes, when you handle personal information of people in Japan in connection with supplying goods or services to them. APPI has had extraterritorial reach since the 2017 amendments. The Personal Information Protection Commission can investigate foreign operators and coordinate with overseas authorities for enforcement.
How does the EU adequacy decision affect my data flows?
Japan and the EU recognise each other under their respective adequacy frameworks. Personal data flows freely between Japan and the EEA without standard contractual clauses. Yovale's signed DPA reflects this — your transfers between EU infrastructure and Japanese visitors don't need extra paperwork.
What counts as sensitive personal information under APPI?
Race, creed, social status, medical history, criminal history, and being a victim of a crime. These categories need explicit opt-in consent — opt-out is not available. Yovale's Japan-aware consent UI surfaces a separate explicit-consent dialog before any sensitive category is collected or processed.
What about cross-border transfers to countries without adequacy?
You need explicit consent with information about the destination country's data-protection environment, or contractual safeguards equivalent to APPI. Yovale's DPA lists every sub-processor location (Cloudflare global edge, Anexia in the EU, R2) so you can disclose them to visitors and to the PPC if asked.
What does the privacy portal handle for Japanese visitors?
Visitors at /.well-known/privacy can review the purpose of use, request a copy of their retained personal data, ask for correction or deletion, and stop third-party provision. Requests requiring human review appear in your dashboard Compliance tab with an SLA timer aligned to PPC expectations.
Do I still need to file with the PPC?
Yovale handles the consent, audit log, DPA, and visitor-facing portal. Statutory filings — opt-out third-party provision notifications, in particular — remain your responsibility as the operator. The audit log gives you the evidence trail the PPC asks for during inquiries.
Ship an APPI-compliant WordPress site in 60 seconds.
Every Yovale site is APPI-ready from the moment you deploy. Purpose-of-use notices, sensitive-data opt-in, third-party provision controls, signed DPA. No plugin to install. Start the free Growth trial and see your first compliance dashboard.