While the Privacy Act 1988 sits at the heart of privacy laws in Australia, the privacy landscape is evolving quickly. For example, the Privacy and Other Legislation Amendment Act 2024 introduced important changes, including new transparency requirements for the use of automated decision-making tools.
Similarly, the Australian Information Commissioner has published new guidance on tracking pixels, clarifying that the collection of personal information through automated tools, such as tracking pixels, is subject to the Privacy Act 1988.
For organisations operating websites, online platforms, or mobile applications that handle Australians’ personal data, these developments underscore an important reality: whether personal information is gathered directly from users or indirectly through cookies and other tracking technologies, it must comply with the requirements of the Privacy Act 1988.
In this article, we outline the current privacy landscape in Australia, explain when the Privacy Act 1988 applies, break down the key obligations it imposes, and provide practical guidance on achieving compliance, including the compliant use of cookies and similar technologies.
Continue reading to determine if this applies to you and learn how to comply.
What is the landscape around privacy laws in Australia?
In Australia, a mix of state-level and federal laws governs the protection of personal information.
The primary law governing the collection and processing of personal information at the federal level is the Privacy Act 1988.
The Act outlines the Australian Privacy Principles, a set of 13 rules governing the handling of personal information. These rules apply to federal government agencies. Additionally, most private organisations that earn more than $3 million each year, such as companies, partnerships, and associations, also fall under the scope of the Act.
In addition to the federal Privacy Act 1988, most states have their own privacy laws and regulations, such as Queensland’s Information Privacy Act 2009, and Victoria’s Privacy and Data Protection Act 2014. However, state-level laws cannot override or conflict with the federal Privacy Act, and they typically address more specific sectors and data processing activities, such as the handling of health records.
Does the Australian Privacy Act apply to you?
The Privacy Act applies to your organization if the following conditions are met:
1. Personal Scope of the Act
The Act applies to all Federal government agencies and to all businesses, except “(..) organizations (including all their related bodies corporate each) with less than AUD 3 million (approx. €1.9 million) annual turnover at any time”, registered political parties, and state or territory authorities or instrumentalities.
Businesses will also be automatically subject to the Privacy Act if they use or disclose personal information for a benefit, or collect and use health information.
Note on personal information: Under the Privacy Act, personal information is defined as information or an opinion about an identified individual or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
In short, even if a business’s annual turnover is below the threshold, it will still have to comply with the Privacy Act if it processes personal information for a benefit or if it collects health information.
2. Territorial Scope of the Act
The Australian Privacy Act applies to both Australian and foreign organizations that carry on business in Australia.
Following the Uber decision, the Privacy Act applies to all foreign organizations deemed to be 'carrying on business' in Australia, regardless of whether this includes actively collecting personal information in Australia.
3. Material Scope of the Act
All processing activities, such as collection, sharing, and use related to personal information, fall under the scope of the Act. However, anonymized data or de-identified data is not subject to the Act.
New changes to the Privacy Act 1988 explained
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024, and many of its provisions came into effect on that date. However, some of its provisions, such as the new requirements on the use of automated decision-making, will come into force in December 2026.
This Act marks the most significant update to Australia’s privacy framework since the introduction of the Privacy Act 1988. It introduces new obligations for organisations, creates additional criminal offences, and expands the powers of the regulator.
Here are the key changes that each organization should take note of:
- New transparency obligations for the use of automated decision-making: The new changes require organizations to revise their privacy policies to inform affected individuals about the collection and processing of their personal information through automated decision-making tools. For instance, a loan application eligibility checker tool falls under the definition of automated decision-making tools.
- White-list for international data transfers: Another critical change relates to the transfer of Australians’ personal information outside Australia. The amendments grant the Minister the authority to approve certain countries if they provide an adequate level of protection for personal information and offer individuals an effective mechanism to enforce their rights.
- New criminal offence: The Act makes it a crime to deliberately share someone’s personal information online in a manner that is harmful or threatening. This offence can lead to a prison sentence of up to 6 years.
- New tort of invasion of privacy: The new amendments provide individuals with the right to bring legal action, such as a claim for damages and an injunction for the violation of their privacy rights through the misuse of their personal information or intrusion into their seclusion.
- New powers have been granted to the Information Commissioner: Under the new amendments, the Commissioner has been given expanded powers to investigate data breaches. They can now review how organisations respond to breaches and require organisations to provide information about actual or suspected data breach incidents.
Requirements to comply with the Australian Privacy Act
Any organization that is subject to the Australian Privacy Act 1988 is called an “APP Entity” and must comply with the 13 principles of the Act:
- An APP entity must handle personal information in a transparent manner, which includes having a clearly expressed and up-to-date APP privacy policy;
- Individuals should be provided with the option of not being identifiable or to use a pseudonym, subject to limited exceptions;
- APP Entities can only collect “solicited” information;
- APP Entities should manage unsolicited personal information in compliance with specific standards;
- APP Entities must inform individuals about the collection and use of their information in a specific manner;
- APP Entities should only disclose personal information to third parties under specific circumstances and subject to specific conditions;
- An APP Entity may only use or disclose personal information for direct marketing purposes if certain conditions are met;
- An APP Entity must fulfill certain requirements before it discloses personal information to overseas recipients;
- An APP Entity can only adopt a government-related identifier of an individual as its own identifier or use or disclose a government-related identifier of an individual under certain circumstances;
- APP Entities should ensure that the personal information they hold is accurate and up-to-date;
- An APP entity must take reasonable steps to protect the personal information it holds from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. It also has obligations to destroy or de-identify personal information in certain circumstances;
- An APP Entity must fulfill individuals’ requests to access their personal information if specific conditions are met;
- APP Entities must keep the personal information they hold correct.
Do I need a cookie consent banner on my website in Australia?

There is no cookie-specific law in Australia.
However, the Privacy Act 1988 applies to cookies and similar technologies when they involve the collection of personal information. This means that key requirements, such as purpose limitation and providing a clear privacy notice, still apply.
Under the Privacy Act, organisations must obtain consent if they collect sensitive personal information or if they wish to use or disclose personal information for a purpose other than the one for which it was collected. Therefore, if your website, mobile app, or online platform collects sensitive information through cookies or similar tools, you must obtain prior consent.
Furthermore, the Australian Information Commissioner published guidance on “Tracking Pixels and Privacy Obligations” in November 2024, clarifying that the use of tracking pixels requires website operators and mobile app developers to comply with the Australian Privacy Act.
The Guidance states that organizations should consider the following privacy obligations when using tracking pixels:
- Organizations should adopt the “data minimization” principle when configuring tracking pixels.
- Organizations should provide individuals with a privacy notice prior to the collection of personal information via tracking pixels. This prior notice can include details such as the types of personal data collected and who may have access to the collected data. Regarding this notice, the Guidance recommends using tools such as cookie banners or pop-up screens to inform individuals.
- In addition to this information notice, organizations must have a dedicated privacy policy that explains the collection, use, processing, transfer, and storage of personal information, including through the use of tracking pixels.
- If an organization uses tracking pixels to collect sensitive personal data, such as information related to health, race, or ethnic origin, it must obtain consent before activating the pixels.
In short, while Australia does not have a standalone cookie law, the Privacy Act and the Commissioner’s guidance make it clear that organisations using cookies or pixels must provide prior privacy notice, obtain consent when required, and configure these tools in a legally compliant way.
If your website uses cookies or tracking pixels to collect Australians’ personal information, you’ll probably need a Consent Management Platform (CMP) to capture consent and meet the transparency requirements of the Australian Privacy Principles.
The transparency principle under the Privacy Act provides that APP entities must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters, including:
- The entity’s identity and contact details
- The facts and circumstances of the collection
- Whether the collection is required or authorized by law
- The purposes of the collection
- The consequences if personal information is not collected
- The entity’s usual disclosures of personal information of the kind collected by the entity
- Information about the entity’s APP Privacy Policy
- Whether the entity is likely to disclose personal information to overseas recipients and, if practicable, the countries where they are located.
These can be displayed in a consent banner, which you can implement with a CMP like ours. Learn more on our website.
What are the enforcement actions you may face for failure to comply with Australian privacy laws?
Under the Privacy Act 1988, the Information Commissioner may investigate alleged non-compliance with the Privacy Act and exercise a range of enforcement powers. For instance, the Commissioner may issue enforcement notices, requiring an organisation to take specified remedial steps.
Where the Commissioner identifies a serious or repeated interference with privacy, it may commence civil penalty proceedings in the Australian courts.
If a body corporate is found to have violated the Privacy Act 1988, the court may impose a penalty equal to the greater of:
- AUD 50 million;
- Three times the value of any benefit obtained (directly or indirectly) from the contravention; or
- If the benefit cannot be determined, 30% of the company’s adjusted turnover in the relevant period.
For interferences with privacy that are not serious or repeated, a body corporate may face a civil penalty of up to AUD 3.3 million.
Complying with EU & UK GDPR and E-Privacy Directive
Beyond their activity in Australia, most global Australian organizations are subject to other privacy laws that cover cookie banner requirements.
If your website and business operations target EU & UK-based individuals, you are likely to be subject to the European Union and United Kingdom's strict cookie compliance requirements under two distinct regulations: the General Data Protection Regulation (GDPR) and the E-Privacy Directive.
How to comply with the E-Privacy Directive in Australia?
The E-Privacy Directive includes rules on how businesses can store cookies and similar technologies on users’ devices within the EU.
It should be noted that each EU country and the UK has implemented the E-Privacy Directive into their national laws by making changes, and businesses should check country-based differences for compliance.
However, the E-Privacy Directive introduces the requirement that cookies cannot be stored on user devices unless the user provides consent to the storage of cookies, with two exceptions:
- If the cookie is necessary for the transmission of a communication over an electronic communications network, consent is not needed.
- If the cookie is strictly necessary to provide an information society service explicitly requested by the subscriber or user, consent is not required.
How to comply with EU and UK GDPR in Australia?
In addition to the E-Privacy Directive, businesses must also comply with the EU and UK GDPR when collecting personal information via cookies.
Under the GDPR, organizations must rely on one of the six “legal bases” to collect personal data through cookies and similar technologies. Two of those legal bases are highly relevant to processing personal data collected through the use of cookies: Consent and legitimate interest.
While legitimate interest seems like a convenient option to avoid asking for consent, it is far from being so. Different EU data protection authorities have published guidance on whether consent is required for various cookie categories, and each country has distinct requirements.
Partnering with global Privacy UX experts will be instrumental in ensuring you navigate the regulatory intricacies of each country effectively.
How Didomi can help
The data privacy revolution may have originated in Europe with the GDPR, but it is rapidly spreading worldwide. The growing number of privacy fines in Australia, recent amendments, and the OAIC's guidance on tracking pixels underscore the importance of taking privacy compliance seriously.
For Australian organizations (and global ones operating in Australia), this means complying with both local and international privacy regulations. Didomi can help:
- Multiregulation consent management and compliance: Capture, store, and demonstrate valid consent for cookies, tracking pixels, and sensitive personal data, in line with Australian law and OAIC expectations (and more).
- Privacy UX expertise: Collaborate with our team of experts to implement clear, transparent consent banners that meet legal standards while ensuring a seamless user experience.
- Future-ready data solutions: Leverage privacy-preserving technologies, such as server-side tracking, to optimize digital performance while upholding user rights and privacy.
Talk to an expert and find out how Didomi can help you approach data privacy in Australia, and turn compliance into a business opportunity.
Frequently Asked Questions (FAQ)
What are sensitive personal information categories under the Privacy Act 1988?
Under the Privacy Act 1988, sensitive information includes personal information related to health, racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, trade-union membership, sexual orientation or practices, criminal record, genetic or biometric information, and other categories defined in the Act.
Is there a cookie law or regulation in Australia?
There is no cookie-specific law in Australia.
Websites, mobile apps, and online platforms are facing increasing scrutiny over the collection and use of personal data through cookies and similar tools, which must comply with Australian privacy laws and regulations.
For instance, the Australian Information Commissioner published a detailed Guidance on “Tracking Pixels and Privacy Obligations” in November 2024, which clarified that the use of tracking pixels requires website operators and mobile app developers to comply with the Privacy Act 1988.
What is the main privacy law that applies to businesses in Australia?
In Australia, a mix of state-level and federal laws governs the protection of personal information.
The primary law governing the collection and processing of personal information at the federal level is the Privacy Act 1988. The Act sets out 13 Australian Privacy Principles (APPs), which outline how personal information must be handled.