Management of Cookies and Trackers in accordance with the 2026 Personal Information Protection Law Amendment
I am Shigahi from Berlin.
As a Platinum Reseller of Cookiebot at Classmethod Europe GmbH, I support Japanese and European companies with privacy compliance. In this article, I will explain in detail how the 2026 amendment to the Personal Information Protection Law will impact the operation of websites by Japanese companies, and how to efficiently address these changes using Cookiebot, a Consent Management Platform (CMP).
What's happening - Background of the amendment
The Personal Information Protection Law includes a provision to "review every 3 years" after enforcement. Discussions began in November 2023, and after about 2 years of deliberation, the policy for institutional reform was officially announced by the Personal Information Protection Commission on January 9, 2026. Initially, the bill was expected to be submitted to the regular Diet session in 2025, but because of the time required for AI-related regulations and penalty system design, the schedule was changed to submission to the regular Diet session in 2026.
What's important here is that this amendment is not just a minor update. As 8 years have passed since the enforcement of GDPR, and with privacy regulations maturing globally, Japanese law is finally shifting toward "effective enforcement."
The three major points of amendment - Why it's "significant"
The following three points will have the greatest impact on corporate website operations:
1. Strengthened regulation of personal-related information (most important)
This is the core of the current amendment.
Under the current law, explicit consent for "personal-related information" such as Cookie IDs is required only for third-party provision. In other words, explicit consent is not required for data collected and used within your own company on your own website.
After the amendment, this scope is expected to expand significantly. For personal-related information, prohibition of improper use and prohibition of improper acquisition will be newly introduced. The targets include Cookie IDs, email addresses, phone numbers, location information, browsing history, purchase history, interest information, and virtually all data typically handled in website marketing.
What does this mean? You need to accurately understand all cookies set on your website, clarify their purposes, and properly notify users and obtain consent.
2. Introduction of administrative fines
A major problem with the current law is that economic sanctions for violations have not functioned effectively. Even if a company receives recommendations or orders, it can retain the economic benefits gained from violations, creating a "profitable violation" structure.
To solve this problem, the amendment will introduce an administrative fine system. The violations subject to fines include the following five types:
- Violation of the prohibition of improper use
- Improper acquisition
- Illegal third-party provision
- Violation of special obligations for statistical compilation
- Violation of opt-out related obligations
The amount of the fine is "equivalent to the financial benefit obtained as compensation for the subject act," with requirements including large-scale cases affecting more than 1,000 individuals and infringement of rights and interests.
It's worth noting that data collection through cookies on websites can easily exceed 1,000 people depending on site traffic. In other words, companies operating websites with certain traffic volumes could almost without exception fall within the scope of the administrative fine system.
3. Review of consent regulations (strengthening and relaxation in two directions)
The amendment is not solely about strengthening regulations. A risk-based approach concept is being introduced, with regulations applied differently according to risk levels.
Areas being strengthened:
- Cookie use for marketing purposes (targeted advertising, profiling, etc.)
- Personal information of children under 16 (newly established protection provisions)
- Handling of biometric recognition data
Areas being relaxed:
- Use for statistical purposes
- Use for AI learning purposes (under certain conditions)
- Situations where it is clearly not against the individual's will
This two-tier structure of "strengthening and relaxation" is similar to GDPR's legitimate interest concept, and from my experience with privacy compliance in Europe, I strongly feel that Japanese law is approaching international standards.
Why preparation is needed now
There will be a certain grace period from when the bill is submitted to the Diet until its enactment and enforcement. However, preparation should begin now for the following reasons:
First, cookie inventory takes time. For companies operating multiple websites, the process of identifying all cookies used on every site, classifying their purposes, and determining their destinations requires more work than you might imagine. When supporting our clients, we've seen cases where the number of cookies ballooned from 170 to 900 due to the addition of external tags. Manual management has its limits.
Second, the administrative fine system has a "retroactive" nature. Since it's a mechanism to confiscate economic benefits obtained through violations after the fact, "responding after the law is enforced" may be too late.
Third, consistency with global compliance. The revised CCPA has already been in force since January 2026, and together with GDPR compliance, companies need a system that comprehensively covers Japanese, US, and EU laws.
How to streamline cookie compliance with Cookiebot
Now, let's look at how Cookiebot CMP's features can specifically address each point of the amended law.
Addressing enhanced regulation of personal-related information
What the amended law requires most is a "complete understanding of personal-related information and appropriate consent acquisition." For this, Cookiebot offers the following features:
Automatic scanning function
Cookiebot's patented automatic scanning technology detects all cookies and trackers on your website. With monthly regular scans, it can capture all cookies, including those added by external vendors or set by third-party scripts.
If you operate multiple sites, you can centrally manage the cookie status of each site, eliminating the situation where "you don't know which cookies are being used on which sites."
4-category automatic classification
Detected cookies are automatically classified into four categories: "Necessary," "Preferences," "Statistics," and "Marketing" (unclassified cookies are temporarily displayed as "Unclassified" and assigned to appropriate categories after review). This allows for "clarification of purpose of use" at the cookie level as required by the amended law.
Prior blocking (zero cookie load)
This feature automatically blocks cookies from being set before user consent is obtained. It directly addresses the "prior consent" requirement of the amended law. Without this function, cookies would already be set when the page loads, and even if a consent banner is displayed, the banner risks being treated legally as "after-the-fact notification."
Automatic generation of cookie declaration
A cookie policy page containing details of detected cookies (name, provider, purpose, expiration date, etc.) is automatically generated and updated. This automates compliance with the notification obligations of the amended law and significantly reduces the burden of manual document management.
Addressing administrative fine risks
Under the administrative fine system, being able to prove "appropriate consent was obtained" becomes critically important.
Complete storage of consent logs
Cookiebot safely stores records of all user consent. A complete audit trail of "when, who, what was consented to (or refused)" is secured, which can be used as evidence of "lawful operation" in administrative fine determinations.
Continuous automatic scanning
Regular scanning catches previously undetected or unclassified cookies early, preventing unintended violations. Even if a situation like the rapid increase in cookies mentioned earlier occurs, it will be detected in the next scan, preventing risk accumulation.
Addressing the risk-based approach
Cookiebot's four-category classification works perfectly for the risk-based approach introduced in the amended law—the two-tier structure of "statistical purposes relaxed, marketing purposes strictly regulated."
Category-specific consent acquisition
With Cookiebot's consent banner, users can choose to consent or refuse by category. Since the "Statistics" category and "Marketing" category are clearly separated, it's possible to apply relaxed rules to statistical cookies and strict rules to marketing cookies individually under the amended law.
Google Consent Mode V2 integration
Cookiebot supports Google Consent Mode V2. Conversions from consenting users are measured normally, while privacy-protected estimated measurements are maintained for non-consenting users. The ability to balance legal compliance with marketing measurement effectiveness is a significant practical benefit.
Addressing children's personal information protection
The amended law will establish special protection provisions for personal information of children under 16. This direction is similar to the EU's GDPR and Age Appropriate Design Code.
Cookiebot allows banner display settings by region and condition, and can accommodate strict consent requirements for children's websites. With experience in complying with GDPR (age of consent for children is 16) and COPPA (US, 13 years), prompt response to Japanese law amendments can be expected.
Positioning of the amendment from comparison with GDPR/CCPA
From my perspective of seeing privacy compliance in Europe, I'll compare this amendment with GDPR and CCPA.
From an administrative fine perspective: GDPR stipulates enormous fines of "up to 4% of global annual revenue." Japan's administrative fine system is "equivalent to the economic benefit from the violation," which does not reach the level of GDPR financially. However, the shift from the traditional "effectively no sanctions" is groundbreaking in Japan's privacy regulation history.
Consent approach: GDPR principally requires opt-in (prior consent). The revised CCPA is based on opt-out (subsequent refusal). The current Japanese law amendment takes a direction of using both depending on risk, making it a practical approach that is, in a sense, "between GDPR and CCPA."
Cookiebot already complies with major privacy laws including GDPR, CCPA/CPRA, and LGPD, so compliance with the Japanese law amendment can be efficiently handled as an extension of these existing responses. For companies with bases or users in multiple jurisdictions, being able to cover them comprehensively with a single CMP is very important from an operational burden perspective.
Specific implementation and response steps
In preparation for the law amendment enforcement in 2026, I recommend proceeding with the following steps:
Step 1: Current status assessment (Cookie inventory)
Implement Cookiebot and run automatic scans on all websites. Understand all cookies used on each site and check for cookies with unclear purposes or unexpected third-party cookies. Classmethod Europe can issue a Cookiebot trial account, so this process can be done at no cost.
Step 2: Classification and control settings
Based on scan results, appropriately classify each cookie into the four categories (necessary, preferences, statistics, marketing). Accurately classifying "Marketing" and "Statistics" is key to addressing the risk-based approach of the amended law. Enable prior blocking (zero cookie load) to prevent cookie setting before consent.
Step 3: Consent banner and policy preparation
Create Japanese cookie declaration text (purpose statements) and configure Cookiebot's consent banner according to the requirements of the law amendment. Also set up Google Consent Mode V2 to ensure integration with GA4 and Google Ads.
Step 4: Consent log management system construction
In preparation for the introduction of administrative fines, confirm that consent logs are properly saved and managed. Establish a system for preserving evidence in anticipation of audits.
Step 5: Continuous operational monitoring
Regularly check monthly scan reports and routinize the detection, classification, and response to new cookies. Prepare an operational system that can accommodate setting adjustments timed with the enforcement of the law amendment.
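The check behind Steps 2 and 5 can be sketched independently of any CMP. The following is an added example, not Cookiebot code: it compares the cookies present in a browser against a category inventory and the visitor's consent state, reporting cookies set without consent and cookies that are still unclassified. The inventory patterns, the `consent_state` cookie name and the sample cookie string are constructed, and the example assumes the "necessary" category is allowed without consent.

```javascript
// Constructed inventory mapping cookie-name patterns to the four categories
// named in the article. Real entries come from your own scan report.
const INVENTORY = [
  { pattern: /^session_id$/, category: "necessary" },
  { pattern: /^consent_state$/, category: "necessary" }, // hypothetical name
  { pattern: /^lang$/, category: "preferences" },
  { pattern: /^_ga(_.+)?$/, category: "statistics" },
  { pattern: /^_fbp$/, category: "marketing" },
];

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("="); // values may themselves contain "="
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

function classify(name) {
  const hit = INVENTORY.find((entry) => entry.pattern.test(name));
  return hit ? hit.category : "unclassified";
}

// consent: { preferences, statistics, marketing } booleans. Assumption of this
// example: "necessary" needs no opt-in. Before the banner is answered, all false.
function auditCookies(cookieString, consent) {
  const report = { violations: [], unclassified: [] };
  for (const name of cookieNames(cookieString)) {
    const category = classify(name);
    if (category === "unclassified") {
      report.unclassified.push(name); // needs review and a category
    } else if (category !== "necessary" && consent[category] !== true) {
      report.violations.push({ name, category }); // set without consent
    }
  }
  return report;
}

// Constructed sample: cookies observed on first page load, before any choice.
const NO_CONSENT = { preferences: false, statistics: false, marketing: false };
const firstLoad = "session_id=abc; _ga=GA1.1.1=x; _fbp=fb.1.2; xyz_track=1";
console.log(auditCookies(firstLoad, NO_CONSENT));
```

In a browser, `document.cookie` can be passed as the first argument, but HttpOnly cookies are not visible there and have to be collected from the `Set-Cookie` response headers instead.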
Conclusion
The 2026 amendment to the Personal Information Protection Law is a major turning point for privacy regulations in Japan. Strengthened regulation of personal-related information, introduction of administrative fines, adoption of a risk-based approach—these changes will require practical responses from all companies operating websites.
Especially regarding cookies and trackers, situations such as "not knowing which cookies are used for what purpose," "not having a consent mechanism," or "not keeping consent records" will clearly become compliance risks under the amended law.
Using a CMP like Cookiebot enables efficient implementation of a series of responses: comprehensive understanding of cookies through automatic scanning, category-specific consent acquisition, prior blocking, consent log storage, and Google Consent Mode V2 support. As a global CMP with experience in GDPR and CCPA compliance, it enables operations that comprehensively cover Japanese, US, and EU laws.
As an official reseller of Cookiebot, Classmethod Europe GmbH provides comprehensive support from license sales to implementation support, operational support, and advice on responding to legal amendments.
In addition, we have newly started a managed service that includes management and operation of tag managers such as GTM. Cookiebot's consent control is closely linked with GTM (Google Tag Manager), and in many cases legal compliance is insufficient unless both the CMP and the tag manager are properly set up and maintained. This includes tag firing control according to consent categories, Google Consent Mode V2 signal settings, and appropriate management of conversion tags. The service allows you to entrust the operation of both the CMP and the tag manager to us for issues such as "implemented Cookiebot but GTM settings aren't keeping up" or "consistency with consent control breaks with each tag addition or change."
If you have concerns like "don't know where to start," "can't keep up with multiple site responses," or "don't have the capacity to manage tags," please feel free to consult with us.
For inquiries about Cookiebot, please visit cookiebot.jp.