Data Privacy Laws Australia + Cookie Consent

Learn about cookie consent in data privacy laws in Australia and understand how the evolving data privacy landscape is affecting the global and Australian marketing industry. Dive into the regulation changes to cookie collection, data privacy laws Australia and beyond.

Want more? Download our free whitepaper on Cookies & Data Privacy.

Australians Want More Control of Their Data

84% of Australians want more control and choice over the collection and use of their personal information.

However, just 32% feel in control of their data and privacy.

Source: Australian Government – Office of the Australian Information Commissioner

The Australian Government is currently looking at a reform of data privacy laws in Australia but where do we currently stand with data privacy laws and cookies?

Data Privacy Laws Australia

The Privacy Act 1988 establishes standards for handling personal information. It applies to most businesses and Australian Government agencies with turnover exceeding AUD$3 million.

There are 13 guiding principles called APPs under the Australian Privacy Act and they can be broadly split into 6 categories.

1. Consent
2. Collection
3. Use & disclosure
4. Data quality
5. Access & correction
6. Data destruction

These APPs and categories closely align with the GDPR. The things that tend to differ are the definitions and the scope of what’s included and the obligations.

Rapidfire Guide to APPs for Marketers

The Australian Privacy Principles (APPs) consist of 13 principles. These principles have been in place since 2014 when the NPP and IPP were merged. You should already be on board with these principles as they have been in place since 2014.

1. Open & transparent management of personal information
2. Anonymity & pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of collection of personal information
6. Use or disclosure of personal information
7. Direct marketing
8. Cross-border disclosure
9. Disclosure of government related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information

The APPs are a sound foundation for privacy and will likely remain in place following the reform. However, the definitions, scopes and obligations will change.

Data Privacy Laws Australia and The Digital Services Act

The Digital Services Act is now in play in Australia and it will affect almost all Australian online businesses. Compliance requirements are different and penalties for non-compliance are slightly higher than GDPR. Essentially, if anyone from the EU accesses your website, you need to comply.

This affects everyone.

What About GDPR and Cookies?

GDPR is the global “gold standard” of data privacy. It requires businesses to safeguard the personal data of EU citizens. BUT it’s not just for European companies; it applies globally, including to Australian businesses. And businesses with a global scope are more at risk of non-compliance.

Surprisingly, throughout the GDPR’s 88 pages, it only mentions cookies directly once, in Recital 30.

“Natural persons may be associated with online identifiers provided by their devices, application, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

“This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

GDPR Principles

Compliance with GDPR is very simple in principle.

There are 7 core tenets:

1. 1. Lawfulness, Fairness, and Transparency: Processing personal data should be lawful, fair, and transparent and respect the individual
   2. Purpose Limitation: Collect data for specific, explicit, and legitimate purposes
   3. Data Minimisation: Only collect and process what is required for the purpose you have stated
   4. Accuracy: Keep data up to date
   5. Storage Limitation: Store the data for only as long as required for the purpose
   6. Integrity and Confidentiality: Keep the data safe and secure – away from unlawful processing or accidental loss
   7. Accountability: The data controller must be able to demonstrate full compliance with GDPR

Cookies Fall Under PECR

Cookies fall under the Privacy and Electronic Communications Regulations.

Under PECR we must:

• Receive users’ consent before you use any cookies except strictly necessary cookies
• Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received
• Document and store consent received from users
• Allow users to access your service even if they refuse to allow the use of certain cookies
• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place

Data Privacy Laws: Australia is Under Heavy Regulation

Like the EU, Australia is under heavy regulation when it comes to data privacy.

Most of the world (71%) has data privacy regulations in place (137 out of 194 countries) covering 65% of the global population. Most countries have moderate or strict data protection laws and most Western economies come under the category of heavy regulation.

DLA Piper offers a comprehensive overview of data protection laws by country. Use the tool to view information about data privacy laws for every region. We suggest using the map to review each of your marketing territories.

Governments intend to enforce their laws with overseas companies. This is a significant consideration for most online businesses.

The Cost of Non-Compliance of Data Privacy Laws Australia

While governments of other countries intend to enforce their own data privacy laws on Australian businesses, what’s the cost of non-compliance within Australia?

There have been dramatic increases in penalties for non-compliance of data privacy laws in Australia which emphasise the importance of compliance.

Data Privacy Laws Australia Enforcement & Penalties

What’s the cost of non-compliance for corporates and organisations?

• $50,000,000 for serious of repeat breaches, or
• 30% of adjusted turnover for the period, or
• 3X any benefit gained

The above penalties are the cost of non-compliance for corporates and organisations (whichever number is greatest).

Individuals, sole traders and partnerships may be fined up to $2,500,000 for serious or repeated breaches.

Historically, $2.2 Million was the maximum fine, which was recently deemed insufficient off the back of the Optus and Medibank data breaches. Now, new reforms are being introduced in 2024.

Need help?

Given the dramatic increase in fines for non-compliance it’s more important than ever for Australian businesses to comply with data privacy laws in Australia and globally.

In data we trust, and that data has to be safeguarded properly. We help you define your data governance by building a collection of processes, templates and frameworks for your team to use.

We also offer practical training to support data governance best practices while following expectations set by policies and standards.

Need help managing and securing your data? Contact us for a free consultation.

Not ready? Download our free whitepaper on Cookies & Data Privacy for more on data privacy laws Australia and cookies.