Understanding cookie consent in Australia’s evolving data privacy landscape


Scott Forrest, equ’s Head of Digital Marketing: Cookies have always been the backbone of digital marketing. These snippets of website code enable businesses to collect data on user behaviour and preferences, provide relevant content, target ads and engage audiences across channels.

 

In recent years, we’ve seen a shake-up in the regulations and responsibilities around cookies, particularly in Europe and the US. Websites with users from these regions now typically need explicit consent to collect, process and store personal information using cookies.

Australia’s online privacy regulations haven’t evolved at the same speed, but companies may still need to comply.

However, Australia’s online privacy regulations are catching up.

The current state of cookie consent in Australia

To understand what’s changing in Australia’s cookie consent landscape, we need to look globally at the new regulations that have been rolling out, and at how businesses are playing catch-up.

You have likely heard of GDPR, the EU’s General Data Protection Regulation. GDPR introduced measures to improve individuals’ control and rights over their personal information. One such measure is that websites must obtain clear and unambiguous consent to process users’ personal information.

Other regulations adopted this idea to varying degrees, including:
• The California Consumer Privacy Act (CCPA) and similar US state laws
• The California Privacy Rights Act (CPRA), which is expected to supersede CCPA
• UK Privacy and Electronic Communications Regulations (PECR)
• Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD)
• China’s Personal Information Protection Law (PIPL)
• South Africa’s Protection of Personal Information Act (POPIA)

Now, it’s Australia’s turn to tighten online privacy and give consumers back control of their personal information.

Where we are today: implied consent and flexible regulation

Cookie consent is not mentioned in Australian legislation. Instead, online data processing practices fall under the Australian Privacy Principles (APPs) outlined in the Privacy Act 1988.

The 13 APPs, which apply to companies and organisations turning over $3m or more, include requirements to:
• Notify users when collecting personal information
• Protect personal information and limit disclosure
• Give individuals the option to remain unidentified or use a pseudonym
• Give individuals access to their personal information upon request and correct information that is incorrect
• Collect personal information only when necessary and disclose personal information only for the purpose it was collected
• Have a clear and updated privacy policy and implement practices, procedures, and systems to ensure compliance with the APPs

Non-compliance carries hefty penalties. Large-scale breaches can result in fines of up to $3.3 million, while smaller infringements, such as missing privacy statements, can cost up to $66,000.

Still, the Privacy Act gives a surprising amount of wiggle room, allowing consent to be implied as long as the data collection notification is clear, accessible, and available at or before the point that data collection starts.

(This doesn’t apply to sensitive information such as health or financial data, which does require explicit consent.)


What’s happening: Privacy Act changes are gaining momentum

“…the Privacy Act, which is the primary vehicle for regulating personal information of Australians, is woefully outdated and unfit for the digital age.” – Australia’s Attorney General, The Hon Mark Dreyfus KC MP

Australian regulators have been watching the impact of international regulations and listening to Australian consumers, 88% of whom believe privacy reforms are crucial, according to the latest Deloitte Privacy Index report.

This led to Australia’s Attorney-General introducing the Privacy and Other Legislation Amendment Bill 2024 in September. Having passed the Senate in November, it was signed into law in December 2024. It was the first major Privacy Act reform in over seven years.

The Bill addresses issues such as doxxing, a tort for serious invasion of privacy, enhanced transparency for automated decision-making processes (an initial legislative foray into AI), and enhanced protections for children online. Although the Bill left out proposed changes to consent management, industry pundits expect they are not far behind.

The Bill promised future consultation on these and other issues, including the use of AI (artificial intelligence) in data processing.

What the Privacy Act changes mean for your cookie consent strategy

The Privacy Act changes won’t overhaul cookie consent requirements overnight: regulatory reform takes time, and businesses will likely have a grace period to adapt.

However, taking a ‘wait and see’ approach isn’t ideal.

Lessons from GDPR and other regulatory rollouts highlight the value of early preparation, and with time on your side, there’s a unique opportunity to craft a cookie consent strategy that’s not only future-ready but also aligned with best practices and customer-centric principles.

 
