Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
YM Cart is a Japanese shopping cart and e-commerce checkout solution embedded in product and category pages via a JavaScript widget. It manages cart state, coupon codes, tax and shipping calculation, and connects to multiple payment gateways. For European merchants serving Japanese tourists or expanding to APAC, YM Cart can simplify Japan-specific payment methods (convenience store, Pay-easy, JCB) but raises GDPR questions around cross-border transfers, cookies for cart persistence, and integration with Japanese analytics tools.
YM Cart is a hosted shopping cart and checkout solution popular in Japan, often embedded as a JavaScript widget into product and category pages of existing storefronts. It handles cart state, coupon and tax logic, shipping rate calculation, and order completion through a connected payment gateway. European merchants typically encounter YM Cart when partnering with Japanese suppliers, expanding into Japan, or running a Japan-specific microsite.
YM Cart sets cart_id (cart contents identifier), ym_session (session ID), ym_user (anonymous returning visitor), and optionally ym_conv (conversion tag) and ym_abandon (cart abandonment marker). It collects the shopper''s name, address, email, phone, and payment metadata at checkout, and stores order history server-side against the user identifier. The widget can integrate with Google Analytics, Yahoo Tag Manager, and Japanese ad networks; those integrations introduce additional cookies and require separate consent.
Cart and session cookies fall under the strictly necessary exemption of Art. 5(3) ePrivacy and do not require consent. Cart abandonment cookies, persistent identifiers, and conversion tags do require prior consent. YM Cart is a data processor for order data and may be an independent controller for aggregate platform analytics. Under the EU-Japan Mutual Adequacy Decision, transfers to Japan are recognised as adequate; you still need a written processing agreement and transparent documentation in your privacy notice.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
On 23 January 2019, the European Commission adopted Decision 2019/419 recognising Japan''s level of data protection as essentially equivalent to the EU, under the Supplementary Rules adopted by the PPC (Personal Information Protection Commission). This means transfers to Japanese recipients certified or otherwise covered by the adequacy decision do not require SCCs or BCRs. However, you must verify that YM Cart''s operator falls within the scope of the decision, document the transfer in your Record of Processing Activities, and inform data subjects in your privacy notice.
Categorise YM Cart cookies in your CMP: cart_id and ym_session as strictly necessary, ym_user and ym_abandon as functional or marketing depending on use, and any conversion tags as marketing. Make sure cart abandonment emails are gated behind explicit marketing consent and include a clear unsubscribe link.
1. Sign a Data Processing Agreement with the YM Cart operator. 2. Confirm that the operator is within scope of the EU-Japan adequacy decision. 3. Map YM Cart cookies into your CMP categories. 4. Disable cart abandonment workflows for visitors who did not consent. 5. Add YM Cart and Japan to your privacy notice transfer disclosure. 6. Document the cross-border transfer (even if adequacy applies) in your Record of Processing Activities.
Websites using YM Cart must obtain user consent under GDPR regulations.
DPIA considerations
YM Cart processes order data (name, address, email, phone, payment metadata) and behavioural cookies (cart_id, ym_session, conversion tag). For European deployments, the principal risks are: (1) data transfer to Japan, which benefits from an EU adequacy decision but must still be documented; (2) integration with third-party Japanese payment gateways that may have their own data flows; (3) persistent cart cookies that may track abandoned carts and trigger reminder emails, requiring marketing consent; (4) potential collection of children's data when used on toy or game stores, requiring an age gate; (5) limited transparency about sub-processors. A streamlined DPIA covering cross-border transfer and the cart abandonment workflow is recommended.
Sample consent text
We use YM Cart to operate our checkout. YM Cart sets cookies that are necessary for your basket and order to function. With your consent, we also use cart abandonment cookies that allow us to remind you about products left in your basket. Your order and cart data are transferred to YM Cart servers in Japan, which the European Commission has recognised as offering an adequate level of data protection. You can manage your preferences at any time in our cookie settings.
Third-party domains contacted
ym-cart.comapi.ym-cart.comcdn.ym-cart.compay.ym-cart.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cart_id | Strictly necessary | 30 days | Identifies the visitor's active shopping cart. Required for adding products, applying coupons and completing checkout. |
| ym_session | Strictly necessary | Session | Session identifier used for authenticated checkout, CSRF protection, and order completion. |
| ym_user | Functional | 1 year | Persistent anonymous identifier used to remember returning shoppers and pre-fill cart contents. |
| ym_conv | Marketing | 90 days | Conversion attribution cookie tying the order to the original referrer or ad campaign. |
| ym_abandon | Marketing | 30 days | Marks the cart as abandoned to trigger reminder workflows (when marketing consent is granted). |
YM Cart uses cookies for user preferences — inform visitors with a consent banner.
cart_id (cart identifier, strictly necessary), ym_session (session ID, strictly necessary), ym_user (anonymous returning visitor, functional or marketing), ym_conv (conversion attribution, marketing), ym_abandon (abandonment marker, marketing). Strictly necessary ones can be set without consent; the rest require prior consent under ePrivacy.
Loading YM Cart for the purpose of operating a shopping cart can rely on the strictly necessary exemption (Art. 5(3) ePrivacy). However, marketing features like cart abandonment emails, conversion attribution, and persistent visitor tracking require prior consent. Configure the widget to operate in essential-only mode until the visitor accepts marketing cookies.
Order processing relies on contract (Art. 6(1)(b) GDPR). Cart abandonment reminders rely on consent or, where the customer is an existing buyer and national law allows soft opt-in, on legitimate interest. Aggregate analytics rely on legitimate interest, balanced against the visitor's expectations.
Yes. YM Cart processes data in Japan. The European Commission's adequacy decision of 23 January 2019 (Decision 2019/419) recognises Japan as offering an adequate level of protection for transfers covered by the Supplementary Rules. Confirm with the operator that they are within scope of the decision; if not, fall back to SCCs.
A full DPIA is not always required, but a streamlined assessment is recommended whenever cart abandonment workflows, persistent identifiers, or integrations with Japanese ad networks are enabled. If you sell to children, the DPIA should also document age verification controls and parental consent flows.
Sign a DPA with the operator, verify adequacy scope, document the transfer in the Record of Processing Activities, integrate cookie categories with your CMP, gate marketing features behind explicit consent, present a clear privacy notice that mentions Japan, and configure secure (HTTPS, SameSite=Lax) cookies.
For European deployments, EU-hosted alternatives include Snipcart (Canada with EU options), CommerceLayer (Italy), and SimpleCart. Native platform carts in Shopify Plus, BigCommerce or Adobe Commerce are common alternatives. Open-source options like CommerceCart (EU community fork) reduce vendor lock-in.
Add an entry for cart_id, ym_session, ym_user, ym_conv, and ym_abandon, with purpose, duration and category. In your privacy notice, identify the YM Cart operator as a data processor, mention Japan as the data processing location, cite the EU adequacy decision, and list the categories of personal data (order data, billing address, IP, browsing behaviour).