Understanding cookie consent in Australia’s evolving data privacy landscape
Cookies have always been the backbone of digital marketing. These small pieces of data, set by a website and stored by the browser, enable businesses to collect data on user behaviour and preferences, provide relevant content, target ads and engage audiences across channels.
In recent years, we’ve seen a shake-up in the regulations and responsibilities around cookies, particularly in Europe and the US. Websites with users from these regions now typically need explicit consent to collect, process and store personal information using cookies.
Australia’s online privacy regulations haven’t evolved at the same speed, but they are catching up, and companies may still need to comply today.
Highlights
- Australian data protection laws do not require cookie consent unless your website collects sensitive personal information.
- Although our local privacy laws lag behind global standards like the GDPR, they are set to evolve soon.
- Current implicit cookie consent standards are falling out of favour with consumers and regulators.
- Recent Privacy Act amendments signal the start of ongoing reforms and introduce higher non-compliance penalties.
- Proactively maturing your cookie consent strategy will give your business a competitive edge.
- Following international examples and best practices will help you future-proof compliance.
The current state of cookie consent in Australia
To understand what’s changing in Australia’s cookie consent landscape, we need to look globally at the new regulations that have been rolling out, and at how businesses are playing catch-up.
You have likely heard of the GDPR, the EU’s General Data Protection Regulation. The GDPR introduced measures to improve individuals’ control and rights over their personal information. One such measure is that websites must obtain clear and unambiguous consent to process users’ personal information.
Other regulations adopted this idea to varying degrees, including:
- The California Consumer Privacy Act (CCPA) and similar US state laws
- The California Privacy Rights Act (CPRA), which amends and expands the CCPA
- UK Privacy and Electronic Communications Regulations (PECR)
- Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD)
- China’s Personal Information Protection Law (PIPL)
- South Africa’s Protection of Personal Information Act (POPIA)
Now, it’s Australia’s turn to tighten online privacy and give consumers back control of their personal information.
Where we are today: implied consent and flexible regulation
Cookie consent is not mentioned in Australian legislation. Instead, online data processing practices fall under the Australian Privacy Principles (APPs) outlined in the Privacy Act 1988.
The 13 APPs, which apply to most companies and organisations with an annual turnover of more than $3 million (and to some smaller entities, such as health service providers), include requirements to:
- Notify users when collecting personal information
- Protect personal information and limit disclosure
- Give individuals the option to remain unidentified or use a pseudonym
- Give individuals access to their personal information upon request and correct information that is incorrect
- Collect personal information only when necessary and disclose personal information only for the purpose it was collected.
- Have a clear and up-to-date privacy policy, and implement practices, procedures and systems to ensure compliance with the APPs
Non-compliance carries hefty penalties. Large-scale breaches can result in fines of up to $3.3 million, while smaller infringements, such as missing privacy statements, can cost up to $66,000.
Still, the Privacy Act gives a surprising amount of wiggle room, allowing consent to be implied as long as the data collection notification is clear, accessible, and available at or before the point that data collection starts.
(This doesn’t apply to sensitive information such as health or financial data, which does require explicit consent.)
What’s happening: Privacy Act changes are gaining momentum
“…the Privacy Act, which is the primary vehicle for regulating personal information of Australians, is woefully outdated and unfit for the digital age.” - Australia’s Attorney-General, The Hon Mark Dreyfus KC MP
Australian regulators have been watching the impact of international regulations and listening to Australian consumers, 88% of whom believe privacy reforms are crucial, according to the latest Deloitte Privacy Index report.
This led to Australia’s Attorney-General introducing the Privacy and Other Legislation Amendment Bill 2024 in September. Having passed the Senate in November, it was signed into law in December 2024. It was the first major Privacy Act reform in over seven years.
The bill addresses issues such as doxxing, a tort for serious invasion of privacy, enhanced transparency for automated decision-making processes (an initial legislative foray into AI), and enhanced protections for children online. Although the Bill left out proposed changes to consent management, industry pundits expect they are not far behind.
The Bill promised future consultation on these and other issues, including the use of AI (artificial intelligence) in data processing.
What the Privacy Act changes mean for your cookie consent strategy
The Privacy Act changes won’t overhaul cookie consent requirements overnight. Regulatory reform takes time, and businesses will likely have a grace period to adapt.
However, taking a ‘wait and see’ approach isn’t ideal.
Lessons from the GDPR and other regulatory rollouts highlight the value of early preparation. With time on your side, there’s a unique opportunity to craft a cookie consent strategy that’s not only future-ready but also aligned with best practices and customer-centric principles.
Best-practice cookie consent strategies: Your checklist for compliance
Review (and revamp) your privacy policy
Before looking ahead, let’s ensure your privacy policy complies with today’s requirements.
The Privacy Act provides at least eight requirements for privacy policies, plus additional information that needs to be included in specific cases, such as how long you retain users’ data or whether it is sent overseas.
The full list of requirements is published by the Office of the Australian Information Commissioner (OAIC), or get in touch for advice on privacy policy best practices.
Align with international standards
Consent is only one aspect of the GDPR. Several other key principles are equally important for a mature cookie consent strategy:
- Data minimisation: Don’t collect excessive data or store it for longer than necessary. Beyond bloating your servers for little benefit, every record you hold is a record that can be exposed in a breach; data you never collected cannot be.
- Right to withdraw: Make it easy for users to access their data, withdraw consent they previously gave, and opt out of processing.
- Fair, lawful and transparent processing: The Privacy Act reforms are already starting to change the rules around clarifying how user data is processed and used, especially by AI systems and marketing automation platforms.
The benefits of best-practice cookie consent go beyond compliance.
With 50% of Australians backing out of purchases because the organisation wants too much personal data (up from 35%), and 59% actively limiting what they share with brands, becoming a leader in this space gives you a competitive advantage.
Overhaul consent management processes
Now that we’ve sorted out your behind-the-scenes systems, let’s look at the user experience.
Many Australian websites use implicit consent banners which advise users that they’re ‘consenting’ to data collection by continuing to use the site. This might be compliant today, but there are better solutions:
- Basic cookie consent banners work for minimal cookie use. They include a simple notification with an “Accept” button and a link to your privacy policy.
- Granular consent options allow users to select specific cookie types (e.g., analytics, advertising). This is important for building trust.
- Consent Management Platforms (CMPs) provide a dynamic solution for managing international audiences. CMPs adjust consent banners to comply with local laws.
Remember: the GDPR applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. If your business is borderless, GDPR compliance is non-negotiable.
Focus on transparency and simplicity in communication
There are countless ways to craft cookie consent notifications. In our experience, simple is best.
- Use plain, clear language
- Inform users how and why you are collecting data
- Don’t make them hunt for opt-out options
Transparency builds trust and trust is good for business.
According to PwC’s 2024 Trust Survey, 93% of executives agree that building and maintaining trust improves bottom-line results.
Invest in compliance reviews
Auditing your data protection processes and policies every six months or so helps you identify minor compliance risks before they become major issues.
These audits don’t need to be prolonged and painful exercises, and there are tools and technologies available to automate tasks like data collection and compliance reporting.
The main goal is to bake continuous improvement into your cookie consent strategy, so you have an established review process that enables you to adapt ahead of regulatory changes.
Staying ahead in a privacy-centric world
Cookies play a big role in helping you understand your audience, grow your business online, and become truly data-driven and customer-centric.
So with Australia’s data protection laws set to evolve, and cookie consent likely to become a hot topic, now’s the time to make a plan for Privacy Act compliance. Although the regulations won’t change tomorrow, there will be a time, sooner rather than later, when your systems and processes will need to be ready.
Thankfully, Australian businesses have an opportunity to stay ahead of the curve on regulatory changes and cookie consent requirements. By adopting best practices early, strategically and transparently, you’ll safeguard your business against compliance risks and sharpen your competitive edge.