Revised Telecommunications Business Law enforced June 2023: third-party cookie compliance in Japan. Is your EC site compliant?

by Toyo Hirashima

Revised Telecommunications Business Law enforced in June 2023

Third-party cookie obligations begin in Japan

Previously in Go Ride News, I covered the following topics:

  • GDPR compliance for cross-border EC sites targeting Europe
  • CCPA compliance for cross-border EC sites targeting the United States


Reference articles

Be careful when expanding into Europe! Learn about the EU's unique personal data protection law (GDPR)

Is your company okay? California's new state law, the CCPA

This time, I would like to review the Revised Telecommunications Business Law (June 2022).

This is because the revision of the Telecommunications Business Law was promulgated in June 2022 and will be enforced within one year of promulgation, and it includes an obligation on business operators concerning third-party cookies (enforcement scheduled for June 2023).

Why are third-party cookies regulated in the first place?

It is the textbook answer, but let's check the page of the Ministry of Internal Affairs and Communications.

Q1-3: Why were the external transmission regulations introduced?

Answer: When users browse the web or use applications on smartphones and similar devices, programs such as tags embedded in websites and information collection modules built into applications are sent to the user's terminal, and as a result information about the user recorded on the terminal is sent to parties other than the user without the user being aware of it.

The user information sent in this way, such as identifiers like cookies and advertising IDs, browsing history, and behavior history, is widely used for various purposes.

If such information is transmitted without the user being aware of it, the user cannot use telecommunications services with peace of mind, which in turn reduces the reliability of telecommunications services and may hinder their healthy development.

Therefore, giving users the opportunity to confirm the external transmission of such information has been made obligatory, so that users can use telecommunications services with peace of mind.

That is the explanation. Put very simply:

Because data is being transmitted externally and used for various purposes, including advertising, before the user realizes it, the law was enacted to make it obligatory to provide an opportunity to confirm.

After enforcement in June 2023, it is obligatory to implement one of the following three measures.

  1. Notify or publish information on the prescribed matters in advance
  2. Get user consent in advance (opt-in)
  3. Introduce a mechanism that lets users refuse afterwards (opt-out)

Because there are multiple methods to choose from, the rules seem close to the CCPA.

Under this revision, no fines are imposed for violations; the Minister of Internal Affairs and Communications will only issue a business improvement order and publish the name of the offender. In this respect it is very different from the CCPA and GDPR.

When a store is deployed in multiple countries, for example cross-border EC for the EU or for North America, we sometimes receive inquiries about system selection and about how to process data within the system configuration so that it is GDPR compliant.

GDPR, CCPA, Revised Telecommunications Business Law Comparison Table

EU GDPR

  • Requirement: User opt-in is mandatory when using sites and services
  • Penalty: Up to 20 million euros or 4% of sales

US CCPA (California Privacy Protection Law)

  • Requirement: It is mandatory to let users opt out when cookie data is sold to third parties. If there is a request to delete personal information, the business is required to respond and report to the consumer
  • Penalty: $2,500 per violation, up to $7,500 per case

Revised Telecommunications Business Law

  • Requirement: One of the following measures is mandatory

  1. Notify or publish information on the prescribed matters in advance
  2. Get user consent in advance (opt-in)
  3. Introduce a mechanism that lets users refuse afterwards (opt-out)

  • Penalty: There is no fine for violations. The Minister of Internal Affairs and Communications issues business improvement orders and publishes the names of offenders

Status of Telecommunications Business Law compliance in Japan as of May 2022

According to the survey here, as of May 2022, about 77% of sites in the news site category had not implemented support.

Perhaps because the penalties are not strict, most sites in the news site category still appear not to comply.

In Europe, Meta has received a $1.3 billion fine and a data deletion order, which shows how different the situation is from country to country.

The other day, it was announced that the Irish Data Protection Committee (hereinafter referred to as DPC) imposed a fine of $1.3 billion (180,856 million yen) on Meta for violating the Privacy Protection Law in relation to data transfer between Europe and the United States. Meta must also stop all data transfer between the EU and the United States within 5 months, and if it does not make changes within 6 months, it will be forced to delete 10 years of EU user data.

Is your own EC site eligible?

The point is that this time the scope is defined by service rather than by business operator.

  1. Mail services, direct message services, web conference systems, etc.
  2. SNS, electronic bulletin boards, video sharing services, online shopping malls, sharing services, matching services, etc.
  3. Online search services
  4. Online information provision services that send information at the request of unspecified users and make it available for browsing



Reference source

In addition, according to the "Telecommunications business entry manual (supplementary edition) Guidebook", the following cases are also applicable.

  • When the company's products and services themselves are provided via the Internet
  • When a sole proprietor operates information provision sites using advertising and affiliate programs for the purpose of making a profit

SaaS and web media are also considered to be "online provision services for various information".

However, an e-commerce site that only sells its own products, has no media elements, and does not provide services as a business appears not to be subject to the law.

Even so, many EC operators see it as an opportunity to actively demonstrate their commitment to consumer protection.

It is likely that many companies will choose "prior acquisition" of consent.

On an EC site, the most orthodox method is to obtain user consent in advance, and this can be handled through an app implementation.

Changes to and future of third-party cookies

The difference between first-party cookies and third-party cookies

First-party cookies are cookies issued from the domain of the site the user is visiting, and are used for things such as login information and the products in the cart.

They bring a large convenience benefit to the user, and at this time there is no concern that they will be blocked.

From the company's point of view (EC operation, advertising distribution), their characteristic is that users cannot be tracked across domains.

On the other hand, third-party cookies are cookies issued by the advertising media's domain.

Third-party cookies are used in advertising distribution for the following purposes.

  1. Retargeting advertisements
  2. Attribution analysis
  3. Web advertising effect measurement
  4. Affiliate ads

From the company's perspective, they were useful for analyzing how users reach a conversion (CV), but from the user's side, cookies are set and information is collected, so they have come to be seen as a problem from the viewpoint of personal information protection.
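As an added example (not from the original article), the first-party/third-party distinction above can be turned into an inventory of the destinations a page transmits to, which is what a notice or consent mechanism has to cover. The request list, the domain names, and the small suffix set standing in for the Public Suffix List are constructed assumptions.

```javascript
// MULTI_LABEL_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.jp", "ne.jp", "or.jp", "co.uk"]);

// Reduce a hostname to its registrable domain, e.g. www.shop.example.co.jp -> example.co.jp
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Group the requests a page made by destination site and mark each first- or third-party.
function inventoryExternalTransmissions(pageUrl, requests) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const bySite = new Map();
  for (const req of requests) {
    const site = registrableDomain(new URL(req.url).hostname);
    const entry = bySite.get(site) ?? {
      site, party: site === pageSite ? "first" : "third", requests: 0, cookieNames: new Set(),
    };
    entry.requests += 1;
    for (const name of req.cookies ?? []) entry.cookieNames.add(name);
    bySite.set(site, entry);
  }
  return [...bySite.values()]
    .map((e) => ({ ...e, cookieNames: [...e.cookieNames].sort() }))
    .sort((a, b) => a.site.localeCompare(b.site));
}

// Destinations that a notice, opt-in, or opt-out mechanism would have to cover.
function thirdPartyDestinations(pageUrl, requests) {
  return inventoryExternalTransmissions(pageUrl, requests).filter((e) => e.party === "third");
}

// Constructed sample: requests captured while loading a fictional shop page,
// with the names of the cookies sent on each request.
const SAMPLE_PAGE = "https://www.shop.example.co.jp/cart";
const SAMPLE_REQUESTS = [
  { url: "https://www.shop.example.co.jp/api/cart", cookies: ["session_id"] },
  { url: "https://static.example.co.jp/app.js" },
  { url: "https://tags.adnetwork.example/pixel?uid=123", cookies: ["ad_uid"] },
  { url: "https://sync.adnetwork.example/match", cookies: ["ad_uid", "seg"] },
  { url: "https://metrics.analytics.example/collect", cookies: ["visitor"] },
];

console.log(thirdPartyDestinations(SAMPLE_PAGE, SAMPLE_REQUESTS));
```

In practice the request list would come from a browser HAR export, and the suffix set would be replaced by the full Public Suffix List so that subdomains of the shop itself are not reported as third parties.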

Browser-side responses

In January 2020, Chrome announced that it would abolish third-party cookies within 2022, but the plan has been postponed; as of June 2023, they are to be phased out gradually in the latter half of 2024.

It has been announced that third-party cookies will be replaced by the Privacy Sandbox, which works for advertisers and publishers while maintaining anonymity.

It seems that the evaluation and testing of the Privacy Sandbox took longer than expected.




Beginning with ITP 1.0, released in September 2017, third-party cookies began to be blocked.

ITP is an abbreviation of Intelligent Tracking Prevention, a site tracking prevention function that has been installed in the Safari browser since Apple's iOS 11.

  • ITP 1.0 (September 2017)

A third-party cookie becomes invalid 24 hours after it is issued. It is deleted 30 days later regardless of whether it is valid or invalid.

  • ITP 2.0 (September 2018)

In ITP 2.0, the third-party cookie restrictions were tightened further: even for users who have never visited the site in the past, if they leave without any transition within the site, the third-party cookie is deleted immediately.

This makes it impossible to reach again users who left without any site transition.

  • Complete block of third-party cookies (March 2020)

Third-party cookies became completely blocked.
In addition, if there is no site transition for 7 days, the available storage data (Session Storage, etc.) is deleted immediately.

In 2024, third-party cookies will be heading for their final chapter, and CV analysis in advertising operation will become even more difficult.






Go Ride CEO
