APPI Compliance for Shopify Merchants: What You Need to Have in Place
Japan's Act on the Protection of Personal Information (APPI) applies to any business that handles the personal data of people in Japan — including Shopify merchants based outside the country. The most recent amendment, in force since April 1, 2022, introduced stronger obligations around consent, data subject rights, and cross-border transfers. A further round of amendments is expected by 2027, including administrative fines for violations.
This checklist covers every major APPI requirement your Shopify store needs to meet, with guidance on what each one means in practice and how Consentmo helps you get there.
1. Privacy Policy
What APPI requires
You must publish a privacy policy that explains what personal data you collect, the purpose for which it is used, whether it is shared with third parties, how long it is retained, and how customers can exercise their rights. This must be written in plain language and easily accessible from every page of your store.
Checklist
- Privacy policy is published and linked from your store footer
- States the purpose of collection for each data type (email, payment info, browsing behaviour)
- Names any third parties data is shared with (ad platforms, analytics tools, fulfilment partners)
- Specifies how long each category of data is retained
- Explains how customers can request access, correction, deletion, or suspension of use
- Updated whenever you add new apps or change how data is handled
2. Cookie Consent Banner
What APPI requires
You must notify visitors about the purpose of data collection before or at the time of collection (Articles 17–18). For cookies and tracking scripts, this means displaying a consent notice when a visitor lands on your store. Non-essential cookies — analytics, advertising, personalisation — must not fire until the visitor has been informed and has had the opportunity to respond.
Checklist
- A consent banner appears for visitors from Japan on first visit
- The banner explains what cookies are used and why
- Visitors can accept, reject, or manage preferences
- The banner is displayed in Japanese for Japanese visitors
- Non-essential trackers are blocked until consent is given
- Consent preferences can be updated at any time via a preference widget
How Consentmo handles this
Consentmo's Smart Geotargeting detects Japanese visitors and automatically serves them an APPI-appropriate consent banner in Japanese. The banner is fully customisable and blocks all non-essential scripts until consent is given. A persistent preference widget lets visitors update their choices at any time.
3. Purpose Specification and Use Limitation
What APPI requires
Personal information must only be used for the purpose that was specified at the time of collection. Using it for a new or different purpose — such as sharing customer email addresses with a new marketing platform — requires either a new disclosure or fresh consent (Article 18).
Checklist
- Every data collection point (checkout, account creation, email signup) states a clear purpose
- Data is not used for purposes beyond what was disclosed
- New apps or integrations that process customer data are reflected in your privacy policy before launch
- Marketing emails are only sent to customers who have consented to that use
4. Data Subject Rights and Request Handling
What APPI requires
Customers in Japan have the right to request disclosure of their personal data (Article 27), correction of inaccurate information (Article 32), deletion, and suspension of use or third-party provision (Articles 33–34). You must have a working process to receive, action, and respond to these requests without undue delay.
Checklist
- A dedicated APPI Compliance page is published on your storefront
- The page includes a Do Not Sell My Personal Information request form
- The page includes an Edit Account Information request form
- Store admin receives a notification when a request is submitted
- Customer receives a confirmation email upon submission
- Requests are reviewed and actioned in a reasonable timeframe
- The compliance page is linked from your store footer
How Consentmo handles this
When you enable the Japan region in Consentmo, the app prompts you to generate a pre-built compliance page with working request forms. Every submission triggers an admin notification and a customer confirmation email. From the Consentmo dashboard you can view the customer's data on file and take the appropriate action.

5. Third-Party Data Sharing and Records
What APPI requires
Before sharing personal data with a third party, you must in most cases obtain the individual's consent. You are also required to keep records of third-party provisions — including the date, recipient, categories of data shared, and the purpose — and retain those records for a set period (Article 29).
Checklist
- All third parties receiving customer data are identified in your privacy policy
- Customer consent covers the specific third parties data is shared with
- Records of third-party data provision are logged and retained
- Customers can request cessation of third-party provision
6. Tracker and Script Management
What APPI requires
Every tracking script on your Shopify store — Google Analytics, Meta Pixel, TikTok tracking, Klaviyo, and others — collects personal data the moment it fires. Under APPI's use limitation rules, these scripts must only run if the visitor has been informed of their purpose and has not objected.
Checklist
- All active cookies and scripts on your store are identified and categorised
- Non-essential scripts are blocked before consent is given
- New apps added to your store are scanned for tracking scripts
- Script categories match what is disclosed in your privacy and cookie policy
How Consentmo handles this
Consentmo's Tracker Manager and AI Cookie Scanner run a full audit of every cookie, script, and pixel active on your store. The AI automatically categorises unclassified cookies and blocks non-essential trackers until the visitor consents. You can schedule regular scans to catch any new trackers added by app updates.
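The requirement in sections 2 and 6 that non-essential scripts stay blocked until the visitor has consented comes down to a small state model: a script may run only if its category has been explicitly granted, anything undecided or uncategorised is treated as rejected, and each script is loaded at most once. The following is an added illustration of that model in plain JavaScript; it is not Consentmo's code, and the tracker inventory, category names and placeholder hosts are constructed for the example.

```javascript
// Consent-gated tracker loading (added example, not Consentmo's implementation).
// A script runs only if its category is in the visitor's granted set. Before any
// decision, and for any category not explicitly accepted, it stays blocked (fail closed).

const CATEGORIES = ["essential", "analytics", "advertising", "personalisation"];

// Constructed inventory of scripts a store might run. Hosts are placeholders, not real endpoints.
const TRACKERS = [
  { name: "checkout-session", category: "essential", src: "https://store.example/checkout.js" },
  { name: "web-analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ad-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
  { name: "recommendations", category: "personalisation", src: "https://reco.example/widget.js" },
  { name: "mystery-app-script", category: "unknown", src: "https://app.example/inject.js" },
];

// State before the banner has been answered: nothing but essential is granted.
function initialConsent() {
  const granted = Object.fromEntries(CATEGORIES.map((c) => [c, c === "essential"]));
  return { decided: false, granted, timestamp: null };
}

// Apply the visitor's banner choice. `choices` maps category -> boolean; anything that is
// not explicitly `true` counts as rejected, and "essential" cannot be switched off.
function applyChoice(state, choices, now = () => new Date().toISOString()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "essential" ? true : choices[c] === true;
  return { decided: true, granted, timestamp: now() };
}

// Trackers allowed to run under the current state. A script with an unknown category is
// blocked until someone classifies it, so a new app's injected script cannot slip through.
function permittedTrackers(state, trackers = TRACKERS) {
  return trackers.filter((t) => CATEGORIES.includes(t.category) && state.granted[t.category] === true);
}

// Categories whose consent was withdrawn between two states. A script that already ran cannot
// be unloaded, so the practical response to withdrawal is to delete its cookies and reload.
function withdrawnCategories(before, after) {
  return CATEGORIES.filter((c) => before.granted[c] === true && after.granted[c] !== true);
}

// In a browser, inject the script tag; outside one (or in tests) there is nothing to inject.
function defaultLoad(tracker) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.src = tracker.src;
  s.async = true;
  s.dataset.consentCategory = tracker.category;
  document.head.appendChild(s);
}

// Returns an `activate` function that loads each permitted tracker exactly once, so calling it
// again after a preference change only starts scripts that are newly allowed.
function createLoader() {
  const loaded = new Set();
  return function activate(state, trackers = TRACKERS, load = defaultLoad) {
    const started = [];
    for (const t of permittedTrackers(state, trackers)) {
      if (loaded.has(t.name)) continue;
      loaded.add(t.name);
      load(t);
      started.push(t.name);
    }
    return started;
  };
}

// Walk through a visit: page load, accept analytics only, later reject everything.
function demo() {
  const activate = createLoader();
  const beforeBanner = initialConsent();
  const first = activate(beforeBanner);                      // only the essential script
  const accepted = applyChoice(beforeBanner, { analytics: true, advertising: false });
  const second = activate(accepted);                         // analytics starts, nothing else
  const revoked = applyChoice(accepted, {});                 // visitor withdraws consent
  const withdrawn = withdrawnCategories(accepted, revoked);  // what must be cleaned up
  const afterRevoke = activate(revoked);                     // nothing new may start
  return { first, second, withdrawn, afterRevoke };
}
```

The `choices[c] === true` comparison is deliberate: a consent cookie that has been tampered with to contain `"yes"` or `1`, or a category the banner never offered, is treated as a rejection rather than a grant. In a real storefront the non-essential tags would be emitted by the theme with a non-executing type (for example `type="text/plain"`) and only rewritten to a live script by `activate`, which is the same gate expressed in markup.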

7. Consent Records and Audit Trail
What APPI requires
While APPI does not currently mandate consent logs with the same specificity as GDPR, the ability to demonstrate lawful data handling is essential, particularly as the proposed next round of amendments is expected to introduce administrative fines and bring enforcement closer to European standards. Documented consent records are your primary defence in the event of a complaint or regulatory inquiry.
Checklist
- Consent interactions are logged with a timestamp, visitor ID, and country
- Logs capture which categories of cookies were accepted or rejected
- Records are exportable for audit or legal purposes
- Consent records are retained for an appropriate period
How Consentmo handles this
Consentmo's Consent Records dashboard logs every interaction automatically, capturing the visitor's unique ID, the page where consent was given, accepted categories, IP address, interaction type, timestamp, country, and device. Records can be filtered and exported at any time.

8. Cross-Border Data Transfers
What APPI requires
If you transfer personal data outside Japan — for example, to a US-based email marketing platform or cloud storage provider — you must ensure the recipient country provides an equivalent level of protection, or obtain specific consent from the individual for the transfer. This requirement is expected to be tightened under the proposed next round of amendments.
Checklist
- All countries to which customer data is transferred are identified
- Either the recipient country meets APPI equivalency standards, or customer consent covers the transfer
- Cross-border transfers are disclosed in your privacy policy
- Data processing agreements are in place with international service providers where applicable
9. Security Measures
What APPI requires
Businesses must take the necessary and appropriate measures to prevent leakage, loss, or damage to personal data (Article 23). This includes both technical and organizational safeguards.
Checklist
- Shopify theme and any custom theme code are kept up to date and reviewed for known vulnerabilities
- Third-party apps are reviewed and unnecessary ones removed
- Admin access is limited to authorised personnel, each with their own staff account, the minimum permissions their role needs, a strong password and two-factor authentication
- Payment data is handled exclusively through PCI DSS compliant processors (Shopify Payments, Stripe, etc.)
- A process is in place to notify affected customers and regulators in the event of a data breach
10. Accessibility
What APPI requires (and beyond)
While accessibility is not explicitly part of APPI, Japan has its own accessibility standards under the Act for Eliminating Discrimination against Persons with Disabilities, and the global WCAG 2.1 guidelines provide the accepted benchmark. Making your compliance pages and cookie banner accessible is both a legal obligation in many markets and a prerequisite for your data rights processes to function for all users.
Checklist
- Cookie consent banner is keyboard navigable and screen reader compatible
- APPI Compliance page is accessible on both desktop and mobile
- Images on the site include descriptive alt text
- Sufficient color contrast on all compliance-related UI elements
How Consentmo handles this
Consentmo includes a built-in Accessibility widget and Alt text scanner to help your store meet ADA, WCAG, and EAA standards alongside its privacy compliance features.

Get Every Item on This List Covered with Consentmo
Most of the items on this checklist (the consent banner, compliance page, request handling, tracker management, consent records, and accessibility widget) are handled automatically by Consentmo when you complete the APPI setup in the app.
Install Consentmo free on the Shopify App Store to get your store APPI compliant without the manual work. If you have questions about any item on this checklist, reach out to our support team via chat or email.