Australia’s Privacy Act: Major reforms affecting consent management in 2026


What is the Australian Privacy Act?
The Privacy Act 1988 is Australia’s primary data protection law regulating how organizations collect, use, store, and disclose personal information. It applies to most Australian businesses, government agencies, and many international companies operating in Australia or handling the personal information of Australian individuals.
The law is built around the Australian Privacy Principles (APPs), which govern transparency, purpose limitation, consent, access rights, data quality, security, and cross-border disclosures.
The Act is currently undergoing major reforms to modernize privacy protections for a digital, data-driven economy. These reforms will significantly affect online tracking, consent management, and digital advertising practices.
What is Personally Identifiable Information (PII) in Australia?

Definition of PII vs. Personal Information
• Personal Information (PI) under the Privacy Act: Any information that identifies or could reasonably identify a person.
• Personally Identifiable Information (PII): A term often used internationally to describe identifying information, but in Australia, PII is essentially covered under the broader “personal information” definition.
The Privacy Act often goes further than global PII definitions by covering opinions, inferred data, and contextual identifiers.

Sensitive Information Categories
Sensitive information is a special category of personal information that attracts stronger protections. It includes:
• Health and biometric data
• Racial or ethnic origin
• Religious or philosophical beliefs
• Sexual orientation or practices
• Criminal records
• Trade union membership
• Genetic information
Processing sensitive information typically requires explicit consent.

Real-world examples of PII considered protected in Australia
Australia considers the following examples to be personal information:
• Names, emails, phone numbers
• Employee records
• Location data
• Online identifiers (cookies, advertising IDs)
• Financial information
• Customer account details
• IP addresses when linked to individuals
• Device identifiers tied to user behaviour
• Inferred stereotypes or behavioural profiles
The Australian Privacy Principles
These APPs shape privacy governance, transparency, and security across Australian organizations.
• APP 1: Legal basis must be established for each processing activity
• APP 2: Anonymity and pseudonymity
• APP 3: Collection of solicited personal information
• APP 4: Dealing with unsolicited personal information
• APP 5: Notification of the collection of personal information
• APP 6: Use or disclosure of personal information
• APP 7: Direct marketing rules
• APP 8: Cross-border disclosure of personal information
• APP 9: Adoption, use, or disclosure of government identifiers
• APP 10: Quality of personal information
• APP 11: Security of personal information
• APP 12: Access to personal information
• APP 13: Correction of personal information
Privacy Act Reform: What’s Changing in 2026?
Expected 2026 reform highlights include:
Definition of personal information: expands to explicitly include technical identifiers such as IPs, device IDs, and cookie identifiers.
Consent standards: consent must be voluntary, informed, current, specific, and unambiguous. Pre-ticked boxes and dark patterns will be restricted.
New individual rights, including:
• Right to erasure
• Right to object/opt-out of targeting
• Right to correction
• Right to data portability
Children’s privacy: likely introduction of:
• A children’s privacy code
• Stronger age verification expectations
• High-privacy defaults for minors
Penalties: penalties for serious or repeated breaches may reach:
• AU$50 million
• Three times the benefit obtained, or
• 30% of adjusted turnover over a period
Cookies and tracking: cookies and online tracking identifiers are explicitly considered personal information, requiring:
• Clear purpose notices
• User controls
• Valid consent in specific cases (e.g., sensitive data inference)
Compliance Checklist for the Australian Privacy Act
✓ Map personal information and data flows
✓ Review collection notices and privacy policies
✓ Update consent mechanisms to meet 2026 standards
✓ Implement children's privacy safeguards
✓ Introduce rights management workflows (access, deletion, portability)
✓ Deploy cookie and tracking transparency tools
✓ Review third-party data sharing and cross-border rules
✓ Conduct Privacy Impact Assessments (PIAs)
✓ Strengthen internal governance processes
✓ Implement audit-ready consent logs
✓ Ensure data minimization, security, and retention policies
✓ Prepare for reform-driven changes in advertising and analytics

How Didomi can help you meet Australia’s privacy requirements
Centralized consent & preference management
Collect and manage consent aligned with updated APP and reform standards.
Cookie & tracking transparency
Offer clear information and user controls over online identifiers and tracking.
Audit-ready logs
Store proof of consent with timestamps, device data, and versioning.
Preference centers
Allow users to modify their choices at any time.
Multiregion compliance support
Manage GDPR, CCPA, LGPD, and Australia’s Privacy Act from one platform.
Developer-friendly integrations
SDKs, APIs, server-side setups, and Webflow-ready components.
How to Set Up Your Consent Banner for the Australian Privacy Act
Use clear, plain-language notices
Provide granular choices, especially for marketing, analytics, and third-party tracking
Avoid dark patterns and ensure neutral UX
Enable explicit consent for sensitive data and minors
Localize for Australian users
Provide persistent access to the preference center
Store audit-ready consent logs
Ensure cross-device syncing for logged-in users
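The banner setup steps above, as an added JavaScript example that is not Didomi's or the page's own code: a small client-side consent-record builder that rejects pre-ticked defaults, requires a granular per-purpose decision, demands explicit opt-in for sensitive inference or for minors, and emits a versioned, timestamped, device-tagged record that can be checked for currency later. The purpose names, the `source`/`explicit` fields on each choice, and the sample context are assumptions.

```javascript
// Added example, not Didomi's code: a client-side consent-record builder that
// applies the banner checklist above before a record is logged. Purpose names,
// the "sensitive" flag and the sample context below are constructed assumptions.
const PURPOSES = Object.freeze({
  analytics: { sensitive: false },
  marketing: { sensitive: false },
  health_interest_profiling: { sensitive: true }, // hypothetical sensitive inference
});

// choices[purpose] = { granted: bool, source: "user_action" | "default", explicit?: bool }
function buildConsentRecord(choices, ctx) {
  for (const purpose of Object.keys(PURPOSES)) {
    const c = choices[purpose];
    // Granular and unambiguous: every purpose needs its own explicit decision.
    if (!c || typeof c.granted !== "boolean") {
      throw new Error(`no explicit decision for purpose "${purpose}"`);
    }
    // A "granted" that came from a pre-ticked default is not valid consent.
    if (c.granted && c.source !== "user_action") {
      throw new Error(`purpose "${purpose}" was granted by default, not by the user`);
    }
    // Sensitive inference and minors need an explicit opt-in confirmation.
    if (c.granted && (PURPOSES[purpose].sensitive || ctx.isMinor) && c.explicit !== true) {
      throw new Error(`purpose "${purpose}" requires explicit consent`);
    }
  }
  // Audit-ready record: what was agreed, which notice was shown, when, on which device.
  return {
    userId: ctx.userId,
    purposes: Object.fromEntries(Object.keys(PURPOSES).map((p) => [p, choices[p].granted])),
    noticeVersion: ctx.noticeVersion,
    timestamp: ctx.now, // ISO 8601, supplied by the caller so the check is deterministic
    device: { userAgent: ctx.userAgent, platform: ctx.platform },
  };
}
// Consent stops being "current" when the notice changes or the record is older than maxAgeDays.
function isConsentCurrent(record, currentNoticeVersion, nowIso, maxAgeDays) {
  if (record.noticeVersion !== currentNoticeVersion) return false;
  const ageMs = Date.parse(nowIso) - Date.parse(record.timestamp);
  return ageMs >= 0 && ageMs <= maxAgeDays * 86400000;
}
// Constructed sample input: an adult user who opted in to marketing only.
const SAMPLE_CTX = { userId: "u-123", isMinor: false, noticeVersion: "2026-01",
  now: "2026-02-01T10:00:00Z", userAgent: "ExampleBrowser/1.0", platform: "Linux" };
const SAMPLE_CHOICES = {
  analytics: { granted: false, source: "user_action" },
  marketing: { granted: true, source: "user_action" },
  health_interest_profiling: { granted: false, source: "user_action" },
};
```

Re-running `isConsentCurrent` whenever the notice version changes is what turns a stored record into a re-consent prompt rather than a silent carry-over.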
Frequently Asked Questions (FAQ)
Who does the Australian Privacy Act apply to?
Most Australian organizations with more than AU$3 million annual turnover, government agencies, and many international businesses targeting Australians.
Are small businesses exempt?
Historically yes, under the $3 million turnover threshold, but reforms may remove or reduce this exemption.
What counts as sensitive information?
Data relating to health, biometrics, sexual orientation, political opinions, ethnicity, criminal records, and more.
Does the Act apply to international companies?
Yes, if they collect, store, or use personal information of individuals in Australia.
Are cookies, IP addresses, and device identifiers personal information?
Under reforms, yes when reasonably identifiable, including device IDs and online identifiers.
What is changing under the 2026 reforms?
Expanded definitions, new rights, stricter consent rules, higher penalties, a children’s privacy code, and stronger rules around tracking and online advertising.