There are no specific cookie-related laws in force in Australia. However, entities subject to the Australian Privacy Act must handle personal information in accordance with the Australian Privacy Principles (APPs).
“Personal information” is defined under the Australian Privacy Act as information or an opinion about an identified individual or an individual who is reasonably identifiable. If an entity handling data collected via cookies and similar technologies has reasonable access to other information which would enable that data to be associated with an individual, that individual is “identifiable”, regardless of whether the entity makes that link. To be considered personal information, the data collected via cookies and similar technologies must also be considered information “about” a person, meaning that the individual is the subject matter of the information.
In its report in relation to the Digital Platforms Inquiry, the Australian Competition and Consumer Commission (ACCC) stated that there is “considerable legal uncertainty on the issue of whether technical data collected in relation to individuals is within the scope of the definition of personal information”. Recently, in its report in relation to the Privacy Act Review published in February 2023 (Privacy Act Review Report), the Attorney-General’s Department has proposed changes to the definition of personal information in an effort to address this, including:
These proposals were agreed to in-principle by the Australian Government in its response to the Privacy Act Review Report published in September 2023 (Australian Government Response to the Privacy Act Review). Agreement in-principle means that the Australian Government will conduct further engagement and impact assessments on these proposals.
In some circumstances. Under the APPs, consent is required:
To the extent that data collected via cookies and similar technologies constitutes personal information, consent is required in the circumstances set out above unless an exception applies.
There are a couple of different approaches taken:
The obligation to give notice and (if required) obtain consent is frequently managed by imposing an obligation on the publisher by way of contract.
The consent requirements referred to above are subject to limited and narrow exemptions (for example, using or disclosing personal information where reasonably expected by the individual and related to the primary purpose of collection or, in the case of direct marketing, using or disclosing personal information by contracted service providers in relation to a specific Commonwealth contract).
Not without regard to the APPs. To the extent that the data collected by each of these types of cookies constitutes personal information, the handling of the data will be subject to the same rules as are set out above and below.
The APP Guidelines state that use of an opt-out mechanism to infer consent will only be appropriate in limited circumstances, as the individual’s intention in failing to opt out may be ambiguous. One relevant circumstance where an opt-out mechanism is permissible for private sector organisations, pursuant to the APPs, is where:
The APP Guidelines also include additional, narrower circumstances where an opt-out mechanism is permissible.
The APP Guidelines require entities collecting personal information to take reasonable steps to notify individuals of certain matters, or otherwise ensure that they are made aware of them. To the extent that the data collected via cookies or similar technologies constitutes personal information, entities must take reasonable steps to notify individuals of these matters, or otherwise ensure that they are aware of them. This is not always done in practice, and some publishers only provide notice once a user creates an account.
This is done in some circumstances. See question 2 above.
There is no specific guidance from the Office of the Australian Information Commissioner (OAIC) in relation to cookie walls. Their guidance in relation to consent more generally is that there are four key elements:
The Privacy Act Review Report refers to a submission by the OAIC to the effect that, depending on the circumstances, consent is unlikely to be voluntary when the provision of service is conditional on consent to personal information handling that is not necessary for the provision of the service.
Considering the above, the use of cookie walls may not be an effective means of obtaining consent.
While enforcement action in relation to cookies and similar technologies has previously been uncommon in Australia, significant enforcement actions have recently been brought against Facebook and Google by both the ACCC and OAIC.
In October 2019, the ACCC brought proceedings against Google in the Federal Court. In April 2021, the Federal Court ruled in favour of the ACCC in that case, finding that Google had made misleading representations about the collection and use of location data on Android phones between January 2017 and December 2018. In August 2022, the Federal Court ordered Google to pay AU$60 million in penalties in relation to this conduct.
Two other relevant enforcement actions were brought by the ACCC in the Federal Court against Google and Facebook respectively, namely:
The Privacy Act Review is ongoing with feedback sought in relation to various reform proposals including proposals in relation to direct marketing, targeting and trading. This specifically includes:
Agreement in-principle means that the Australian Government will conduct further engagement and impact assessments on these proposals.
A proposal to provide individuals with an unqualified right to opt out of receiving targeted advertising which was included in the Privacy Act Review Report was not agreed to (either in full or in-principle) by the Australian Government.
Yes.
The Privacy Act Review Report follows a two-year review of Australian privacy laws and contains over 110 proposals which are designed to better align those laws with global standards of privacy protection and give individuals more control over their personal information.
In addition to the reform proposals referred to in Q1 and Q10 above, the proposed reforms also relevantly include:
In December 2022, following two major data breaches impacting Australian consumers, several reforms were enacted including, among other things:
The Australian Government Response to the Privacy Act Review signals that significant changes to the rules are on the horizon, with most of the proposals referred to in this guide either agreed to or agreed to in-principle. The Australian Government has committed to introduce draft legislation in 2024 concerning those proposals which have been agreed. There will, however, be further engagement and impact assessments for the proposals only agreed ‘in-principle’.
In response to the Digital Platforms Inquiry, the Australian Government also directed the ACCC to conduct an inquiry into markets for the supply of digital advertising technology services and digital advertising agency services.
There was a consultation process, following which a final report was published on 28 September 2021 (the Final Ad Tech Report). The ACCC made the following recommendations in the Final Ad Tech Report:
The Final Ad Tech Report also relevantly refers to stakeholder concerns regarding potential consumer harms arising from the use of data for ad targeting purposes.
The Digital Platform Services Inquiry, which is taking place between 2020 and 2025, may also have an impact on this area.