
Is Cookie Consent Required in Australia?
If you believe that data collection under Australian privacy law pertains solely to the forms your clients fill out on your website, you are mistaken. In the matter involving Uber, the Office of the Australian Information Commissioner (OAIC) concluded that the Australia Privacy Act applies to the gathering of data through "any methods," which includes cookies and other technology.
If you operate in Australia or have website visitors from Australia, the Australia Privacy Act requires you to comply with its requirements on the use of cookies and other online identifiers to collect the personal data of Australians.
Continue reading to determine whether you are affected by this and how you can comply.
What is the current state of the legislation concerning privacy in Australia?
The central piece of legislation that sets requirements for how companies may collect and use the personal information of Australians is the Australia Privacy Act 1988. This law was passed in 1988. The primary objective of the Act is to strengthen the protection of the personal information of Australian citizens.
When do you need to comply with the Australia Privacy Act?
Your company falls within the jurisdiction of the Australia Privacy Act if all of the following requirements are met:
1. The Individuals Who Are Covered by the Act
If a company processes personal information to provide a benefit or if it gathers health information, it must comply with the Australia Privacy Act. This is true even if the company's annual revenue exceeds the threshold.
2. The Reach of the Act Across Territories
The Australian Privacy Act applies to domestic and international companies that operate in Australia and collect personal information about their customers.
For instance, if your company engages in any of the following activities, it will satisfy this requirement regardless of whether you are an organization based in Australia or anywhere else in the world:
Actively gathering personal information in Australia
Bringing traffic from inside Australia to a website that is based in another country
3. The Significant Aspects Covered by the Act
The Act covers any processing activities, including the gathering, distributing, and using of personal information, as long as they are connected to processing in some way. However, data that has been anonymized or de-identified is exempt from the requirements of the Act.
There is a revised draft of the Privacy Law and additional regulations
The Australian government announced in March 2019 that it intends to draft a new Online Privacy Bill (OPB) to increase the protection of personal information on social media and other online platforms.
The new privacy law will set additional criteria on how personal data may be gathered and utilized through social media platforms and internet channels. These new regulations will go into effect shortly.
The following categories of businesses will be exempt from the requirements of the Internet Privacy Bill:
Companies that provide services related to social media platforms
Organizations that provide services related to data broking
Large online platforms
The Internet Privacy Law will include detailed guidelines on how companies should acquire permission from minors and other vulnerable persons. These provisions are intended to protect the privacy of those using the internet. In addition, where a person requests that their personal information not be used or disclosed to third parties, the organization shall make all reasonably possible efforts to comply with such requests.
In addition to this Act, other laws apply to specific fields and organizations. Some of these laws include the Privacy Credit Reporting Code and special requirements about health information and tax file numbers (TFNs).
Complying with the requirements of the Australia Privacy Act is obligatory
"APP Entity" refers to any organization required to comply with the Australia Privacy Act of 1988. An APP Entity is required to abide by the Act's 13 principles, which are as follows:
1. An APP business must handle personally identifiable information openly and honestly.
2. People should be given the choice of not being recognized or of using a pseudonym, with some restrictions allowed.
3. APP Entities are only permitted to acquire information that has been "solicited."
4. APP Entities are required to handle personal information that was not explicitly requested according to specific requirements.
5. APP Entities must provide persons with detailed information about the acquisition and use of the individuals' information.
6. APP Entities should only give out personally identifiable information to third parties if it is essential, and only in very narrow circumstances.
7. An APP Entity is only allowed to use the personal information of persons within specific predetermined parameters.
8. Before disclosing personal information to receivers outside of Australia, an APP Entity is required to satisfy several conditions.
9. An APP Entity is only permitted to use or disclose a government-related identifier of a person, or adopt a government-related identifier of a person as its own identifier, under certain conditions.
10. APP Entities are responsible for ensuring that the personal information they maintain is correct and kept up to date.
11. An APP entity with personal information must take reasonable precautions to prevent such information from being mishandled, interfered with, or lost, as well as against unauthorized access, alteration, or disclosure.
12. If specific criteria are satisfied, an APP Entity must comply with a person's request to access their personal information.
Do I need a banner requesting permission to place cookies on my website if I host it in Australia?
If you collect sensitive personal information under the Australia Privacy Act, such as information linked to a person's health, race, criminal background, or sexual orientation, you must acquire permission from that individual.
As a result, the display of cookie banners is not required in Australia.
When companies gather personal information through cookies, they are subject to the rules of the Australia Privacy Act, which they must comply with in full. This includes adhering to a transparency principle, which stipulates that users must be supplied with the appropriate amount of information, whether it is communicated to them in a notice posted at the point of collection or through the privacy policy.
If an organization uses or discloses an individual's personal information for the specific purpose for which it was collected (the primary purpose), or for a different purpose (the secondary purpose) that is related to the primary purpose of the collection and that the individual can reasonably expect, then the organization is exempt from the requirement that it obtain consent to use or disclose the information.
Certain businesses in Australia may take the position that behavioral advertising is a secondary purpose that consumers cannot reasonably be expected to anticipate. Consequently, these businesses may seek users' consent in order to comply with the Australia Privacy Act.
Closing Remarks
Although the Australia Privacy Act does not mandate that websites show a cookie banner, most Australian firms that operate worldwide are subject to other privacy laws that mandate the display of cookie banners. These laws include the EU and UK GDPR and the E-Privacy Directive.