Japan’s amended regulations on cookie information will start on 16 June 2023. The amended regulations now capture an even wider range of businesses, such as SNS platforms, various content sharing services, and certain online search tool businesses. It is important to consider whether your business is within the scope of the amended regulations and to take appropriate measures to ensure compliance, such as updating cookie policies or adding appropriate pop-up notices.
The recent amendments to the Telecommunications Business Act will impose general requirements on entities that transmit cookie information or other types of user information to third parties (“Cookies Regulations“) from 16 June 2023. The Ministry of Internal Affairs and Communications released amendments to its relevant ordinance (“Amended Regulations“) to add substance to the Cookies Regulations. The Amended Regulations clarify the types of businesses that are now subject to the Cookies Regulations and the measures such businesses need to take to be compliant.
Businesses subject to the Cookie Regulations
The Amended Regulations establish that businesses providing the following four types of telecommunication services are now subject to the Cookies Regulations:
- Telecommunication services that mediate communication of others
This can include services providing e-mail, messaging applications, web conferencing systems that enable meetings with limited participants, and direct messaging functions offered together with SaaS, SNS, and other services.
- Telecommunications services that record information on a recording medium or receive information from a user and thereby making the recorded or input information available for communication by others at the request of an unspecified user
This can include social network services (SNS), electronic bulletin boards, video sharing services, online shopping malls, live streaming services, matching platform services, online games, online education and other content services.
- Telecommunications services that provide information on unlimited websites where the searched information is recorded for communication of others in response to a search request
This refers to general online search services.
- Other telecommunications services that can transmit information in response to requests from unspecified users and are intended to be made available to unspecified users
This refers to search services that limit the scope of search to specific fields, such as transit information search services and services that provide information on employment, career change, part-time jobs.
Measures required by the Cookies Regulations
Under the Amended Telecommunications Business Act, businesses subject to the Cookies Regulations are required to take one of the following measures to transmit cookie information or other user-specific information to a third party: (i) notify users of information about any transmission of user information or make such information readily available to users, (ii) obtain users’ consent, or (iii) provide opt-out measures. The Amended Regulations provide further details regarding (i) and (iii).
For (i), the following information should be notified or made easily accessible to users:
- The type of information about the user that will be transmitted to a third party.
- The name of the person who will process the user information.
- The purpose of use of the information by the processor of the user information.
The Amended Regulations require the information to be provided in a manner which can be easily read by users. The information should be in Japanese without technical language. The information should be clearly written using appropriately sized text.
The information should immediately be provided using a pop-up window or some equivalent means. It should be displayed on the same web page or app page as that which the user was visiting or somewhere else that is easily accessible. A separate written notice is not acceptable.
For (iii), the following information must be made readily available to users:
- The fact that opt-out measures are being taken.
- Whether the transmission of user information or the use of user information will end if an opt-out request is made.
- The method of accepting opt-out requests.
- The effect, if any, of any restriction on the use of such telecommunications services in the event that opt-out measures are taken.
- Information about the user to be transmitted.
- Name of the person processing the information.
- Purpose of use of the information.
Information subject to these Cookies Regulations
The data subject to the Cookies Regulations is typically understood to be cookie information, but it is also possible that identifiers such as advertising IDs, browsing history and action history can also fall under the scope of the Cookies Regulations.
Information that needs to be transmitted for the operation of a telecommunications service is exempt from the Cookies Regulations. The following types of operations are examples of uses that can rely upon this exemption:
- Display a proper screen on the user’s terminal, redisplay the user’s input information.
- Redisplay the user’s authentication information.
- Detect and mitigate damage from illegal activities.
- Reduce the load on the operator’s telecommunications facilities for proper operation.
The transmission of identification codes or “first-party cookies” that are used by a business operators to identify their own users are also exempt.